@nicolasmi I forgot to mention, sorry - you have to use exportTo: '.' in your destination rule, so the destination rule will be applied in the egress gateway’s namespace only and the certificate will be loaded in that namespace only (for the egress gateway only).