diff --git a/pkg/reconciler/route/resources/ingress.go b/pkg/reconciler/route/resources/ingress.go
index 5046b486120d..ba2dc4ab1b43 100644
--- a/pkg/reconciler/route/resources/ingress.go
+++ b/pkg/reconciler/route/resources/ingress.go
@@ -29,6 +29,7 @@ import (
 "knative.dev/networking/pkg/apis/networking"
 netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
+ netcfg "knative.dev/networking/pkg/config"
 netheader "knative.dev/networking/pkg/http/header"
 ingress "knative.dev/networking/pkg/ingress"
 "knative.dev/pkg/kmeta"
@@ -183,6 +184,18 @@ func makeIngressSpec(
 rule.HTTP.Paths[0].AppendHeaders[netheader.RouteTagKey] = name
 }
 }
+
+ // if this is a private rule, and internal encryption is on, we need to stick the certs in the tls seciton
+ if visibility == netv1alpha1.IngressVisibilityClusterLocal && networkConfig.InternalEncryption {
+ for domain := range domains {
+ tls = append(tls, netv1alpha1.IngressTLS{
+ Hosts: []string{domain},
+ SecretName: netcfg.ServingInternalCertName,
+ SecretNamespace: r.Namespace,
+ })
+ }
+
+ }
 // If this is a public rule, we need to configure ACME challenge paths.
 if visibility == netv1alpha1.IngressVisibilityExternalIP {
 paths, hosts := MakeACMEIngressPaths(acmeChallenges, domains)
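Review bot: The new loop `for domain := range domains` appends one `IngressTLS` entry per host, and if `domains` is a map-backed set (as the key-only range suggests) the entries land in random order, so unless `tls` is sorted later in makeIngressSpec (its body continues outside the hunk) the generated spec can differ between reconciles and trigger needless Ingress updates. Iterating over a sorted copy of the keys, or emitting a single entry whose `Hosts` is the sorted domain list, would keep the output stable. Each entry also references `netcfg.ServingInternalCertName` in `r.Namespace`, and nothing visible here confirms that a secret of that name is provisioned in the Route's namespace. If it exists only in the system namespace the reference dangles, and if it is read from the tenant namespace then whoever can write secrets there chooses the certificate served for cluster-local hosts, so that trust decision deserves a comment next to `SecretNamespace`. The added comment has a typo (`seciton`) and there is a stray blank line before the closing brace of the new `if`.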