diff --git a/kube/certs/certs.go b/kube/certs/certs.go
index dd8fd7d79..4c8ac88b6 100644
--- a/kube/certs/certs.go
+++ b/kube/certs/certs.go
@@ -53,6 +53,7 @@ func (cm *CertManager) EnsureCertLoops(ctx context.Context, sc *ipn.ServeConfig)
 	currentDomains := make(map[string]bool)
 	const httpsPort = "443"
 	for _, service := range sc.Services {
+		// L7 Web handlers (HA Ingress).
 		for hostPort := range service.Web {
 			domain, port, err := net.SplitHostPort(string(hostPort))
 			if err != nil {
@@ -63,6 +64,12 @@ func (cm *CertManager) EnsureCertLoops(ctx context.Context, sc *ipn.ServeConfig)
 			}
 			currentDomains[domain] = true
 		}
+		// L4 TCP handlers with TLS termination (kube-apiserver proxy).
+		for _, handler := range service.TCP {
+			if handler != nil && handler.TerminateTLS != "" {
+				currentDomains[handler.TerminateTLS] = true
+			}
+		}
 	}
 	cm.mu.Lock()
 	defer cm.mu.Unlock()
diff --git a/kube/certs/certs_test.go b/kube/certs/certs_test.go
index 91196f576..f3662f6c3 100644
--- a/kube/certs/certs_test.go
+++ b/kube/certs/certs_test.go
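Review bot: In the second hunk the TCP branch keys currentDomains on handler.TerminateTLS verbatim and never looks at the port the handler is registered under, whereas the Web branch above derives the domain through net.SplitHostPort and, judging by the httpsPort constant, filters on port; as written a TLS-terminating TCP handler on any port starts a cert loop. If that asymmetry is intended, state it next to the loop, e.g. `// Any TLS-terminating TCP port needs a cert, not only 443, so the port key is not checked.`; if not, the port should be compared the same way the Web path does. It is also worth either documenting that TerminateTLS is expected to be a bare, already-normalized hostname, or normalizing it (the Web path trims the port before keying), since a value with a port suffix or a case difference would create a second loop for the same domain. EnsureCertLoops begins before the first hunk and continues past the second.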
@@ -127,6 +127,43 @@ func TestEnsureCertLoops(t *testing.T) {
 			initialGoroutines: 2, // initially two loops (one per service)
 			updatedGoroutines: 1, // one loop after removing service2
 		},
+		{
+			name: "tcp_terminate_tls",
+			initialConfig: &ipn.ServeConfig{
+				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
+					"svc:my-apiserver": {
+						TCP: map[uint16]*ipn.TCPPortHandler{
+							443: {
+								TCPForward:   "localhost:80",
+								TerminateTLS: "my-apiserver.tailnetxyz.ts.net",
+							},
+						},
+					},
+				},
+			},
+			initialGoroutines: 1,
+		},
+		{
+			name: "tcp_terminate_tls_and_web",
+			initialConfig: &ipn.ServeConfig{
+				Services: map[tailcfg.ServiceName]*ipn.ServiceConfig{
+					"svc:my-apiserver": {
+						TCP: map[uint16]*ipn.TCPPortHandler{
+							443: {
+								TCPForward:   "localhost:80",
+								TerminateTLS: "my-apiserver.tailnetxyz.ts.net",
+							},
+						},
+					},
+					"svc:my-app": {
+						Web: map[ipn.HostPort]*ipn.WebServerConfig{
+							"my-app.tailnetxyz.ts.net:443": {},
+						},
+					},
+				},
+			},
+			initialGoroutines: 2,
+		},
 		{
 			name: "add_domain",
 			initialConfig: &ipn.ServeConfig{
@@ -171,6 +208,7 @@ func TestEnsureCertLoops(t *testing.T) {
 				CertDomains: []string{
 					"my-app.tailnetxyz.ts.net",
 					"my-other-app.tailnetxyz.ts.net",
+					"my-apiserver.tailnetxyz.ts.net",
 				},
 			},
 		},
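Review bot: The two new cases in the first hunk only pin initialGoroutines and leave the update path untested, although the neighbouring case exercises it via updatedConfig/updatedGoroutines; a case that removes the TCP TerminateTLS handler and expects the loop count to drop would cover the cleanup side of the new branch. The negative branch is not covered either: a TCP handler with an empty TerminateTLS (or a nil handler entry) should produce no loop, and a case asserting initialGoroutines of 0 for that would document that contract. A third useful case is the same hostname configured both as a Web host and as a TCP TerminateTLS value, expecting a single loop, since that is the deduplication the shared currentDomains map is meant to give. The table literal starts before and ends after the hunk.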