diff --git a/k8s/aws/atst-nginx-configmap.yml b/k8s/aws/atst-nginx-configmap.yml index cd0d051e..2818ff2d 100644 --- a/k8s/aws/atst-nginx-configmap.yml +++ b/k8s/aws/atst-nginx-configmap.yml @@ -9,11 +9,10 @@ data: server { server_name aws.atat.code.mil; # access_log /var/log/nginx/access.log json; - listen 8442; - listen [::]:8442 ipv6only=on; - # if ($http_x_forwarded_proto != 'https') { - # return 301 https://$host$request_uri; - # } + listen 8442 ssl; + listen [::]:8442 ssl ipv6only=on; + ssl_certificate /etc/ssl/private/atat.crt; + ssl_certificate_key /etc/ssl/private/atat.key; location /login-redirect { return 301 https://auth-aws.atat.code.mil$request_uri; } 
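Review bot: The `aws.atat.code.mil` server now terminates TLS on nginx's default protocol and cipher policy, because the added `ssl_certificate`/`ssl_certificate_key` lines are not accompanied by any `ssl_protocols` or `ssl_ciphers` directive; depending on the nginx image version the defaults can still admit TLS 1.0 and 1.1. I would add, right after `ssl_certificate_key`, `ssl_protocols TLSv1.2 TLSv1.3;`, `ssl_prefer_server_ciphers on;` and `ssl_session_tickets off;` (or place them once in the `http` context so both server blocks in this ConfigMap inherit them). Both vhosts point at the same `/etc/ssl/private/atat.crt`, so that certificate presumably has to carry `aws.atat.code.mil` and `auth-aws.atat.code.mil` as SANs — worth confirming against the `aws-atat-code-mil-tls` secret. The server block continues past the end of this hunk.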
@@ -39,29 +38,14 @@ data: server { # access_log /var/log/nginx/access.log json; server_name auth-aws.atat.code.mil; - listen 8443; - listen [::]:8443 ipv6only=on; - # SSL server certificate and private key - # ssl_certificate /etc/ssl/private/auth.atat.crt; - # ssl_certificate_key /etc/ssl/private/auth.atat.key; - # Set SSL protocols, ciphers, and related options - # ssl_protocols TLSv1.3 TLSv1.2; - # ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - # ssl_prefer_server_ciphers on; - # ssl_ecdh_curve secp384r1; - # ssl_dhparam /etc/ssl/dhparam.pem; - # SSL session options - # ssl_session_timeout 4h; - # ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions - # ssl_session_tickets off; - # OCSP Stapling - # ssl_stapling on; - # ssl_stapling_verify on; - # resolver 8.8.8.8 8.8.4.4; + listen 8443 ssl; + listen [::]:8443 ssl ipv6only=on; + ssl_certificate /etc/ssl/private/atat.crt; + ssl_certificate_key /etc/ssl/private/atat.key; # Request and validate client certificate - # ssl_verify_client on; - # ssl_verify_depth 10; - # ssl_client_certificate /etc/ssl/client-ca-bundle.pem; + ssl_verify_client on; + ssl_verify_depth 10; + ssl_client_certificate /etc/ssl/client-ca-bundle.pem; # Guard against HTTPS -> HTTP downgrade add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always"; location / { 
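Review bot: Client-certificate validation is enabled with `ssl_verify_client on`, but nothing checks revocation: nginx only verifies the chain against `client-ca-bundle.pem` and will accept a revoked certificate unless an `ssl_crl` is configured. I would add `ssl_crl /etc/ssl/client-ca-crl.pem;` (mounted and refreshed alongside the CA bundle) or enforce revocation in the application from the forwarded certificate, and document which of the two is the control. This hunk also deletes the commented `ssl_protocols`, `ssl_ciphers`, `ssl_session_tickets off` and OCSP-stapling lines instead of enabling them, so the auth endpoint runs on nginx defaults; at minimum `ssl_protocols TLSv1.2 TLSv1.3;` should survive next to `ssl_certificate_key`. `ssl_verify_depth 10` is also generous for a known CA bundle — a depth matching the real issuing chain fails fast on unexpected chains. The server block and its `location /` continue past the hunk.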
@@ -73,12 +57,12 @@ data: location @app { include uwsgi_params; uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; - # uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify; - # uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert; - # uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn; - # uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy; - # uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn; - # uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy; + uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify; + uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert; + uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn; + uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy; + uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn; + uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy; uwsgi_param HTTP_X_REQUEST_ID $request_id; } } diff --git a/k8s/aws/aws.yml b/k8s/aws/aws.yml index a5ab4588..ceaa8993 100644 --- a/k8s/aws/aws.yml +++ b/k8s/aws/aws.yml @@ -60,6 +60,10 @@ spec: - name: nginx-htpasswd mountPath: "/etc/nginx/.htpasswd" subPath: .htpasswd + - name: tls + mountPath: "/etc/ssl/private" + - name: nginx-client-ca-bundle + mountPath: "/etc/ssl/" volumes: - name: atst-config secret: @@ -91,6 +95,16 @@ spec: - key: htpasswd path: .htpasswd mode: 0640 + - name: tls + secret: + secretName: aws-atat-code-mil-tls + items: + - key: tls.crt + path: atat.crt + mode: 0644 + - key: tls.key + path: atat.key + mode: 0640 --- apiVersion: extensions/v1beta1 kind: Deployment @@ -155,7 +169,7 @@ metadata: service.beta.kubernetes.io/aws-load-balancer-type: "nlb" spec: ports: - - port: 80 + - port: 443 targetPort: 8442 selector: role: web @@ -172,7 +186,7 @@ metadata: service.beta.kubernetes.io/aws-load-balancer-type: "nlb" spec: ports: - - port: 80 + - port: 443 targetPort: 8443 selector: role: web diff --git a/k8s/azure/atst-nginx-configmap.yml b/k8s/azure/atst-nginx-configmap.yml index 77f69e5f..c4b55d7a 100644 
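Review bot: The `HTTP_X_SSL_CLIENT_*` params are only declared in this mTLS vhost, yet the nginx uwsgi module forwards every client request header as an `HTTP_*` variable, so a request to the non-mTLS `aws.atat.code.mil` server — whose `@app` location is outside this diff and presumably proxies to the same `uwsgi.socket` — carrying forged `X-SSL-Client-Verify: SUCCESS` and `X-SSL-Client-S-DN` headers would reach the application looking like an authenticated one. In my reading of the module an explicit `uwsgi_param` suppresses the header-derived value only in the server block where it is declared. I would mirror these params in the other vhost's `@app` with neutral values, e.g. `uwsgi_param HTTP_X_SSL_CLIENT_VERIFY "NONE";` and `uwsgi_param HTTP_X_SSL_CLIENT_S_DN "";`, and have the application accept certificate identity only from the `auth-aws` host. Forwarding `$ssl_client_raw_cert` also pushes a multi-kilobyte PEM into every request, which can exceed uwsgi's default request-vars buffer (`buffer-size`); confirm it is raised or drop the param if only the DN is used.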
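Review bot: Mounting the `nginx-client-ca-bundle` volume at `/etc/ssl/` replaces the container's entire `/etc/ssl` directory, which hides `/etc/ssl/certs` and `openssl.cnf` if the image ships them there — anything in the pod relying on the system trust store (OCSP stapling, any outbound TLS) would stop finding it. The `.htpasswd` mount directly above already shows the safer pattern; I would mount the bundle the same way, `mountPath: "/etc/ssl/client-ca-bundle.pem"` with `subPath: client-ca-bundle.pem` (the key name inside that volume is not visible in this diff, so adjust to match). The nested `/etc/ssl/` and `/etc/ssl/private` mounts are supported by the kubelet, but a file-level mount avoids depending on their ordering.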
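Review bot: `tls.key` is projected with `mode: 0640`, and files from a Secret volume are owned by root unless the pod sets `securityContext.fsGroup`; that is fine if the nginx master process runs as root, but if the container drops privileges the key becomes unreadable and nginx fails at startup. The container's `securityContext` is outside this hunk, so I would confirm it, and if nginx runs unprivileged add `fsGroup` at the pod level rather than loosening the key mode. Keeping the certificate at `0644` and the key at `0640` is otherwise the right split.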
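Review bot: Dropping port 80 from both Services means a plain `http://aws.atat.code.mil` request is refused rather than redirected, and the `Strict-Transport-Security` header in the ConfigMap can only take effect after a client has reached the site over HTTPS once. With the NLB doing TCP passthrough, I would keep a second entry, `- port: 80` with its own `targetPort`, backed by a minimal nginx server that only does `return 301 https://$host$request_uri;`. The `$http_x_forwarded_proto` redirect this change deletes from the ConfigMap was the right idea but relied on a header an L4 NLB does not set.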
--- a/k8s/azure/atst-nginx-configmap.yml +++ b/k8s/azure/atst-nginx-configmap.yml @@ -9,11 +9,10 @@ data: server { server_name azure.atat.code.mil; # access_log /var/log/nginx/access.log json; - listen 8442; - listen [::]:8442 ipv6only=on; - # if ($http_x_forwarded_proto != 'https') { - # return 301 https://$host$request_uri; - # } + listen 8442 ssl; + listen [::]:8442 ssl ipv6only=on; + ssl_certificate /etc/ssl/private/atat.crt; + ssl_certificate_key /etc/ssl/private/atat.key; location /login-redirect { return 301 https://auth-azure.atat.code.mil$request_uri; } 
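Review bot: TLS is switched on for `azure.atat.code.mil` with certificate and key only; no `ssl_protocols`, `ssl_ciphers` or session-ticket setting is added, so the protocol and cipher policy is whatever the nginx image defaults to, which on older images includes TLS 1.0/1.1. I would place `ssl_protocols TLSv1.2 TLSv1.3;`, `ssl_prefer_server_ciphers on;` and `ssl_session_tickets off;` directly after `ssl_certificate_key` (or once in the `http` context so both server blocks share them). The same `/etc/ssl/private/atat.crt` serves both `azure.atat.code.mil` and `auth-azure.atat.code.mil`, so the `azure-atat-code-mil-tls` certificate presumably needs both names as SANs — worth verifying. The server block continues beyond this hunk.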
@@ -39,29 +38,14 @@ data: server { # access_log /var/log/nginx/access.log json; server_name auth-azure.atat.code.mil; - listen 8443; - listen [::]:8443 ipv6only=on; - # SSL server certificate and private key - # ssl_certificate /etc/ssl/private/auth.atat.crt; - # ssl_certificate_key /etc/ssl/private/auth.atat.key; - # Set SSL protocols, ciphers, and related options - # ssl_protocols TLSv1.3 TLSv1.2; - # ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - # ssl_prefer_server_ciphers on; - # ssl_ecdh_curve secp384r1; - # ssl_dhparam /etc/ssl/dhparam.pem; - # SSL session options - # ssl_session_timeout 4h; - # ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions - # ssl_session_tickets off; - # OCSP Stapling - # ssl_stapling on; - # ssl_stapling_verify on; - # resolver 8.8.8.8 8.8.4.4; + listen 8443 ssl; + listen [::]:8443 ssl ipv6only=on; + ssl_certificate /etc/ssl/private/atat.crt; + ssl_certificate_key /etc/ssl/private/atat.key; # Request and validate client certificate - # ssl_verify_client on; - # ssl_verify_depth 10; - # ssl_client_certificate /etc/ssl/client-ca-bundle.pem; + ssl_verify_client on; + ssl_verify_depth 10; + ssl_client_certificate /etc/ssl/client-ca-bundle.pem; # Guard against HTTPS -> HTTP downgrade add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always"; location / { 
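Review bot: `ssl_verify_client on` turns on client-certificate authentication for `auth-azure.atat.code.mil` without any revocation check — nginx validates the chain against `client-ca-bundle.pem` but, absent an `ssl_crl` directive, a revoked certificate still passes. I would add `ssl_crl /etc/ssl/client-ca-crl.pem;` with the CRL mounted and refreshed next to the bundle, or state explicitly that the application performs revocation from the forwarded certificate. The hunk also removes the commented `ssl_protocols`, `ssl_ciphers`, `ssl_session_tickets off` and OCSP-stapling lines rather than enabling them, leaving the auth endpoint on nginx defaults; `ssl_protocols TLSv1.2 TLSv1.3;` at least should be kept after `ssl_certificate_key`. A `ssl_verify_depth` matching the actual issuing chain rather than 10 fails fast on unexpected chains. The server block and `location /` continue past this hunk.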
@@ -73,12 +57,12 @@ data: location @app { include uwsgi_params; uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; - # uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify; - # uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert; - # uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn; - # uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy; - # uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn; - # uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy; + uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify; + uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert; + uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn; + uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy; + uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn; + uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy; uwsgi_param HTTP_X_REQUEST_ID $request_id; } } diff --git a/k8s/azure/azure.yml b/k8s/azure/azure.yml index 8fc03623..a3854665 100644 --- a/k8s/azure/azure.yml +++ b/k8s/azure/azure.yml @@ -60,6 +60,10 @@ spec: - name: nginx-htpasswd mountPath: "/etc/nginx/.htpasswd" subPath: .htpasswd + - name: tls + mountPath: "/etc/ssl/private" + - name: nginx-client-ca-bundle + mountPath: "/etc/ssl/" volumes: - name: atst-config secret: @@ -91,6 +95,16 @@ spec: - key: htpasswd path: .htpasswd mode: 0640 + - name: tls + secret: + secretName: azure-atat-code-mil-tls + items: + - key: tls.crt + path: atat.crt + mode: 0644 + - key: tls.key + path: atat.key + mode: 0640 --- apiVersion: extensions/v1beta1 kind: Deployment @@ -154,7 +168,7 @@ metadata: spec: loadBalancerIP: 13.92.235.6 ports: - - port: 80 + - port: 443 targetPort: 8442 selector: role: web @@ -170,7 +184,7 @@ metadata: spec: loadBalancerIP: 23.100.24.41 ports: - - port: 80 + - port: 443 targetPort: 8443 selector: role: web
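Review bot: These `uwsgi_param HTTP_X_SSL_CLIENT_*` lines apply only to the mTLS vhost, but nginx's uwsgi module also passes every incoming request header to the backend as `HTTP_*`, so a request hitting the non-mTLS `azure.atat.code.mil` server (whose `@app` location is not in this diff and presumably uses the same `uwsgi.socket`) with a forged `X-SSL-Client-Verify: SUCCESS` header arrives at the application indistinguishable from a verified one. As far as I can tell an explicit `uwsgi_param` only suppresses the header-derived value in the server block that declares it. I would add matching neutral params to the other vhost's `@app`, e.g. `uwsgi_param HTTP_X_SSL_CLIENT_VERIFY "NONE";` and `uwsgi_param HTTP_X_SSL_CLIENT_S_DN "";`, and have the application trust certificate identity only on the `auth-azure` host. Passing `$ssl_client_raw_cert` adds a multi-kilobyte PEM to every request, which can overflow uwsgi's default request-vars buffer (`buffer-size`) — confirm it is raised or drop the param if only the DN is consumed.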
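Review bot: The `nginx-client-ca-bundle` volume is mounted over `/etc/ssl/`, which replaces the image's whole `/etc/ssl` tree in the container and hides `/etc/ssl/certs` and `openssl.cnf` if the image keeps them there, so any component using the system trust store (OCSP stapling, outbound TLS) would lose it. Following the `.htpasswd` mount on the preceding line, I would mount just the file: `mountPath: "/etc/ssl/client-ca-bundle.pem"` with `subPath: client-ca-bundle.pem` (the volume's key name is not visible here, so adjust accordingly). That also removes the dependency on the kubelet's ordering of the nested `/etc/ssl/` and `/etc/ssl/private` mounts.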
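Review bot: The key file is projected with `mode: 0640`, while Secret-volume files are root-owned unless the pod sets `securityContext.fsGroup`; if the nginx container runs unprivileged (its `securityContext` is outside this hunk) the key will be unreadable and nginx will fail to start. I would verify the container's user and, if it is non-root, add `fsGroup` at the pod level instead of relaxing the mode. The 0644/0640 split between certificate and key is otherwise correct.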
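Review bot: Removing port 80 from the two Services (`loadBalancerIP` 13.92.235.6 and 23.100.24.41) leaves plain-HTTP requests refused rather than redirected, and the `Strict-Transport-Security` header in the ConfigMap can only protect users who have already reached the site over HTTPS. Since the Azure load balancer here is passing TCP through to the pod, I would keep a `- port: 80` entry with its own `targetPort` served by a minimal nginx server that only does `return 301 https://$host$request_uri;`. The `$http_x_forwarded_proto` check deleted from the ConfigMap was aiming at this but depended on a header an L4 load balancer does not set.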