diff --git a/templates/_backendTLSConfig.tpl b/templates/_backendTLSConfig.tpl
new file mode 100644
index 0000000..08e705d
--- /dev/null
+++ b/templates/_backendTLSConfig.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "reposilite.backendTLSConfig.annotations" -}}
+{{ include "reposilite.annotations" . }}
+{{- if .Values.gatewayAPI.core.backendTLSConfig.annotations }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSConfig.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "reposilite.backendTLSConfig.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+           .Values.gatewayAPI.core.backendTLSConfig.enabled
+           .Values.service.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "reposilite.backendTLSConfig.labels" -}}
+{{ include "reposilite.labels" . }}
+{{- if .Values.gatewayAPI.core.backendTLSConfig.labels }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSConfig.labels }}
+{{- end }}
+{{- end }}
diff --git a/templates/backendTLSConfig.yaml b/templates/backendTLSConfig.yaml
new file mode 100644
index 0000000..e12395f
--- /dev/null
+++ b/templates/backendTLSConfig.yaml
@@ -0,0 +1,25 @@
+{{- if eq (include "reposilite.backendTLSConfig.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+  {{- with (include "reposilite.backendTLSConfig.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "reposilite.backendTLSConfig.labels" . | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "reposilite.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRefs:
+    - group: ""
+      kind: Service
+      name: {{ include "reposilite.service.name" . }}
+  {{- with .Values.gatewayAPI.core.backendTLSConfig.validation }}
+  validation:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/unittests/backendTLSConfig/backendTLSConfig.yaml b/unittests/backendTLSConfig/backendTLSConfig.yaml
new file mode 100644
index 0000000..254a5b7
--- /dev/null
+++ b/unittests/backendTLSConfig/backendTLSConfig.yaml
@@ -0,0 +1,111 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: BackendTLSConfig template
+release:
+  name: reposilite-unittest
+  namespace: testing
+templates:
+- templates/backendTLSConfig.yaml
+tests:
+- it: Skip rendering when disabled 1/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSConfig.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 2/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSConfig.enabled: false
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 3/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSConfig.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 4/6
+  set:
+    gatewayAPI.enabled: false
+    gatewayAPI.core.backendTLSConfig.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 5/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSConfig.enabled: false
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip rendering when disabled 6/6
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSConfig.enabled: true
+    service.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Render default values
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSConfig.enabled: true
+    # gatewayAPI.core.backendTLSConfig.validation:
+    #   caCertificateRefs:
+    #     - group: ""
+    #       kind: Secret
+    #       name: reposilite-ca
+    #   hostname: reposilite.svc.cluster.local
+    service.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: gateway.networking.k8s.io/v1
+      kind: BackendTLSPolicy
+      name: reposilite-unittest
+      namespace: testing
+  - contains:
+      path: spec.targetRefs
+      content:
+        group: ""
+        kind: Service
+        name: reposilite-unittest
+  - notExists:
+      path: spec.validation.caCertificateRefs
+
+- it: Render with custom validation
+  set:
+    gatewayAPI.enabled: true
+    gatewayAPI.core.backendTLSConfig.enabled: true
+    gatewayAPI.core.backendTLSConfig.validation:
+      caCertificateRefs:
+        - group: ""
+          kind: Secret
+          name: reposilite-ca
+      hostname: reposilite.svc.cluster.local
+    service.enabled: true
+  asserts:
+  - isSubset:
+      path: spec.validation
+      content:
+        caCertificateRefs:
+          - group: ""
+            kind: Secret
+            name: reposilite-ca
\ No newline at end of file