diff --git a/apisix/core/env.lua b/apisix/core/env.lua
index 2bab043..6a57a70 100644
--- a/apisix/core/env.lua
+++ b/apisix/core/env.lua
@@ -87,6 +87,7 @@
 
 
 function _M.fetch_by_uri(env_uri)
+    log.info("fetching data from env uri: ", env_uri)
     local opts, err = parse_env_uri(env_uri)
     if not opts then
         return nil, err
diff --git a/apisix/schema_def.lua b/apisix/schema_def.lua
index f320744..2e289db 100644
--- a/apisix/schema_def.lua
+++ b/apisix/schema_def.lua
@@ -714,6 +714,12 @@
 _M.upstream = upstream_schema
 
 
+local secret_uri_schema = {
+    type = "string",
+    pattern = "^\\$(secret|env|ENV)://"
+}
+
+
 _M.ssl = {
     type = "object",
     properties = {
@@ -729,14 +735,13 @@
         cert = {
             oneOf = {
                 certificate_scheme,
-                -- TODO: uniformly define the schema of secret_uri
-                { type = "string", pattern = "^\\$(secret|env)://"}
+                secret_uri_schema
             }
         },
         key = {
             oneOf = {
                 private_key_schema,
-                { type = "string", pattern = "^\\$(secret|env)://"}
+                secret_uri_schema
             }
         },
         sni = {
@@ -753,11 +758,21 @@
         },
         certs = {
             type = "array",
-            items = certificate_scheme,
+            items = {
+                oneOf = {
+                    certificate_scheme,
+                    secret_uri_schema
+                }
+            }
         },
         keys = {
             type = "array",
-            items = private_key_schema,
+            items = {
+                oneOf = {
+                    private_key_schema,
+                    secret_uri_schema
+                }
+            }
         },
         client = {
             type = "object",
diff --git a/apisix/secret.lua b/apisix/secret.lua
index 6ba0276..60e575b 100644
--- a/apisix/secret.lua
+++ b/apisix/secret.lua
@@ -135,6 +135,7 @@
 
 
 local function fetch_by_uri(secret_uri)
+    core.log.info("fetching data from secret uri: ", secret_uri)
     local opts, err = parse_secret_uri(secret_uri)
     if not opts then
         return nil, err
diff --git a/apisix/ssl.lua b/apisix/ssl.lua
index 81fdf1c..ad82082 100644
--- a/apisix/ssl.lua
+++ b/apisix/ssl.lua
@@ -278,8 +278,8 @@
     end
 
     for i = 1, numcerts do
-        if not secret.check_secret_uri(conf.cert[i]) and
-            not secret.check_secret_uri(conf.key[i]) then
+        if not secret.check_secret_uri(conf.certs[i]) and
+            not secret.check_secret_uri(conf.keys[i]) then
 
             local ok, err = validate(conf.certs[i], conf.keys[i])
             if not ok then
diff --git a/docs/en/latest/admin-api.md b/docs/en/latest/admin-api.md
index e280762..d928e7a 100644
--- a/docs/en/latest/admin-api.md
+++ b/docs/en/latest/admin-api.md
@@ -1204,8 +1204,8 @@
 | ------------ | -------- | ------------------------ | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
 | cert         | True     | Certificate              | HTTPS certificate. This field supports saving the value in Secret Manager using the [APISIX Secret](./terminology/secret.md) resource.                                                                                             |                                                  |
 | key          | True     | Private key              | HTTPS private key. This field supports saving the value in Secret Manager using the [APISIX Secret](./terminology/secret.md) resource.                                                                                             |                                                  |
-| certs        | False    | An array of certificates | Used for configuring multiple certificates for the same domain excluding the one provided in the `cert` field. |                                                  |
-| keys         | False    | An array of private keys | Private keys to pair with the `certs`.                                                                         |                                                  |
+| certs        | False    | An array of certificates | Used for configuring multiple certificates for the same domain excluding the one provided in the `cert` field. This field supports saving the value in Secret Manager using the [APISIX Secret](./terminology/secret.md) resource.  |                                                  |
+| keys         | False    | An array of private keys | Private keys to pair with the `certs`. This field supports saving the value in Secret Manager using the [APISIX Secret](./terminology/secret.md) resource.                                                                   |                                                  |
 | client.ca    | False    | Certificate              | Sets the CA certificate that verifies the client. Requires OpenResty 1.19+.                                    |                                                  |
 | client.depth | False    | Certificate              | Sets the verification depth in client certificate chains. Defaults to 1. Requires OpenResty 1.19+.             |                                                  |
 | client.skip_mtls_uri_regex | False    | An array of regular expressions, in PCRE format              | Used to match URI, if matched, this request bypasses the client certificate checking, i.e. skip the MTLS.             | ["/hello[0-9]+", "/foobar"]                                                |
diff --git a/docs/zh/latest/admin-api.md b/docs/zh/latest/admin-api.md
index 461771a..5cefb42 100644
--- a/docs/zh/latest/admin-api.md
+++ b/docs/zh/latest/admin-api.md
@@ -1205,8 +1205,8 @@
 | ----------- | ------ | -------------- | ------------------------------------------------------------------------------------------------------ | ------------------------------------------------ |
 | cert        | 是     | 证书           | HTTP 证书。该字段支持使用 [APISIX Secret](./terminology/secret.md) 资源，将值保存在 Secret Manager 中。                                                                                             |                                                  |
 | key         | 是     | 私钥           | HTTPS 证书私钥。该字段支持使用 [APISIX Secret](./terminology/secret.md) 资源，将值保存在 Secret Manager 中。                                                                                         |                                                  |
-| certs       | 否   | 证书字符串数组 | 当你想给同一个域名配置多个证书时，除了第一个证书需要通过 `cert` 传递外，剩下的证书可以通过该参数传递上来。 |                                                  |
-| keys        | 否   | 私钥字符串数组 | `certs` 对应的证书私钥，需要与 `certs` 一一对应。                                                          |                                                  |
+| certs       | 否   | 证书字符串数组 | 当你想给同一个域名配置多个证书时，除了第一个证书需要通过 `cert` 传递外，剩下的证书可以通过该参数传递上来。该字段支持使用 [APISIX Secret](./terminology/secret.md) 资源，将值保存在 Secret Manager 中。 |                                                  |
+| keys        | 否   | 私钥字符串数组 | `certs` 对应的证书私钥，需要与 `certs` 一一对应。该字段支持使用 [APISIX Secret](./terminology/secret.md) 资源，将值保存在 Secret Manager 中。                                                          |                                                  |
 | client.ca   | 否   | 证书 |  设置将用于客户端证书校验的 `CA` 证书。该特性需要 OpenResty 为 1.19 及以上版本。  |                                                  |
 | client.depth | 否   | 辅助 |  设置客户端证书校验的深度，默认为 1。该特性需要 OpenResty 为 1.19 及以上版本。 |                                             |
 | client.skip_mtls_uri_regex | 否   | PCRE 正则表达式数组 |  用来匹配请求的 URI，如果匹配，则该请求将绕过客户端证书的检查，也就是跳过 MTLS。 | ["/hello[0-9]+", "/foobar"]                                            |
diff --git a/t/admin/ssl.t b/t/admin/ssl.t
index b03eb49..24a2c99 100644
--- a/t/admin/ssl.t
+++ b/t/admin/ssl.t
@@ -680,3 +680,123 @@
 GET /t
 --- response_body chomp
 passed
+
+
+
+=== TEST 21: set ssl with sercret
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local t = require("lib.test_admin")
+
+            local data = {
+                sni = "test.com",
+                cert = "$secret://vault/test/ssl/test.com.crt",
+                key = "$secret://vault/test/ssl/test.com.key",
+                certs = {"$secret://vault/test/ssl/test.com.2.crt"},
+                keys = {"$secret://vault/test/ssl/test.com.2.key"}
+            }
+
+            local code, body = t.test('/apisix/admin/ssls/1',
+                ngx.HTTP_PUT,
+                core.json.encode(data),
+                [[{
+                    "value": {
+                        "sni": "test.com",
+                        "cert": "$secret://vault/test/ssl/test.com.crt",
+                        "key": "$secret://vault/test/ssl/test.com.key",
+                        "certs": ["$secret://vault/test/ssl/test.com.2.crt"],
+                        "keys": ["$secret://vault/test/ssl/test.com.2.key"]
+                    },
+                    "key": "/apisix/ssls/1"
+                }]]
+                )
+
+            ngx.status = code
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 22: set ssl with env, and prefix is all uppercase or lowercase
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local t = require("lib.test_admin")
+
+            local data = {
+                sni = "test.com",
+                cert = "$ENV://APISIX_TEST_SSL_CERT",
+                key = "$env://APISIX_TEST_SSL_KEY",
+                certs = {"$env://APISIX_TEST_SSL_CERTS"},
+                keys = {"$ENV://APISIX_TEST_SSL_KEYS"},
+            }
+
+            local code, body = t.test('/apisix/admin/ssls/1',
+                ngx.HTTP_PUT,
+                core.json.encode(data),
+                [[{
+                    "value": {
+                        "sni": "test.com",
+                        "cert": "$ENV://APISIX_TEST_SSL_CERT",
+                        "key": "$env://APISIX_TEST_SSL_KEY",
+                        "certs": ["$env://APISIX_TEST_SSL_CERTS"],
+                        "keys": ["$ENV://APISIX_TEST_SSL_KEYS"]
+                    },
+                    "key": "/apisix/ssls/1"
+                }]]
+                )
+
+            ngx.status = code
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 23: set ssl with invalid prefix
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local t = require("lib.test_admin")
+
+            local data = {
+                sni = "test.com",
+                cert = "$ENV://APISIX_TEST_SSL_CERT",
+                key = "$env://APISIX_TEST_SSL_KEY",
+                certs = {"https://APISIX_TEST_SSL_CERTS"},
+                keys = {"$ENV://APISIX_TEST_SSL_KEYS"},
+            }
+
+            local code, body = t.test('/apisix/admin/ssls/1',
+                ngx.HTTP_PUT,
+                core.json.encode(data),
+                [[{
+                    "value": {
+                        "sni": "test.com"
+                    },
+                    "key": "/apisix/ssls/1"
+                }]]
+                )
+
+            ngx.status = code
+            ngx.print(body)
+        }
+    }
+--- request
+GET /t
+--- error_code: 400
+--- response_body
+{"error_msg":"invalid configuration: property \"certs\" validation failed: failed to validate item 1: value should match only one schema, but matches none"}
diff --git a/t/node/ssl.t b/t/node/ssl.t
new file mode 100644
index 0000000..3334736
--- /dev/null
+++ b/t/node/ssl.t
@@ -0,0 +1,243 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+BEGIN {
+    sub set_env_from_file {
+        my ($env_name, $file_path) = @_;
+
+        open my $fh, '<', $file_path or die $!;
+        my $content = do { local $/; <$fh> };
+        close $fh;
+
+        $ENV{$env_name} = $content;
+    }
+    # set env
+    set_env_from_file('TEST_CERT', 't/certs/apisix.crt');
+    set_env_from_file('TEST_KEY', 't/certs/apisix.key');
+    set_env_from_file('TEST2_CERT', 't/certs/test2.crt');
+    set_env_from_file('TEST2_KEY', 't/certs/test2.key');
+}
+
+use t::APISIX 'no_plan';
+
+log_level('info');
+no_root_location();
+
+sub set_env_from_file {
+    my ($env_name, $file_path) = @_;
+
+    open my $fh, '<', $file_path or die $!;
+    my $content = do { local $/; <$fh> };
+    close $fh;
+
+    $ENV{$env_name} = $content;
+}
+
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if (!$block->request) {
+        $block->set_value("request", "GET /t");
+    }
+
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: store two certs and keys in vault
+--- exec
+VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/ssl \
+    test.com.crt=@t/certs/apisix.crt \
+    test.com.key=@t/certs/apisix.key \
+    test.com.2.crt=@t/certs/test2.crt \
+    test.com.2.key=@t/certs/test2.key
+--- response_body
+Success! Data written to: kv/apisix/ssl
+
+
+
+=== TEST 2: set secret
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/secrets/vault/test',
+                ngx.HTTP_PUT,
+                [[{
+                    "uri": "http://0.0.0.0:8200",
+                    "prefix": "kv/apisix",
+                    "token": "root"
+                }]],
+                [[{
+                    "key": "/apisix/secrets/vault/test",
+                    "value": {
+                        "uri": "http://0.0.0.0:8200",
+                        "prefix": "kv/apisix",
+                        "token": "root"
+                    }
+                }]]
+                )
+            ngx.status = code
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 3: set ssl with two certs and keys in vault
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local t = require("lib.test_admin")
+
+            local data = {
+                snis = {"test.com"},
+                key =  "$secret://vault/test/ssl/test.com.key",
+                cert = "$secret://vault/test/ssl/test.com.crt",
+                keys = {"$secret://vault/test/ssl/test.com.2.key"},
+                certs = {"$secret://vault/test/ssl/test.com.2.crt"}
+            }
+
+            local code, body = t.test('/apisix/admin/ssls/1',
+                ngx.HTTP_PUT,
+                core.json.encode(data),
+                [[{
+                    "value": {
+                        "snis": ["test.com"],
+                        "key": "$secret://vault/test/ssl/test.com.key",
+                        "cert": "$secret://vault/test/ssl/test.com.crt",
+                        "keys": ["$secret://vault/test/ssl/test.com.2.key"],
+                        "certs": ["$secret://vault/test/ssl/test.com.2.crt"]
+                    },
+                    "key": "/apisix/ssls/1"
+                }]]
+              )
+
+            ngx.status = code
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 4: set route
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/2',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1980": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 5: access to https with test.com
+--- exec
+curl -s -k https://test.com:1994/hello
+--- response_body
+hello world
+--- error_log
+fetching data from secret uri
+fetching data from secret uri
+fetching data from secret uri
+fetching data from secret uri
+
+
+
+=== TEST 6: set ssl with two certs and keys in env
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local t = require("lib.test_admin")
+
+            local data = {
+                snis = {"test.com"},
+                key =  "$env://TEST_KEY",
+                cert = "$env://TEST_CERT",
+                keys = {"$env://TEST2_KEY"},
+                certs = {"$env://TEST2_CERT"}
+            }
+
+            local code, body = t.test('/apisix/admin/ssls/1',
+                ngx.HTTP_PUT,
+                core.json.encode(data),
+                [[{
+                    "value": {
+                        "snis": ["test.com"],
+                        "key": "$env://TEST_KEY",
+                        "cert": "$env://TEST_CERT",
+                        "keys": ["$env://TEST2_KEY"],
+                        "certs": ["$env://TEST2_CERT"]
+                    },
+                    "key": "/apisix/ssls/1"
+                }]]
+              )
+
+            ngx.status = code
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 7: access to https with test.com
+--- exec
+curl -s -k https://test.com:1994/hello
+--- response_body
+hello world
+--- error_log
+fetching data from env uri
+fetching data from env uri
+fetching data from env uri
+fetching data from env uri