diff --git a/pkg/apis/networking/register.go b/pkg/apis/networking/register.go
index e88e9b5c0..4a7a82bc4 100644
--- a/pkg/apis/networking/register.go
+++ b/pkg/apis/networking/register.go
@@ -119,6 +119,10 @@ const (
 	// already using labels for domain, it probably best to keep this
 	// consistent.
 	VisibilityLabelKey = PublicGroupName + "/visibility"
+
+	// CertificateTypeLabelKey is the label to indicate the type of Knative certificate
+	// used for Knative Serving encryption functionality.
+	CertificateTypeLabelKey = PublicGroupName + "/certificate-type"
 )
 
 // Pseudo-constants
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 028937067..849753542 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -67,12 +67,6 @@ const (
 	// Certificate reconciler.
 	CertManagerCertificateClassName = "cert-manager.certificate.networking.knative.dev"
 
-	// ServingInternalCertName is the name of secret contains certificates in serving
-	// system namespace.
-	//
-	// Deprecated: ServingInternalCertName is deprecated. Use ServingRoutingCertName instead.
-	ServingInternalCertName = "knative-serving-certs"
-
 	// ServingRoutingCertName is the name of secret contains certificates for Routing data in serving
 	// system namespace. (Used by Ingress GWs and Activator)
 	ServingRoutingCertName = "routing-serving-certs"
@@ -148,6 +142,20 @@ const (
 	SystemInternalTLSKey = "system-internal-tls"
 )
 
+// CertificateType indicates the type of Knative Certificate.
+type CertificateType string
+
+const (
+	// CertificateSystemInternal defines a certificate used for `system-internal-tls`
+	CertificateSystemInternal CertificateType = "system-internal"
+
+	// CertificateClusterLocalDomain defines a certificate used for `cluster-local-domain-tls`.
+	CertificateClusterLocalDomain CertificateType = "cluster-local-domain"
+
+	// CertificateExternalDomain defines a cerificate used for `external-domain-tls`.
+	CertificateExternalDomain CertificateType = "external-domain"
+)
+
 // EncryptionConfig indicates the encryption configuration
 // used for TLS connections.
 type EncryptionConfig string