diff --git a/apisix/schema_def.lua b/apisix/schema_def.lua
index 2d26a3b8f9a2..bae273c96a17 100644
--- a/apisix/schema_def.lua
+++ b/apisix/schema_def.lua
@@ -727,15 +727,15 @@ _M.ssl = {
 },
 cert = {
 oneOf = {
- { type = "string", minLength = 128, maxLength = 64*1024},
+ certificate_scheme,
 -- TODO: uniformly define the schema of secret_uri
- { type = "string", pattern = "^\\$secret://"}
+ { type = "string", pattern = "^\\$(secret|env)://"}
 }
 },
 key = {
 oneOf = {
- { type = "string", minLength = 128, maxLength = 64*1024},
- { type = "string", pattern = "^\\$secret://"}
+ private_key_schema,
+ { type = "string", pattern = "^\\$(secret|env)://"}
 }
 },
 sni = {
diff --git a/apisix/secret.lua b/apisix/secret.lua
index 04bf4bb1bf4d..3d4c33dd9c91 100644
--- a/apisix/secret.lua
+++ b/apisix/secret.lua
@@ -116,7 +116,8 @@ local function check_secret_uri(secret_uri)
 return false, "error secret_uri type: " .. type(secret_uri)
 end
- if not string.has_prefix(secret_uri, PREFIX) then
+ if not string.has_prefix(upper(secret_uri), PREFIX) and
+ not string.has_prefix(upper(secret_uri), core.env.PREFIX) then
 return false, "error secret_uri prefix: " .. secret_uri
 end
diff --git a/apisix/ssl.lua b/apisix/ssl.lua
index 882b56a47d9e..b1575f3fd7cf 100644
--- a/apisix/ssl.lua
+++ b/apisix/ssl.lua
@@ -253,8 +253,8 @@ function _M.check_ssl_conf(in_dp, conf)
 end
 end
- -- if the certificate uses a secret reference, we only verify it when using it
- if not secret.check_secret_uri(conf.cert) and
+ -- if the certificate or key uses a secret reference, we only verify it when using it
+ if not secret.check_secret_uri(conf.cert) or
 not secret.check_secret_uri(conf.key) then
 local ok, err = validate(conf.cert, conf.key)
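Review bot: The reference alternative `{ type = "string", pattern = "^\\$(secret|env)://" }` is written out twice in this hunk, once under `cert.oneOf` and once under `key.oneOf`, while the PEM alternatives were hoisted into the named locals `certificate_scheme` and `private_key_schema` (presumably declared earlier in the file, outside the hunk); the hunk's own `-- TODO: uniformly define the schema of secret_uri` could be closed the same way with `local secret_uri_schema = { type = "string", pattern = "^\\$(secret|env)://" }` next to those locals and a reference to it in both places. The two new names are also spelled inconsistently (`certificate_scheme` versus `private_key_schema`); `certificate_schema` would match. Note that the pattern is case-sensitive, so only lower-case `$secret://` and `$env://` pass this schema, whereas the `check_secret_uri` change in the same commit upper-cases the URI before the prefix comparison, so the two layers may disagree on mixed-case references. The `_M.ssl` table continues outside the hunk.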
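Review bot: `upper(secret_uri)` is evaluated twice in the new condition; hoist it once before the `if`, `local uri = upper(secret_uri)`, and compare `uri` against both prefixes. Since the URI side is now upper-cased, the check only works if `PREFIX` and `core.env.PREFIX` are themselves upper-case constants, neither of which is visible in the hunk, so a comment on the `if` would help the next reader, e.g. `-- scheme match is case-insensitive; PREFIX and core.env.PREFIX must be upper-case`. This is also looser than the schema pattern `^\\$(secret|env)://` added in the same commit, which accepts only lower-case scheme names, so the set of references accepted here and by the schema differ for mixed-case input; one case rule for both layers would be clearer. The body of `check_secret_uri` continues outside the hunk.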
@@ -274,7 +274,7 @@ function _M.check_ssl_conf(in_dp, conf)
 end
 for i = 1, numcerts do
- if not secret.check_secret_uri(conf.cert[i]) and
+ if not secret.check_secret_uri(conf.cert[i]) or
 not secret.check_secret_uri(conf.key[i]) then
 local ok, err = validate(conf.certs[i], conf.keys[i])
diff --git a/t/router/radixtree-sni2.t b/t/router/radixtree-sni2.t
index 01460c8a79d6..50eed9297632 100644
--- a/t/router/radixtree-sni2.t
+++ b/t/router/radixtree-sni2.t
@@ -578,7 +578,7 @@ GET /t
 local code, body = t('/apisix/admin/ssls/1',
 ngx.HTTP_PUT,
 [[{
- "cert": "$secret://vault/test1/ssl/test2.com.crt",
+ "cert": "$secret://vault/test1/ssl/test2.com.crt",
 "key": "$secret://vault/test1/ssl/test2.com.key",
 "sni": "test2.com"
 }]]