diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9780eccfb1a98..3468f5768a530 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ Please avoid adding duplicate information across this changelog and JIRA/doc inp
 - ROX-13493: Support for scale subresource in the admission controller to enable policy detection and enforcement on admission review requests on the scale subresource.
 - RHPF-98: Log creation of API token. The token creation log message will trigger an administration event.
 - ROX-28716: New policy criterion "Days Since CVE Was Published" to allow creation of a policy that offers a grace period to teams to fix vulnerabilities within the number of days from when the CVE was published in the vulnerability feeds.
+- ROX-28296: Support for an OpenShift reencrypt route to expose Central (`central.exposure.route.reencrypt.enabled: true`).
 
 ### Removed Features
 
diff --git a/image/templates/helm/stackrox-central/internal/config-shape.yaml b/image/templates/helm/stackrox-central/internal/config-shape.yaml
index e5d3c056b0294..a3bbaa35c9aac 100644
--- a/image/templates/helm/stackrox-central/internal/config-shape.yaml
+++ b/image/templates/helm/stackrox-central/internal/config-shape.yaml
@@ -71,6 +71,14 @@ central:
 route:
 enabled: null # bool
 host: null # string
+ reencrypt:
+ enabled: null # bool
+ host: null # string
+ tls:
+ caCertificate: null # string
+ certificate: null # string
+ destinationCACertificate: null # string
+ key: null # string
 declarativeConfiguration:
 mounts:
 configMaps: null # [string]
diff --git a/image/templates/helm/stackrox-central/internal/defaults.yaml.htpl b/image/templates/helm/stackrox-central/internal/defaults.yaml.htpl
index 02bbfe18b90ae..04a96db933c1d 100644
--- a/image/templates/helm/stackrox-central/internal/defaults.yaml.htpl
+++ b/image/templates/helm/stackrox-central/internal/defaults.yaml.htpl
@@ -69,9 +69,10 @@ defaults:
 port: 443
 nodePort:
 enabled: false
- port: null
 route:
 enabled: false
+ reencrypt:
+ enabled: false
 db:
 external: false
diff --git a/image/templates/helm/stackrox-central/templates/01-central-15-exposure.yaml b/image/templates/helm/stackrox-central/templates/01-central-15-exposure.yaml
index 9bfdbbb8d72b1..f0678cf55e9b3 100644
--- a/image/templates/helm/stackrox-central/templates/01-central-15-exposure.yaml
+++ b/image/templates/helm/stackrox-central/templates/01-central-15-exposure.yaml
@@ -12,7 +12,7 @@ metadata:
 {{- include "srox.annotations" (list . "route" "central") | nindent 4 }}
 spec:
 {{- if ._rox.central.exposure.route.host }}
- host: {{ ._rox.central.exposure.route.host }}
+ host: {{ ._rox.central.exposure.route.host | quote }}
 {{- end }}
 port:
 targetPort: https
@@ -41,6 +41,50 @@ spec:
 kind: Service
 name: central
 ---
+
+{{ $reencryptConfig := ._rox.central.exposure.route.reencrypt }}
+{{- if $reencryptConfig.enabled }}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: central-reencrypt
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "srox.labels" (list . "route" "central-reencrypt") | nindent 4 }}
+ annotations:
+ {{- include "srox.annotations" (list . "route" "central-reencrypt") | nindent 4 }}
+spec:
+{{- if $reencryptConfig.host }}
+ host: {{ $reencryptConfig.host | quote }}
+{{- end }}
+ port:
+ targetPort: https
+ tls:
+ termination: reencrypt
+ {{- with $reencryptConfig.tls }}
+ {{- if .caCertificate }}
+ caCertificate: |
+ {{- .caCertificate | nindent 6 }}
+ {{- end }}
+ {{- if .certificate }}
+ certificate: |
+ {{- .certificate | nindent 6 }}
+ {{- end }}
+ {{- if .destinationCACertificate }}
+ destinationCACertificate: |
+ {{- .destinationCACertificate | nindent 6 }}
+ {{- end }}
+ {{- if .key }}
+ key: |
+ {{- .key | nindent 6 }}
+ {{- end }}
+ {{- end }}
+ to:
+ kind: Service
+ name: central
+---
+{{- end }}
+
 {{- end }}
 
 {{- if ._rox.central.exposure.nodePort.enabled }}
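Review bot: The removal of `- port: null` under `nodePort` is unrelated to the reencrypt route and is not reflected in the changelog entry or anywhere else in this diff, so a reader cannot tell whether dropping the key is deliberate. If it is, a sentence in the commit description saying why the explicit null default is no longer wanted would make the intent clear; otherwise the line should stay. The new `reencrypt.enabled: false` default itself matches the `enabled: null # bool` declaration added to config-shape.yaml.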
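Review bot: The new Route appears to be rendered inside the enclosing `{{- if ._rox.central.exposure.route.enabled }}` block — the context `{{- end }}` right after the added `+{{- end }}` closes a conditional that starts outside this hunk — so `route.reencrypt.enabled: true` together with `route.enabled: false` silently renders no route at all. If the reencrypt route is meant to be usable on its own, the `$reencryptConfig` block should move outside that conditional; if not, `_init.tpl` should fail or at least warn when reencrypt is enabled while the passthrough route is disabled. Note also that `tls.key` is written into the Route object itself (as OpenShift requires), so anyone with read access to Routes in the namespace can read the serving private key; that is worth stating in the values example so operators scope Route permissions accordingly. A style point: `{{ $reencryptConfig := ._rox.central.exposure.route.reencrypt }}` lacks the `-` trim used on the surrounding directives and leaves a stray blank line in the rendered manifest; `{{- $reencryptConfig := ._rox.central.exposure.route.reencrypt }}` matches the rest of the file.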
diff --git a/image/templates/helm/stackrox-central/templates/_init.tpl.htpl b/image/templates/helm/stackrox-central/templates/_init.tpl.htpl index 0e75a60c19ad7..2d98a2dda2da1 100644 --- a/image/templates/helm/stackrox-central/templates/_init.tpl.htpl +++ b/image/templates/helm/stackrox-central/templates/_init.tpl.htpl @@ -208,6 +208,24 @@ {{ end }} {{ $_ = set $._rox "_additionalCAs" $additionalCAs }} +{{/* Route configuration */}} +{{ $reencryptConfig := $._rox.central.exposure.route.reencrypt }} +{{ if $reencryptConfig.enabled }} + {{/* Default the destination CA certificate to the Central CA. */}} + {{ if kindIs "invalid" $reencryptConfig.tls.destinationCACertificate }} + {{ if kindIs "invalid" $._rox._ca.Cert }} + {{ include "srox.warn" (list $ "The reencrypt route does not specify a destination certificate authority. Routing may be impaired.") }} + {{ else }} + {{ $_ := set $reencryptConfig.tls "destinationCACertificate" $._rox._ca.Cert }} + {{ end }} + {{ end }} + {{ if and (kindIs "invalid" $reencryptConfig.tls.certificate) (kindIs "invalid" $reencryptConfig.tls.key) }} + {{ include "srox.note" (list $ "The reencrypt route will serve a certificate signed by the OpenShift certificate authority.") }} + {{ else if or $reencryptConfig.tls.certificate $reencryptConfig.tls.key }} + {{ include "srox.fail" "The reencrypt route must specify either both, certificate and key, or neither." }} + {{ end }} +{{ end }} + {{/* Proxy configuration. Note: The reason this is different is that unlike the endpoints config, the proxy configuration might contain sensitive data and thus might _not_ be stored in the always available canonical diff --git a/image/templates/helm/stackrox-central/values-public.yaml.example.htpl b/image/templates/helm/stackrox-central/values-public.yaml.example.htpl index a79ada2f6c665..bc462ddb9fa6e 100644 --- a/image/templates/helm/stackrox-central/values-public.yaml.example.htpl 
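Review bot: The `{{ else if or $reencryptConfig.tls.certificate $reencryptConfig.tls.key }}` branch also fires when both values are set, so a user who supplies a certificate and its key together is rejected by `srox.fail` with a message telling them to supply both; the intended "one of the two is missing" check is `{{ else if not (and $reencryptConfig.tls.certificate $reencryptConfig.tls.key) }}`. The `kindIs "invalid"` guard on `destinationCACertificate` only catches nil, so an explicit empty string skips the Central CA default and the route template then omits the field entirely, leaving the router without a CA for Central's serving certificate; `{{ if not $reencryptConfig.tls.destinationCACertificate }}` treats an empty value like a missing one. The `srox.warn` text could say what "impaired" means in practice — without a destination CA the router may be unable to validate Central's certificate and requests through the route may fail — so an operator seeing the warning knows what to fix. Finally, `srox.fail` is called with a bare string while `srox.warn` and `srox.note` receive `(list $ msg)`; if all three helpers share the same argument shape this call needs the list form, which is worth confirming against the helper definitions.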
+++ b/image/templates/helm/stackrox-central/values-public.yaml.example.htpl
@@ -226,9 +226,17 @@
 # # letting Kubernetes automatically select a node port (recommended).
 # port: 32000
 #
-# # Exposure via an OpenShift route. Only available for OpenShift clusters
+# # Exposure via an OpenShift passthrough route. Sensor must communicate with Central
+# # via a passthrough route because of mutual TLS encryption.
+# # Only available for OpenShift clusters.
 # route:
 # enabled: true
+# # Exposure via an OpenShift reencrypt route. The route serves a certificate that was
+# # signed by the OpenShift certificate authority. The reencrypt route cannot be used
+# # for communication between Sensor and Central because of mutual TLS encryption.
+# # Only available for OpenShift clusters.
+# reencrypt:
+# enabled: true
 #
 # # Additional volume mounts for the Central container. Only few people will require this.
 # extraMounts: