diff --git a/config/config-network.yaml b/config/config-network.yaml index 025a7f1b8..132418014 100644 --- a/config/config-network.yaml +++ b/config/config-network.yaml @@ -22,7 +22,7 @@ metadata: app.kubernetes.io/component: networking app.kubernetes.io/version: devel annotations: - knative.dev/example-checksum: "8cbfa515" + knative.dev/example-checksum: "b2698fe8" data: _example: | ################################ @@ -133,10 +133,10 @@ data: # for now. Use with caution. cluster-local-domain-tls: "Disabled" - # internal-encryption is deprecated and replaced by knative-internal-tls + # internal-encryption is deprecated and replaced by system-internal-tls internal-encryption: "false" - # knative-internal-tls controls weather TLS encryption is used for connections between + # system-internal-tls controls weather TLS encryption is used for connections between # the internal components of Knative: # - ingress to activator # - ingress to queue-proxy @@ -147,7 +147,7 @@ data: # - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains. # NOTE: This flag is in an alpha state and is mostly here to enable internal testing # for now. Use with caution. - knative-internal-tls: "Disabled" + system-internal-tls: "Disabled" # Controls the behavior of the HTTP endpoint for the Knative ingress. # It requires auto-tls to be enabled. diff --git a/pkg/config/config.go b/pkg/config/config.go index 03f62cd57..e65570e4a 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go 
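Review bot: The added comment line in the `@@ -133` hunk keeps the typo "weather"; it should read `# system-internal-tls controls whether TLS encryption is used for connections between`. In the `@@ -147` hunk the context line above the renamed key describes `Disabled` as turning off "the TLS certificate provisioning feature for cluster cluster local domains", which looks copied from `cluster-local-domain-tls` and does not describe encryption between ingress, activator and queue-proxy. Since this text is what operators read before changing a transport-security setting, consider `# - Disabled: TLS is not used for connections between Knative system components.` and a matching line for the enabled value, which lies outside the hunk.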
@@ -145,12 +145,12 @@ const ( // InternalEncryptionKey is the name of the configuration whether // internal traffic is encrypted or not. - // Deprecated: please use KnativeInternalTLSKey. + // Deprecated: please use SystemInternalTLSKey. InternalEncryptionKey = "internal-encryption" - // KnativeInternalTLSKey is the name of the configuration whether - // knative internal traffic is encrypted or not. - KnativeInternalTLSKey = "knative-internal-tls" + // SystemInternalTLSKey is the name of the configuration whether + // traffic between Knative system components is encrypted or not. + SystemInternalTLSKey = "system-internal-tls" ) // EncryptionConfig indicates the encryption configuration @@ -294,11 +294,11 @@ type Config struct { DefaultExternalScheme string // InternalEncryption specifies whether internal traffic is encrypted or not. - // Deprecated: please use KnativeInternalTLSKey instead. + // Deprecated: please use SystemInternalTLSKey instead. InternalEncryption bool - // KnativeInternalTLS specifies whether knative internal traffic is encrypted or not. - KnativeInternalTLS EncryptionConfig + // SystemInternalTLS specifies whether knative internal traffic is encrypted or not. + SystemInternalTLS EncryptionConfig // ClusterLocalDomainTLS specifies whether cluster-local traffic is encrypted or not. ClusterLocalDomainTLS EncryptionConfig @@ -318,7 +318,7 @@ func defaultConfig() *Config { DefaultExternalScheme: "http", MeshCompatibilityMode: MeshCompatibilityModeAuto, InternalEncryption: false, - KnativeInternalTLS: EncryptionDisabled, + SystemInternalTLS: EncryptionDisabled, ClusterLocalDomainTLS: EncryptionDisabled, } } 
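Review bot: In the `@@ -294` hunk the deprecation note on the `InternalEncryption` field names the ConfigMap key constant rather than the replacement field; it should read `// Deprecated: please use SystemInternalTLS instead.`. The new field comment still says "knative internal traffic", while the constant's comment in the `@@ -145` hunk was reworded to "traffic between Knative system components"; using the same wording in both keeps the scope of the setting unambiguous. As far as the hunks show, each `Deprecated:` line follows the summary directly with no blank `//` line; by Go doc convention the marker should start its own paragraph so that tools surface it.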
@@ -422,23 +422,23 @@ func NewConfigFromMap(data map[string]string) (*Config, error) { return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey]) } - switch strings.ToLower(data[KnativeInternalTLSKey]) { + switch strings.ToLower(data[SystemInternalTLSKey]) { case "", string(EncryptionDisabled): - // If KnativeInternalTLSKey is not set in the config-network, default is already + // If SystemInternalTLSKey is not set in the config-network, default is already // set to EncryptionDisabled. if nc.InternalEncryption { // Backward compatibility - nc.KnativeInternalTLS = EncryptionEnabled + nc.SystemInternalTLS = EncryptionEnabled } case string(EncryptionEnabled): - nc.KnativeInternalTLS = EncryptionEnabled + nc.SystemInternalTLS = EncryptionEnabled // The new key takes precedence, but we support compatibility // for code that has not updated to the new field yet. nc.InternalEncryption = true default: return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported", - KnativeInternalTLSKey, data[KnativeInternalTLSKey]) + SystemInternalTLSKey, data[SystemInternalTLSKey]) } switch strings.ToLower(data[ClusterLocalDomainTLSKey]) { 
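Review bot: A ConfigMap that still sets `knative-internal-tls: "Enabled"` is no longer read by this switch. `data[SystemInternalTLSKey]` is empty, the `""` case applies, and unless `internal-encryption` is also true the config stays at `EncryptionDisabled` with no error or log, so an upgrade can silently turn off TLS between system components. Only the older `internal-encryption` key has a compatibility path; whether the previous key ever shipped in a release is not visible here. If it did, either fall back to it or reject it before the switch, e.g. `if _, ok := data["knative-internal-tls"]; ok { return nil, fmt.Errorf("knative-internal-tls is no longer supported, use %s", SystemInternalTLSKey) }`. Separately, an explicit `"disabled"` combined with a true `InternalEncryption` (presumably parsed earlier, outside the hunk) yields `EncryptionEnabled`, which contradicts the "new key takes precedence" comment and deserves a sentence in that comment plus a test case. `NewConfigFromMap` starts and ends outside the hunk.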
@@ -456,14 +456,14 @@ func NewConfigFromMap(data map[string]string) (*Config, error) { } // InternalTLSEnabled returns whether InternalEncryption is enabled or not. -// Deprecated: please use KnativeInternalTLSEnabled() +// Deprecated: please use SystemInternalTLSEnabled() func (c *Config) InternalTLSEnabled() bool { - return tlsEnabled(c.KnativeInternalTLS) + return tlsEnabled(c.SystemInternalTLS) } -// KnativeInternalTLSEnabled returns whether KnativeInternalTLS is enabled or not. -func (c *Config) KnativeInternalTLSEnabled() bool { - return tlsEnabled(c.KnativeInternalTLS) +// SystemInternalTLSEnabled returns whether SystemInternalTLS is enabled or not. +func (c *Config) SystemInternalTLSEnabled() bool { + return tlsEnabled(c.SystemInternalTLS) } func tlsEnabled(encryptionConfig EncryptionConfig) bool { diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index d14564a80..88f1ce64e 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go 
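Review bot: The doc comment on `InternalTLSEnabled` says it reports whether `InternalEncryption` is enabled, but the body returns `tlsEnabled(c.SystemInternalTLS)` and never reads that field. A `Config` built as a struct literal with only `InternalEncryption: true`, rather than through `NewConfigFromMap`, would therefore report TLS as off. The comment should state what is actually checked, e.g. `// InternalTLSEnabled reports whether SystemInternalTLS is enabled; the deprecated InternalEncryption field is not consulted.`, followed by a blank `//` line and then the `Deprecated:` paragraph. The body of `tlsEnabled` lies outside the hunk, so what it counts as enabled cannot be confirmed from here.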
@@ -330,36 +330,36 @@ func TestConfiguration(t *testing.T) { wantConfig: func() *Config { c := defaultConfig() c.InternalEncryption = true - c.KnativeInternalTLS = EncryptionEnabled + c.SystemInternalTLS = EncryptionEnabled return c }(), }, { - name: "knative-internal-tls with invalid configuration value", + name: "system-internal-tls with invalid configuration value", data: map[string]string{ - KnativeInternalTLSKey: "wrong", + SystemInternalTLSKey: "wrong", }, wantErr: true, }, { - name: "knative-internal-tls with encryption disabled", + name: "system-internal-tls with encryption disabled", data: map[string]string{ - KnativeInternalTLSKey: "disabled", + SystemInternalTLSKey: "disabled", }, wantErr: false, wantConfig: func() *Config { c := defaultConfig() - c.KnativeInternalTLS = EncryptionDisabled + c.SystemInternalTLS = EncryptionDisabled c.InternalEncryption = false return c }(), }, { - name: "knative-internal-tls with encryption enabled", + name: "system-internal-tls with encryption enabled", data: map[string]string{ - KnativeInternalTLSKey: "enabled", + SystemInternalTLSKey: "enabled", }, wantErr: false, wantConfig: func() *Config { c := defaultConfig() - c.KnativeInternalTLS = EncryptionEnabled + c.SystemInternalTLS = EncryptionEnabled c.InternalEncryption = true return c }(), @@ -420,7 +420,7 @@ func TestConfiguration(t *testing.T) { // This is defaulted MeshCompatibilityMode: MeshCompatibilityModeAuto, - KnativeInternalTLS: EncryptionDisabled, + SystemInternalTLS: EncryptionDisabled, ClusterLocalDomainTLS: EncryptionDisabled, }, }, { @@ -463,7 +463,7 @@ func TestConfiguration(t *testing.T) { // This is defaulted MeshCompatibilityMode: MeshCompatibilityModeAuto, - KnativeInternalTLS: EncryptionDisabled, + SystemInternalTLS: EncryptionDisabled, ClusterLocalDomainTLS: EncryptionDisabled, }, }}