diff --git a/pkg/apis/networking/register.go b/pkg/apis/networking/register.go index 4a7a82bc4..342560f74 100644 --- a/pkg/apis/networking/register.go +++ b/pkg/apis/networking/register.go @@ -121,7 +121,7 @@ const ( VisibilityLabelKey = PublicGroupName + "/visibility" // CertificateTypeLabelKey is the label to indicate the type of Knative certificate - // used for Knative Serving encryption functionality. + // used for Knative Serving encryption functionality. Corresponding values are defined in config.CertificateType. CertificateTypeLabelKey = PublicGroupName + "/certificate-type" ) diff --git a/pkg/apis/networking/v1alpha1/ingress_helpers.go b/pkg/apis/networking/v1alpha1/ingress_helpers.go index e8ea7c17b..f3e015b05 100644 --- a/pkg/apis/networking/v1alpha1/ingress_helpers.go +++ b/pkg/apis/networking/v1alpha1/ingress_helpers.go @@ -17,12 +17,11 @@ limitations under the License. package v1alpha1 import ( - "github.com/google/go-cmp/cmp" - "github.com/google/go-cmp/cmp/cmpopts" + "slices" ) -// GetIngressTLSForVisibility returns a list of `Spec.TLS` where the `Hosts` field matches -// to `Spec.Rules.Hosts` and where the Rules have the defined ingress visibility. +// GetIngressTLSForVisibility returns a list of `Spec.TLS` where each host in the `Rules.Hosts` field is +// present in `Spec.TLS.Hosts` and where the Rules have the defined ingress visibility. // This method can be used in net-* implementations to select the correct `IngressTLS` entries // for cluster-local and cluster-external gateways/listeners. func (i *Ingress) GetIngressTLSForVisibility(visibility IngressVisibility) []IngressTLS { 
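Review bot: The rewritten doc comment on `GetIngressTLSForVisibility` does not tell net-* implementers that a returned `IngressTLS` may now list hosts beyond those of the matching rule, possibly including hosts of rules with the other visibility. If an implementation configures every entry of `tls.Hosts` on the listener it builds from this result, a certificate meant for external hosts could presumably be served on the cluster-local listener, or the reverse. I would add one sentence such as `// A returned entry may list additional hosts; callers should not assume every host in it has the requested visibility.` The comment also writes `Rules.Hosts` where the field path is `Spec.Rules[].Hosts`. The function body lies outside this hunk.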
@@ -32,12 +31,21 @@ func (i *Ingress) GetIngressTLSForVisibility(visibility IngressVisibility) []Ing return ingressTLS } - for _, r := range i.Spec.Rules { - if r.Visibility == visibility { - for _, t := range i.Spec.TLS { - // Check if hosts slices are equal ignoring the order - if cmp.Diff(r.Hosts, t.Hosts, cmpopts.SortSlices(func(a, b string) bool { return a < b })) == "" { - ingressTLS = append(ingressTLS, t) + for _, rule := range i.Spec.Rules { + if rule.Visibility == visibility { + if rule.Hosts == nil || len(rule.Hosts) == 0 { + return ingressTLS + } + + for _, tls := range i.Spec.TLS { + containsAllRuleHosts := true + for _, h := range rule.Hosts { + if !slices.Contains(tls.Hosts, h) { + containsAllRuleHosts = false + } + } + if containsAllRuleHosts { + ingressTLS = append(ingressTLS, tls) } } } diff --git a/pkg/apis/networking/v1alpha1/ingress_helpers_test.go b/pkg/apis/networking/v1alpha1/ingress_helpers_test.go index abd138f16..4b9004a3a 100644 --- a/pkg/apis/networking/v1alpha1/ingress_helpers_test.go +++ b/pkg/apis/networking/v1alpha1/ingress_helpers_test.go @@ -135,6 +135,29 @@ func TestGetIngressTLSForVisibility(t *testing.T) { }, }, want: make([]IngressTLS, 0), + }, { + name: "matching entries with additional hosts in TLS block", + visibility: IngressVisibilityClusterLocal, + ingress: &Ingress{ + Spec: IngressSpec{ + Rules: []IngressRule{ + { + Hosts: []string{"expected"}, + Visibility: IngressVisibilityClusterLocal, + }, + { + Hosts: []string{"other", "entries"}, + Visibility: IngressVisibilityExternalIP, + }, + }, + TLS: []IngressTLS{ + {Hosts: []string{"expected", "additional"}}, + }, + }, + }, + want: []IngressTLS{ + {Hosts: []string{"expected", "additional"}}, + }, }} for _, test := range tests {
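Review bot: The `return ingressTLS` in the empty-hosts guard ends the whole function at the first matching-visibility rule without hosts, so TLS entries for any later rule of the same visibility are silently dropped. The gateway built from the result may then lack its certificate. `continue` would skip only that rule, and `len(rule.Hosts) == 0` already covers the nil case, so the guard can be `if len(rule.Hosts) == 0 { continue }`. With the subset match, one TLS entry that covers two rules of the same visibility is now appended twice, so the result may need de-duplication before it is returned. The inner host loop can also `break` once `containsAllRuleHosts` is false. The function's signature and tail are outside this hunk.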
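Review bot: The added table entry covers only the positive superset match; nothing here exercises the new empty-`Hosts` guard or a TLS entry shared between rules. Three cases are worth adding. The first is a rule with the requested visibility and no hosts, followed by a second rule with hosts. The second is two same-visibility rules covered by one TLS entry, which pins whether duplicates are returned. The third is a TLS entry whose hosts span a cluster-local and an external rule, which pins that the same entry is handed to both visibilities. The test table and loop continue outside the hunk.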