diff --git a/config/config-network.yaml b/config/config-network.yaml
index 2aa366a4b..0bdc75e0e 100644
--- a/config/config-network.yaml
+++ b/config/config-network.yaml
@@ -23,7 +23,7 @@ metadata:
 app.kubernetes.io/version: devel
 serving.knative.dev/release: devel
 annotations:
- knative.dev/example-checksum: "ddc3250f"
+ knative.dev/example-checksum: "7c86cb6a"
 data:
 _example: |
 ################################
@@ -183,7 +183,7 @@ data:
 activator-ca: ""
 # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
- # It is available only when "activator-ca" is specified.
+ # It must be set when "activator-ca" is specified.
 # Use an empty value to disable the feature (default).
 #
 # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
diff --git a/pkg/network.go b/pkg/network.go
index 522b437fd..26a2633ca 100644
--- a/pkg/network.go
+++ b/pkg/network.go
@@ -447,6 +447,15 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 default:
 return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey])
 }
+
+ if nc.ActivatorCA != "" && nc.ActivatorSAN == "" {
+ return nil, fmt.Errorf("%q must be set when %q was set", ActivatorSANKey, ActivatorCAKey)
+ }
+
+ if nc.ActivatorCA == "" && nc.ActivatorSAN != "" {
+ return nil, fmt.Errorf("%q must be set when %q was set", ActivatorCAKey, ActivatorSANKey)
+ }
+
 return nc, nil
 }
diff --git a/pkg/network_test.go b/pkg/network_test.go
index c34df9069..d63c58ad5 100644
--- a/pkg/network_test.go
+++ b/pkg/network_test.go
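Review bot: The two pairing checks added at the end of NewConfigFromMap in pkg/network.go have no comment saying why a half-configured pair is rejected. I would put one line above the first `if`: `// activator-ca is the trust anchor and activator-san the name checked on the activator certificate; either one alone cannot validate the connection, so reject a partial pair.` Both checks compare against the empty string only, so as far as this hunk shows a whitespace-only value or a CA that is not a parseable certificate still passes here. If that is validated where the CA is consumed, the comment should say so. The function body starts outside the hunk, so how `nc.ActivatorCA` and `nc.ActivatorSAN` are populated is not visible.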
@@ -285,6 +285,31 @@ func TestConfiguration(t *testing.T) {
 c.DefaultExternalScheme = "https"
 return c
 }(),
+ }, {
+ name: "network configuration with activator-ca and activator-san",
+ data: map[string]string{
+ ActivatorCAKey: "test-ca",
+ ActivatorSANKey: "test-san",
+ },
+ wantErr: false,
+ wantConfig: func() *Config {
+ c := defaultConfig()
+ c.ActivatorCA = "test-ca"
+ c.ActivatorSAN = "test-san"
+ return c
+ }(),
+ }, {
+ name: "network configuration with activator-ca and missing activator-san",
+ data: map[string]string{
+ ActivatorCAKey: "test-ca",
+ },
+ wantErr: true,
+ }, {
+ name: "network configuration with activator-san and missing activator-ca",
+ data: map[string]string{
+ ActivatorCAKey: "test-san",
+ },
+ wantErr: true,
 }, {
 name: "legacy keys",
 data: map[string]string{
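Review bot: The third added case, "network configuration with activator-san and missing activator-ca", sets `ActivatorCAKey: "test-san"`, so it supplies a CA without a SAN, which is the same input shape as the case before it. The branch that rejects a SAN without a CA is therefore never exercised, and the test would still pass if that check were removed or inverted. The data line should read `ActivatorSANKey: "test-san",`. The TestConfiguration table starts and continues outside this hunk, so whether the runner also asserts on the error text cannot be seen here.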