diff --git a/pkg/route/hostassignment/assignment.go b/pkg/route/hostassignment/assignment.go
index 40335d5a3f..c210fa86c1 100644
--- a/pkg/route/hostassignment/assignment.go
+++ b/pkg/route/hostassignment/assignment.go
@@ -109,7 +109,7 @@ func hasCertificateInfo(tls *routev1.TLSConfig, opts route.RouteValidationOption
 // certificateChangeRequiresAuth determines whether changes to the TLS certificate configuration require authentication.
 // Note: If either route uses externalCertificate, this function always returns true, as we cannot definitively verify if
 // the content of the referenced secret has been modified. Even if the secret name remains the same,
-// we must assume that the secret content is changed, necessitating authentication.
+// we must assume that the secret content is changed, necessitating authorization.
 func certificateChangeRequiresAuth(route, older *routev1.Route, opts route.RouteValidationOptions) bool {
 switch {
 case route.Spec.TLS != nil && older.Spec.TLS != nil:
diff --git a/pkg/route/hostassignment/assignment_test.go b/pkg/route/hostassignment/assignment_test.go
index b0b8c32bec..727012a83f 100644
--- a/pkg/route/hostassignment/assignment_test.go
+++ b/pkg/route/hostassignment/assignment_test.go
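Review bot: The first line of the doc comment on certificateChangeRequiresAuth in assignment.go still reads "require authentication", while the last line of the same comment now says "authorization", so the comment disagrees with itself after this change. The two words name different checks (who the caller is versus what the caller may do), so the opening sentence should use the same term: `// certificateChangeRequiresAuth determines whether changes to the TLS certificate configuration require authorization.` The function body continues outside the hunk, so which check the caller actually performs on a true result is not visible here and should be confirmed against it.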
@@ -219,6 +219,28 @@ func TestHostWithWildcardPolicies(t *testing.T) {
 allow: false,
 errs: 1,
 },
+ {
+ name: "create-with-external-certificate-denied",
+ host: "host",
+ expected: "host",
+ tls: &routev1.TLSConfig{Termination: routev1.TLSTerminationEdge, ExternalCertificate: &routev1.LocalObjectReference{Name: "b"}},
+ wildcardPolicy: routev1.WildcardPolicyNone,
+ allow: false,
+ errs: 1,
+
+ opts: route.RouteValidationOptions{AllowExternalCertificates: true},
+ },
+ {
+ name: "create-with-external-certificate-allowed",
+ host: "host",
+ expected: "host",
+ tls: &routev1.TLSConfig{Termination: routev1.TLSTerminationEdge, ExternalCertificate: &routev1.LocalObjectReference{Name: "b"}},
+ wildcardPolicy: routev1.WildcardPolicyNone,
+ allow: true,
+ errs: 0,
+
+ opts: route.RouteValidationOptions{AllowExternalCertificates: true},
+ },
 {
 name: "no-certificate-changed-to-external-certificate-denied",
 host: "host",
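Review bot: Both new create cases in TestHostWithWildcardPolicies set `AllowExternalCertificates: true`, so nothing in this hunk pins what happens on create when a route carries `ExternalCertificate` and the option is off. Because hasCertificateInfo takes the options as a parameter, the option presumably decides whether the secret reference counts as certificate info at all. A third case with the same `tls` value, `allow: false` and `opts: route.RouteValidationOptions{}` would record the intended `errs` for that path and stop a later change from silently altering when the permission check applies. The table continues outside the hunk, so such a case may already exist further down.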