Add Custom CA Certificates

This guide explains how to add custom Certificate Authority (CA) certificates to your Dioptra deployment. This is necessary when operating in environments with internal certificate authorities or when connecting to services that use certificates signed by non-public CAs.

Prerequisites

  • Prepare Your Deployment - A configured Dioptra deployment (before running init-deployment.sh)

  • CA certificate file(s) in PEM format

Adding Certificates

Step 1: Prepare Certificate Files

Ensure your CA certificate files meet the following requirements:

  • PEM format: Each certificate must be encoded using base64 and stored in a plain text file between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  • One certificate per file: Each file should contain only one CA certificate. Do not bundle multiple CA certificates together.

  • File extension: Each file must have the .crt extension (e.g., ca-root.crt). If your certificate has a different extension (such as .pem), rename it to .crt.

Step 2: Copy Certificates to the Deployment

Copy your CA certificate files into the ssl/ca-certificates/ folder in your deployment directory:

cp /path/to/your/ca-certificate.crt ./ssl/ca-certificates/

You can add multiple CA certificates by copying additional files:

cp /path/to/another-ca.crt ./ssl/ca-certificates/
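
The Step 1 requirements can be checked against the files copied in Step 2 before the initialization script runs. The script below is an added example, not part of the Dioptra project: check_ca_structure and check_ca_dir are hypothetical names, the non-certificate-block check goes beyond the three requirements listed in Step 1, and the openssl step runs only if openssl is installed.

```shell
#!/bin/sh
# Added example, not part of Dioptra. Function names are hypothetical.

# Structural check of one file against the Step 1 requirements.
# Prints the reason and returns 1 on the first violation, else returns 0.
check_ca_structure() {
    f=$1
    case "$f" in
        *.crt) ;;
        *) echo "FAIL $f: rename to .crt"; return 1 ;;
    esac
    [ -f "$f" ] || { echo "FAIL $f: not a regular file"; return 1; }
    # grep -c exits 1 on a zero count, so mask the status and keep the number.
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$f" || true)
    blocks=$(grep -c -e '^-----BEGIN ' "$f" || true)
    if [ "$certs" -eq 0 ] || [ "$ends" -ne "$certs" ]; then
        echo "FAIL $f: no complete PEM certificate block"; return 1
    fi
    if [ "$certs" -gt 1 ]; then
        echo "FAIL $f: $certs certificates bundled, split into one per file"; return 1
    fi
    if [ "$blocks" -ne 1 ]; then
        # Extra check beyond Step 1: e.g. a private key pasted next to the cert.
        echo "FAIL $f: contains a non-certificate PEM block (a key?)"; return 1
    fi
    return 0
}

# Check every candidate file in DIR; returns 1 if any file fails.
check_ca_dir() {
    dir=$1; rc=0
    for f in "$dir"/*.crt "$dir"/*.pem "$dir"/*.cer; do
        [ -e "$f" ] || continue            # unmatched glob stays literal
        check_ca_structure "$f" || { rc=1; continue; }
        if command -v openssl >/dev/null 2>&1; then
            # Confirm the body really decodes, and show what is about to be trusted.
            openssl x509 -in "$f" -noout -subject -enddate -fingerprint -sha256 \
                || { echo "FAIL $f: openssl cannot parse it"; rc=1; }
        fi
    done
    return "$rc"
}

# Usage: sh check-ca.sh ./ssl/ca-certificates
if [ "$#" -gt 0 ]; then check_ca_dir "$1"; fi
```

Compare the printed subject and SHA-256 fingerprint with the values published by the CA's owner before continuing, since every container will trust whatever is in this folder.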

Step 3: Run the Initialization Script

The deployment initialization scripts automatically look for extra CA certificates in the ssl/ca-certificates/ folder, then copy and bundle them into named volumes so that they are available at runtime.

Run the initialization script:

./init-deployment.sh --branch <branch-name>

Note

Replace <branch-name> with the Dioptra branch that matches your container images (e.g., main for releases, dev for development builds).

The script will process all .crt files in the ssl/ca-certificates/ folder and make them available to all containers.

Learn More

See the README.md file in the ssl/ca-certificates/ folder for additional details.
