You are viewing documentation for version 1.21.x.
The most current version is 1.26.x. This documentation is available for 1.26.x.
pki
Settings related to Custom CA Certificates (
settings.pki.*
)By default, Bottlerocket ships with the Mozilla CA certificate store, but you can add self-signed certificates with settings.pki.<bundle name>
.
Tip
If your user data is over the size limit for the platform, you can use apiclient
with this setting from within a bootstrap container to add certificates.
Setting list for settings.pki
Full Reference
settings.pki.<bundle-name>.data
A Base64-encoded PEM-formatted certificate bundle; this setting can contain more than one certificate.
Note
Defining a certificate bundle with data
but without trusted
results in an untrusted bundle.
[settings.pki.some-bundle]
data="W3N..."
apiclient set pki.some-bundle.data="W3N..."
settings.pki.<bundle-name>.trusted
Defines if the bundle in <bundle-name>
should be trusted.
Default: false
[settings.pki.my-trusted-bundle]
data="W3N..."
trusted=true
[settings.pki.dont-trust-these]
data="W3N..."
trusted=false
apiclient set \
pki.my-trusted-bundle.data="W3N..." \
pki.my-trusted-bundle.trusted=true \
pki.dont-trust-these.data="N3W..." \
pki.dont-trust-there.trusted=false