pki

Settings related to Custom CA Certificates (settings.pki.*)

By default, Bottlerocket ships with the Mozilla CA certificate store, but you can add self-signed certificates with settings.pki.<bundle name>.
Tip: If your user data is over the size limit for the platform, you can use apiclient with this setting from within a bootstrap container to add certificates.
Setting list for settings.pki
Full Reference
settings.pki.<bundle-name>.data

A Base64-encoded PEM-formatted certificate bundle; this setting can contain more than one certificate.

Note: Defining a certificate bundle with data but without trusted results in an untrusted bundle.

[settings.pki.some-bundle]
data="W3N..."

apiclient set pki.some-bundle.data="W3N..."
settings.pki.<bundle-name>.trusted

Defines whether the bundle <bundle-name> should be trusted.

Default: false

[settings.pki.my-trusted-bundle]
data="W3N..."
trusted=true

[settings.pki.dont-trust-these]
data="W3N..."
trusted=false

apiclient set \
pki.my-trusted-bundle.data="W3N..." \
pki.my-trusted-bundle.trusted=true \
pki.dont-trust-these.data="W3N..." \
pki.dont-trust-these.trusted=false
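The following script is an added example, not part of the Bottlerocket documentation or the Bottlerocket project: it takes a PEM file, checks that it holds only CERTIFICATE blocks (so a private key pasted by mistake is not shipped in user data), Base64-encodes it as the single-line value that settings.pki.<bundle-name>.data expects, and prints both the TOML user-data form and the apiclient form with trusted=true set explicitly, since data without trusted leaves the bundle untrusted. It also round-trips the encoded value to confirm the certificate count survived. The bundle name example-ca, the file name, and the two placeholder certificate bodies are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not Bottlerocket's own code): turn a PEM bundle into a
# settings.pki.<bundle-name>.data value and emit the TOML / apiclient forms.
# Assumes POSIX sh plus grep, base64 and mktemp; the bundle name and file
# name below are placeholders chosen for the demo.

# Count PEM certificate blocks in a file. Any BEGIN line that is not a
# CERTIFICATE block (e.g. a PRIVATE KEY) makes the function fail.
count_certs() {
    file="$1"
    if grep -- '-----BEGIN ' "$file" | grep -qv -- '-----BEGIN CERTIFICATE-----'; then
        echo "error: $file contains non-certificate PEM blocks" >&2
        return 1
    fi
    grep -c -- '-----BEGIN CERTIFICATE-----' "$file"
}

# Base64-encode the whole PEM bundle as one line (no wrapping), which is the
# form the data setting takes.
encode_bundle() {
    base64 < "$1" | tr -d '\n'
}

# TOML user-data snippet; trusted=true is written out explicitly because a
# bundle defined with data alone is untrusted.
toml_snippet() {
    bundle="$1"; file="$2"
    printf '[settings.pki.%s]\ndata="%s"\ntrusted=true\n' \
        "$bundle" "$(encode_bundle "$file")"
}

# Equivalent apiclient invocation, e.g. for use from a bootstrap container
# when user data would exceed the platform size limit.
apiclient_command() {
    bundle="$1"; file="$2"
    printf 'apiclient set \\\n  pki.%s.data="%s" \\\n  pki.%s.trusted=true\n' \
        "$bundle" "$(encode_bundle "$file")" "$bundle"
}

# Round-trip check: decode the setting value and compare the certificate
# count with the original file. Returns non-zero on mismatch or bad input.
verify_bundle() {
    file="$1"
    expected=$(count_certs "$file") || return 1
    got=$(encode_bundle "$file" | base64 -d | grep -c -- '-----BEGIN CERTIFICATE-----')
    [ "$expected" -eq "$got" ]
}

# Demo on a constructed two-certificate bundle. The bodies are placeholder
# Base64 text, not real certificates.
demo_bundle=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0VSVCBPTkU=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0VSVCBUV08=\n-----END CERTIFICATE-----\n' > "$demo_bundle"
echo "certificates in bundle: $(count_certs "$demo_bundle")"
toml_snippet example-ca "$demo_bundle"
apiclient_command example-ca "$demo_bundle"
verify_bundle "$demo_bundle" && echo "round-trip OK"
rm -f "$demo_bundle"
```

Run it against a real bundle by replacing the demo file with the path to your PEM bundle; the TOML output goes into user data, and the apiclient output is what you would run inside a bootstrap container.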