Version v1.10 of the documentation is for the Talos version being developed. For the latest stable version of Talos, see the latest version.

Custom Certificate Authorities

How to supply custom certificate authorities

Appending the Certificate Authority

Append additional certificate authorities to the system’s trusted certificate store by patching the machine configuration with the following document:

apiVersion: v1alpha1
kind: TrustedRootsConfig
name: custom-ca
certificates: |-
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Multiple documents can be appended, and multiple CA certificates might be present in each configuration document.

This configuration can be also applied in maintenance mode.

Please note that if the STATE partition is encrypted, the CA certificates will be only be loaded after the partition is unlocked. So the encryption method should allow unlocking the partition without the need for a CA certificate.

Last modified March 18, 2025: docs: clarify custom CA certificate with KMS STATE encryption (857779b90)