Add trusted certificate authorities

Learn how to add custom trusted certificate authorities to the StackRox Kubernetes Security Platform.

If you are using an enterprise certificate authority (CA) on your network, or self-signed certificates, you must add the CA’s root certificate to the StackRox Kubernetes Security Platform as a trusted root CA.

Adding trusted root CAs allows:

  • Central and Scanner to trust remote servers when you integrate with other tools.
  • Sensor to trust custom certificates you use for StackRox Central.

You can add additional CAs during installation or to an existing StackRox deployment. You must first configure the trusted CAs in the cluster where StackRox Central is deployed, and then propagate the changes to Scanner and Sensor.

1. Configure additional CAs

To add custom CAs:

  1. Use the ca-setup.sh script.

    • If you are doing a new installation, you can find the ca-setup.sh script in the scripts directory at central-bundle/central/scripts/ca-setup.sh.
    • You must run the ca-setup.sh script in the same terminal from which you logged into your Kubernetes or OpenShift cluster.
  2. Make the ca-setup.sh script executable.

    chmod +x ca-setup.sh
  3. To add a single certificate, use the -f (file) option:

    ./ca-setup.sh -f <certificate>

    You must use a PEM-encoded certificate file (with any extension).

  4. To add multiple certificates at once, move all the certificates into a directory, and then use the -d (directory) option:

    ./ca-setup.sh -d <directory-name>

    You must use PEM-encoded certificate files with the .crt extension, and each file must contain only a single certificate.

  5. You can also add the -u (update) option to either the file or the directory option to update previously added certificates.
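A preflight check for the directory form of the command, added here as an example that is not part of the ca-setup.sh script or the StackRox documentation: it enforces the file rules stated above (.crt extension, PEM encoding, exactly one certificate per file) before you run ./ca-setup.sh -d, and goes slightly beyond them by rejecting any file that also carries a non-certificate PEM block, such as a private key, and by tolerating CRLF line endings. The fixture files it writes contain constructed placeholder bodies, not real certificates.

```shell
# check_ca_file FILE: prints a reason and returns 1 if FILE should not be
# handed to ./ca-setup.sh -d; returns 0 if it looks acceptable.
check_ca_file() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    case "$f" in
        *.crt) ;;
        *) echo "$f: extension must be .crt"; return 1 ;;
    esac
    # Strip CR so files edited on Windows still match; `|| true` keeps a
    # zero count from aborting a caller that runs under set -e.
    begins=$(tr -d '\r' < "$f" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    ends=$(tr -d '\r' < "$f" | grep -c '^-----END CERTIFICATE-----$' || true)
    # Any other PEM block type (PRIVATE KEY, CERTIFICATE REQUEST, ...) must not
    # end up in a trusted-CA bundle.
    others=$(tr -d '\r' < "$f" | grep '^-----BEGIN ' \
             | grep -vc 'BEGIN CERTIFICATE-----$' || true)
    if [ "$others" -ne 0 ]; then
        echo "$f: contains a non-certificate PEM block (key or CSR?)"; return 1
    fi
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "$f: expected exactly one certificate, found $begins"; return 1
    fi
    return 0
}

# check_ca_dir DIR: checks every entry; returns 1 if any file is rejected.
check_ca_dir() {
    bad=0
    for f in "$1"/*; do
        check_ca_file "$f" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# make_sample_dir DIR: constructed fixtures (placeholder bodies, not real
# certificates) so the checks can be exercised offline.
make_sample_dir() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
        '-----END CERTIFICATE-----' > "$1/good.crt"
    cat "$1/good.crt" "$1/good.crt" > "$1/bundle.crt"          # two certs
    cp "$1/good.crt" "$1/withkey.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...placeholder...' \
        '-----END PRIVATE KEY-----' >> "$1/withkey.crt"         # cert + key
    cp "$1/good.crt" "$1/wrongext.pem"                          # bad extension
}

d=$(mktemp -d) && make_sample_dir "$d"
check_ca_dir "$d" && echo "all files acceptable" || echo "fix the files above first"
```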

2. Propagate changes

After you configure trusted CAs, you must make StackRox services trust them.

Central and Scanner

If you’ve configured trusted CAs before deploying Central and Scanner, skip the following steps and continue with the instructions in the Sensor section.

If you’ve configured trusted CAs after installation, you must complete the following instructions:

  1. Restart Central to apply changes.

    Kubernetes:
    kubectl -n stackrox exec deploy/central -c central -- kill 1
    OpenShift:
    oc -n stackrox exec deploy/central -c central -- kill 1
  2. If you are adding certificates for integrating with image registries, you must also restart Scanner.

    Kubernetes:
    kubectl delete po -n stackrox -l app=scanner
    OpenShift:
    oc delete po -n stackrox -l app=scanner

Sensor

Once you’ve added trusted CAs and configured Central, the CAs are included in any new Sensor deployment bundles that you create.

If an existing Sensor reports problems connecting to Central, you must generate a new sensor deployment YAML file and update the existing clusters.

  • If you’re deploying with kubectl or oc, run ./ca-setup-sensor.sh -d ./additional-cas/ before you run the sensor.sh script.
  • If you’re deploying with Helm, follow the Helm chart documentation. You don’t have to run any additional scripts.

© 2021 StackRox Inc. All rights reserved.