Add trusted certificate authorities

Learn how to add custom trusted certificate authorities to the StackRox Kubernetes Security Platform.

If you are using an enterprise certificate authority (CA) on your network, or self-signed certificates, you must add the CA’s root certificate to the StackRox Kubernetes Security Platform as a trusted root CA.

Adding trusted root CAs allows:

  • Central and Scanner to trust remote servers when you integrate with other tools.
  • Sensor to trust custom certificates you use for StackRox Central.

You can add additional CAs during the installation or on an existing StackRox deployment. You must first configure your trusted CAs in the cluster where you’ve deployed StackRox Central and then propagate the changes to Scanner and Sensor.

1. Configure additional CAs

To add custom CAs:

  1. Use the script.

    • If you are doing a new installation, you can find the script in the scripts directory at central-bundle/central/scripts/
    • You must run the script in the same terminal from which you logged into your Kubernetes or OpenShift cluster.
  2. Make the script executable.

    chmod +x
  3. To add a single certificate, use the -f (file) option:

    ./ -f <certificate>

    You must use a PEM-encoded certificate file (with any extension).

  4. To add multiple certificates at once, move all certificates in a directory, and then use the -d (directory) option:

    ./ -d <directory-name>

    You must use PEM-encoded certificate files with the .crt extension, and each file must contain only a single certificate.

  5. You can also use the -u (update) option along with the file or directory options to update any previously added certificates.
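Before pointing the script's -d option at a directory, it is worth checking that every file meets the constraints above, since a bundle file or a DER file renamed to .crt is silently wrong. The following POSIX shell check is an added example, not part of the StackRox bundle; it assumes openssl is installed for the parse and CA:TRUE checks and falls back to counting PEM markers when it is not.

```shell
#!/bin/sh
# Pre-flight check for a directory that will be passed to the StackRox
# CA-setup script with the -d option. Added example, not part of the bundle.
# Constraints from the docs: files must end in .crt, be PEM encoded and
# contain exactly one certificate each. Returns 0 only if every file passes.

check_ca_dir() {
  dir="$1"
  status=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.crt) ;;
      *) echo "FAIL  $f: not a .crt file, the -d option ignores it"; status=1; continue ;;
    esac
    # Count PEM certificate headers: a bundle holding several certs is rejected.
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f")
    if [ "$n" -ne 1 ]; then
      echo "FAIL  $f: expected exactly one PEM certificate, found $n"
      status=1; continue
    fi
    if command -v openssl >/dev/null 2>&1; then
      # Must parse as an X.509 certificate (catches DER files renamed to .crt).
      if ! openssl x509 -in "$f" -noout 2>/dev/null; then
        echo "FAIL  $f: not a parseable PEM certificate"; status=1; continue
      fi
      # A trust anchor should carry basicConstraints CA:TRUE; warn if it does not.
      if ! openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "WARN  $f: basicConstraints CA:TRUE not set, this is not a CA certificate"
      fi
    fi
    echo "OK    $f"
  done
  return "$status"
}

# Usage: check_ca_dir ./additional-cas   (run it before the script's -d option)
```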

2. Propagate changes

After you configure trusted CAs, you must make StackRox services trust them.

Central and Scanner

If you’ve configured trusted CAs before deploying Central and Scanner, skip the following steps and continue with the instructions in the Sensor section.

If you’ve configured trusted CAs after installation, you must complete the following instructions:

  1. Restart Central to apply the changes. The kill 1 command ends the container's main process, so Kubernetes restarts the container and Central picks up the new CAs on startup.

    kubectl -n stackrox exec deploy/central -c central -- kill 1
    oc -n stackrox exec deploy/central -c central -- kill 1
  2. If you are adding certificates for integrating with image registries, you must also restart Scanner.

    kubectl delete po -n stackrox -l app=scanner
    oc delete po -n stackrox -l app=scanner

Sensor

Once you’ve added trusted CAs and configured Central, the CAs are included in any new sensor deployment bundles that you create.

If Sensor is reporting problems while connecting to Central, you need to generate a sensor deployment YAML file and update existing clusters.

  • If you’re deploying with kubectl or oc, run ./ -d ./additional-cas/ before you run the script.
  • If you’re deploying with Helm, follow the Helm chart documentation. You don’t have to run any additional scripts.


© 2021 StackRox Inc. All rights reserved.