Custom Certificate Authority

Anchore Enterprise needs to communicate with external HTTPS endpoints such as container registries, Anchore’s data feed service, or LDAP servers. If your environment uses a transparent SSL/TLS inspection proxy (a “man-in-the-middle” proxy) or service endpoints that use self-signed certificates, you must provide the appropriate custom Certificate Authority (CA) certificate to avoid SSL/TLS verification errors.

This guide explains how to identify whether a custom CA is needed and how to configure your Docker Compose or Kubernetes deployment to use it.

🩺 Diagnosis and Preparation

Before you begin to configure Anchore Enterprise, confirm whether a custom CA is necessary. If a CA certificate is required, the steps below show how to obtain it for use later in this guide.

Do I Need a Custom CA?

You can test for SSL verification issues by running a curl command from a host or container within your environment. If the command fails with a certificate verification error, you likely need to add a custom CA. A good test is to try connecting to Anchore’s public data service feed:

# -v enables verbose output to show SSL handshake details
curl -v https://data.anchore-enterprise.com
# An error such as the following indicates that the CA is missing from the trust store:
# curl: (60) SSL certificate problem: self signed certificate in certificate chain

How Do I Get the CA Certificate?

If you’ve confirmed a custom CA is needed, you can fetch it from the target server using openssl. Save the certificate with the .pem extension and then mount it into the relevant Anchore Enterprise container(s). Note that -showcerts prints every certificate the server sends (the leaf and any intermediates), so the CA you need is the last certificate in the chain; some servers do not send their root certificate at all, in which case obtain it from the proxy vendor or your PKI administrator.

# Replace data.anchore-enterprise.com with your server's hostname
# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
openssl s_client -showcerts -servername data.anchore-enterprise.com -connect data.anchore-enterprise.com:443 </dev/null > custom-ca.pem

You can then verify that the fetched certificate works by using it with curl:

# Replace data.anchore-enterprise.com with your server's hostname
curl -v --cacert custom-ca.pem https://data.anchore-enterprise.com
# A success message might look like -> *  SSL certificate verify ok.
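The fetch-and-verify steps above can be automated. The following shell script is an added example and is not part of the Anchore documentation: it wraps openssl s_client, strips the handshake chatter that the raw redirect captures, picks the last certificate of the served chain as the CA, and re-checks the endpoint with curl. All function names are assumptions; it requires openssl, curl and awk.

```sh
#!/bin/sh
# Added example (not Anchore's code): turn an `openssl s_client -showcerts`
# dump into a clean CA file. s_client prints protocol chatter around the
# certificates and the whole chain the server sent; the issuing CA is the
# last certificate block in that chain.

# Fetch the chain served by HOST [PORT]. </dev/null closes stdin so s_client
# exits after the handshake. Live helper: needs network access.
fetch_chain() {
    host="$1"; port="${2:-443}"
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null
}

# Print only the PEM certificate blocks found in file $1, dropping everything
# outside the BEGIN/END markers.
extract_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {p=0}' "$1"
}

# Count the PEM certificate blocks in file $1 (prints 0 instead of failing).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the last certificate block in file $1, i.e. the highest CA the server
# sent. If the server omitted its root, get that from the proxy or PKI team.
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {buf=""; p=1}
         p {buf = buf $0 "\n"}
         /-----END CERTIFICATE-----/ {p=0}
         END {printf "%s", buf}' "$1"
}

# Re-check HOST ($1) against the CA file ($2); returns curl's exit status
# (0 = verified, 60 = certificate problem). Live helper: needs network access.
check_with_ca() {
    curl -sS -o /dev/null --cacert "$2" "https://$1"
}

# Usage: sh fetch-ca.sh HOST [PORT]   (live run; no arguments = define functions only)
if [ "$#" -ge 1 ]; then
    fetch_chain "$1" "$2" > chain.txt
    extract_certs chain.txt > chain-certs.pem
    last_cert chain.txt > custom-ca.pem
    echo "$(count_certs chain.txt) certificate(s) in chain; last one saved to custom-ca.pem"
    check_with_ca "$1" custom-ca.pem && echo "verify ok" || echo "verify failed (curl exit $?)"
fi
```

chain-certs.pem keeps the full served chain, which is what you want to mount when an intermediate CA sits between the endpoint and the root; custom-ca.pem holds only the topmost certificate the server sent.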

🐳 Docker Compose

The entrypoint scripts in the Anchore Enterprise containers are designed to automatically detect and trust any certificates mounted into the /home/anchore/certs directory.

Update your Core Services:

For each Anchore service (api, catalog, policy-engine, and so on), mount your custom-ca.pem file as a volume.

# Add this volume to each core Anchore service in your docker-compose.yaml
services:
  api:
    image: docker.io/anchore/enterprise:v5.X.X
    volumes:
      - ./custom-ca.pem:/home/anchore/certs/custom-ca.pem:ro
  # ... repeat for other services

Update your UI Service:

The UI service is a Node.js application and requires an additional environment variable, NODE_EXTRA_CA_CERTS, to load the certificate. The UI uses this certificate for its own outbound connections, for example to an LDAP server.

# Add both the volume and the environment variable to the UI service
services:
  ui:
    image: docker.io/anchore/enterprise-ui:v5.X.X
    volumes:
      - ./custom-ca.pem:/home/anchore/certs/custom-ca.pem:ro
    environment:
      - NODE_EXTRA_CA_CERTS=/home/anchore/certs/custom-ca.pem

☸️ Kubernetes (Helm)

For Helm deployments, you first store your certificate(s) in a Kubernetes secret and then reference that secret in your values.yaml.

Create a Kubernetes Secret

Create a generic secret in the same namespace as your Anchore Enterprise deployment. You can include multiple CA certificates in a single secret if needed.

# Replace 'anchore' with your namespace if different
# Add multiple --from-file flags for multiple certificates
kubectl create secret generic custom-ca-certs \
  --from-file=my-registry-ca.pem=./custom-ca.pem \
  --from-file=my-ldap-ca.pem=./ldap-ca.pem \
  --from-file=my-db-ca.pem=./my-db-ca.pem \
  -n anchore

Update your Helm values

Now update your Helm values to use the secret containing the CA certificates. The certStoreSecretName key mounts the secret’s contents into the trusted certificate path; you can then reference each specific CA certificate file by the key name you gave it when creating the secret. Once you have modified your values to use the secret and the relevant CA certificate files, run helm upgrade. Below is an example values.yaml configuration:

# Name of secret containing the certificates & keys used for SSL, SAML & CAs
certStoreSecretName: "custom-ca-certs"

# Example: Reference a specific CA for the UI's LDAPS connection
ui:
  # Setting this creates the required NODE_EXTRA_CA_CERTS
  ldapsRootCaCertName: "my-ldap-ca.pem"

# Example: Reference a specific CA for the database connection
anchoreConfig:
  database:
    ssl: true
    sslRootCertFileName: "my-db-ca.pem"
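A common failure with this setup is a mismatch between the key names given to --from-file when creating the secret and the file names referenced in values.yaml, which only surfaces when a pod starts. The following shell script is an added example, not part of Anchore's documentation or Helm chart: it extracts the CA file names referenced by the values file, compares them with the keys present in the secret, and decodes each key to confirm it holds a parseable PEM certificate. Function names are assumptions, as is the choice to inspect only the two values keys shown above; it requires kubectl, base64 and openssl for the live checks.

```sh
#!/bin/sh
# Added example (not Anchore's code): cross-check the CA file names referenced
# in values.yaml against the keys stored in the certStoreSecretName secret.

# Print the CA file names referenced by values file $1, one per line.
# Assumption: only ldapsRootCaCertName and sslRootCertFileName are inspected.
values_cert_refs() {
    sed -n -E 's/^[[:space:]]*(ldapsRootCaCertName|sslRootCertFileName):[[:space:]]*"?([^"[:space:]]+)"?.*/\2/p' "$1"
}

# Print every name listed in refs file $1 that is absent from keys file $2
# (both one name per line). Empty output means every reference resolves.
missing_refs() {
    while IFS= read -r ref; do
        [ -n "$ref" ] || continue
        grep -Fxq -- "$ref" "$2" || echo "$ref"
    done < "$1"
}

# Return 0 if file $1 looks like a PEM certificate bundle (at least one
# BEGIN CERTIFICATE marker and matching END markers), 1 otherwise.
is_pem_cert_file() {
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# List the keys of secret $1 in namespace $2. Live helper: needs kubectl access.
secret_keys() {
    kubectl get secret "$1" -n "$2" -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
}

# Decode key $3 of secret $1 in namespace $2 and print the certificate's
# subject and issuer; fails if the content is not a PEM certificate. Live helper.
secret_cert_info() {
    kubectl get secret "$1" -n "$2" -o go-template="{{index .data \"$3\"}}" \
        | base64 -d | openssl x509 -noout -subject -issuer
}

# Usage: sh check-ca-secret.sh values.yaml SECRET NAMESPACE   (live run)
if [ "$#" -eq 3 ]; then
    refs=$(mktemp); keys=$(mktemp)
    values_cert_refs "$1" > "$refs"
    secret_keys "$2" "$3" > "$keys"
    if [ -n "$(missing_refs "$refs" "$keys")" ]; then
        echo "referenced in $1 but absent from secret $2:"
        missing_refs "$refs" "$keys"
        rm -f "$refs" "$keys"
        exit 1
    fi
    while IFS= read -r k; do
        echo "$k: $(secret_cert_info "$2" "$3" "$k")"
    done < "$keys"
    rm -f "$refs" "$keys"
fi
```

Run it before helm upgrade; a non-zero exit with a list of names means the values file points at a key the secret does not contain, and an openssl parse error on a key means the file was not a PEM certificate when the secret was created.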

Last modified August 21, 2025