Installing a custom CA certificate
This article explains how to install a custom certificate authority (CA) certificate on a Gateway instance so that Airlock Gateway components can trust TLS certificates issued by that custom CA, for example when connecting to internal services that use certificates from a Windows Domain CA. Only the public CA certificate is required; you do not need the private key.
Installing a custom CA certificate is typically required when Airlock Gateway must establish TLS connections to backend systems whose server certificates are not trusted by default (e.g., internal LDAPS endpoints). Once installed, the custom CA becomes part of the trust store used by the operating system.
Prerequisites
- You have the CA certificate file (public certificate only; no private key required).
- If an IIS server with SSL enabled is available, connect with Internet Explorer, import the CA certificate, then export it as a file.
- Otherwise, ask the Windows Domain Administrator to generate and export the CA certificate for you.
- You have administrative access to the Gateway instance:
  - You can transfer files to it (for example via SCP).
  - You can log in via SSH as user root.
Installation
These settings may be lost during an Airlock Gateway update. Plan to reapply the CA installation after updating Airlock Gateway.
- Copy the CA certificate to the following directory on the Gateway instance (e.g., via SCP):
  /etc/pki/ca-trust/source/anchors/
- Log in to the Gateway instance via SSH as root.
- Import certificates from the anchors directory by running the following command:
After completing the installation
- If you stored a copy of the certificate in a temporary folder (e.g., /tmp), remove it after verifying that the certificate has been imported successfully and the intended TLS connections work as expected.
- If you later configure services that validate server certificates (e.g., ACME services), the installed CA certificate enables proper trust validation.
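The installation steps and the post-installation verification above, as an added example script that is not part of the Airlock documentation. The article does not name the import command; this script assumes it is update-ca-trust, the standard tool for the /etc/pki/ca-trust hierarchy on RHEL-based systems, and it assumes the extracted bundle path /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. The check_ca_file, install_ca, ca_in_bundle and verify_backend_tls functions are this example's own names. Before copying, it refuses files that carry a private key, since only the public CA certificate belongs in the anchors directory; afterwards it confirms that the anchor is in the rebuilt bundle and that a TLS connection to a backend now verifies.

```shell
#!/bin/sh
# Added example, not part of the Airlock documentation.
# Assumptions: the anchors directory named in the article, update-ca-trust as
# the import command, and the extracted-bundle path below.
ANCHORS_DIR="${ANCHORS_DIR:-/etc/pki/ca-trust/source/anchors}"
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"

# Pre-install check: the file must be readable, be a PEM certificate, and
# must not contain a private key (the article requires the public cert only).
check_ca_file() {
    f="$1"
    [ -r "$f" ] || { echo "check_ca_file: cannot read $f" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$f" \
        || { echo "check_ca_file: $f is not a PEM certificate" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "check_ca_file: $f contains a private key; export the public certificate only" >&2
        return 1
    fi
    return 0
}

# Copy the certificate into the anchors directory with world-readable,
# root-owned permissions and rebuild the trust store. Run as root.
install_ca() {
    check_ca_file "$1" || return 1
    install -o root -g root -m 0644 "$1" "$ANCHORS_DIR/" || return 1
    update-ca-trust
}

# Post-install check 1: the anchor itself verifies against the rebuilt bundle.
# -partial_chain lets an intermediate CA installed as an anchor pass as well
# as a self-signed root.
ca_in_bundle() {
    openssl verify -partial_chain -CAfile "$CA_BUNDLE" "$1" >/dev/null 2>&1
}

# Post-install check 2: a TLS handshake to a backend (host:port, e.g. an
# internal LDAPS endpoint) now verifies with the system bundle. The
# "Verify return code" line is the reliable signal; s_client's exit status is not.
verify_backend_tls() {
    openssl s_client -connect "$1" -CAfile "$CA_BUNDLE" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}
```

Typical use after copying the file to the instance: `install_ca /tmp/corp-root-ca.pem && ca_in_bundle /tmp/corp-root-ca.pem && verify_backend_tls ldap.example.internal:636`, then delete the copy in /tmp once both checks pass. Because update-ca-trust rebuilds the bundle from the anchors directory, the same three calls can be rerun to restore the CA after a Gateway update.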