Skip to main content
Version: 1.x

CA Certificates

wasmCloud

wasmCloud can be configured to trust additional certificates when establishing secure connections for OCI and OTEL. This is useful when working with private certificates, such as those used in private networks or with self-signed certificates.

shell
./wasmcloud --tls-ca-path /path/to/cert.pem --tls-ca-path /path/to/another-cert.pem ...

Application HTTP Client Requests

If applications deployed on wasmCloud use the HTTP client capability provider and make outbound requests to services that use private certificates, the application must be configured to trust the private certificates. This can be done by providing the HTTP client with the custom certificates.

The HTTP client capability provider README details these options in more detail, at a high level:

HTTP Client Configuration

KeyValueDescriptionDefault
load_native_certs"true" / "false"Use the platform's native certificate store at runtime. Any value other than "true" will be assumed as "false""true"
load_webpki_certs"true" / "false"Uses a compiled-in set of root certificates trusted by Mozilla. Any value other than "true" will be assumed as "false""true"
ssl_certs_file"/path/to/certs.pem"Path to a file available on the machine where the HTTP client runs that contains one or more root certificates to trust. The provider will fail to instantiate if the file is not present.N/A

An example of starting this provider with all of the configuration values looks like this in wash:

bash
wash config put http-client-config load_native_certs=true load_webpki_certs=true ssl_certs_file=/tmp/certs.pem
wash start provider ghcr.io/wasmcloud/http-client:0.11.0 http-client --config http-client-config

An example of starting this provider with all of the configuration values looks like this in wadm:

yaml
- name: httpclient
  type: capability
  properties:
    image: ghcr.io/wasmcloud/http-client:0.11.0
    config:
      - name: http-client-config
        properties:
          load_native_certs: 'true'
          load_webpki_certs: 'true'
          ssl_certs_file: /tmp/certs.pem