Add custom certificates to a delegate
Some organizations prefer to use custom SSL certificates instead of certificates generated by a public Certificate Authority (CA). If your organization uses internal certificates, you need to set up Harness to use these certificates.
Harness supports three workflows for using custom certificates. You can add your certs to the delegate, to individual pipelines, or to the container images you use to run your scans.
When to add custom certificates to a delegate for STO
Harness STO supports three workflows for running scans with custom certificates. This workflow is recommended if both of the following are true:
-
You're using a Kubernetes or Docker delegate.
-
You can configure the delegate directly.
Important notes for adding custom certificates to a delegate for STO
-
This workflow is supported for Kubernetes and Docker delegates only, and requires direct access to the delegate. If you don't meet these requirements, you can add your certs to individual pipelines or to custom scanner images instead.
-
You must have root access to perform the workflows referenced below.
-
Make sure that your certificates meet all requirements of the external scan tool. Your certificates must be valid, unexpired, and have a complete trust chain.
-
STO supports certificates in PEM and Distinguished Encoding Rules (DER) format.
-
Harness STO does not support certificate bundles. Each certificate should be specified in its own file. If you have a bundle that you want to use with an external scanner, Harness recommends that you split the bundle into individual files.
-
To troubleshoot SSL issues, go to Troubleshooting tips below.
Workflows for adding custom certificates to a delegate for STO
The Harness CI docs describe how to add custom certificates to a delegate.
-
For Kubernetes delegates, go to Configure a Kubernetes build farm to use custom certificates.
-
For Docker delegates, go to Set up a local runner build infrastructure.