Skip to main content
Sign In
General

TLS & Certificates

How Rivet validates TLS root certificates.

Public CAs (Let’s Encrypt, AWS ACM, and so on) work out of the box. You only need to read this page if you’re running behind a corporate or private CA.

Rivet reads the operating system trust store (/etc/ssl/certs on Linux, Keychain on macOS, Schannel on Windows) for all outbound HTTPS. Operator-installed corporate CAs live there and are honored automatically.

To trust a private CA inside the official rivetdev/engine image, extend it the standard Debian way:

FROM rivetdev/engine:latest
COPY my-corp-ca.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

Rebuild and redeploy. The same approach works for any machine running a Rivet client: install the CA into the OS trust store and Rivet picks it up.

Edit this page