By default, the Azure Linux Container Host for AKS image has a minimal set of root certs to trust certain Microsoft resources, such as packages.microsoft.com. Not all Microsoft certificates are automatically included in our image, which is consistent with the least-privilege principle and gives you the flexibility to opt in to just the root certificates you need and to customize your image.
The ca-certificates-base package is preinstalled in the container host image and contains certificates from a small set of Microsoft-owned CAs. It consists of certificates from Microsoft's root and intermediate CAs. This package allows your container host to trust a minimal set of servers, all of which were verified and had their certificates issued by Microsoft.
The ca-certificates package covers the root CAs trusted by Microsoft through the Microsoft Trusted Root Program.
The directory /etc/pki/ca-trust/source/ contains the CA certificates and trust settings in the PEM file format. The trust settings found here are interpreted with a high priority, higher than the ones found in /usr/share/pki/ca-trust-source/.
For more information on the Azure Linux Container Host for AKS image certifications, see the GitHub documentation.
Important
As of November 30, 2025, Azure Kubernetes Service (AKS) no longer supports or provides security updates for Azure Linux 2.0. The Azure Linux 2.0 node image is frozen at the 202512.06.0 release. Beginning March 31, 2026, node images will be removed, and you'll be unable to scale your node pools. Migrate to a supported Azure Linux version by upgrading your node pools to a supported Kubernetes version or migrating to osSku AzureLinux3. For more information, see Retirement: Azure Linux 2.0 node pools on AKS.
Add a certificate in the PEM or DER file format
You can add individual or multiple certificates to your Azure Linux Container Host for AKS image. To add a certificate in the simple PEM or DER file format to the list of CAs trusted on the system, follow these steps:
- Save your certificate under /etc/pki/ca-trust/source/anchors/.
- Run update-ca-trust to consolidate CA certificates and associated trust.
Add a certificate in the extended BEGIN TRUSTED file format
If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust flags or trust flags for usages other than TLS), follow these steps:
- Save your certificate under /etc/pki/ca-trust/source/.
- Run update-ca-trust to consolidate CA certificates and associated trust.
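The two procedures above differ only in the destination directory, which depends on the file's format. The following shell functions are an added example, not Microsoft's tooling: they choose the directory from the file contents, refuse files that contain a private key, print the certificate's fingerprint for out-of-band comparison, and then run update-ca-trust. The function names are hypothetical, and the example assumes openssl and install are available on the host.

```bash
#!/bin/sh
# Added example, not Microsoft's tooling. Usage (as root), after sourcing:
#   install_ca ./my-root-ca.crt        # file name is a placeholder

ANCHORS_DIR=/etc/pki/ca-trust/source/anchors   # simple PEM or DER certificates
SOURCE_DIR=/etc/pki/ca-trust/source            # extended BEGIN TRUSTED format

# Print the directory a certificate file belongs in, judged by its contents
# rather than its extension. Returns non-zero for anything unrecognised.
ca_trust_dest() {
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    # A key must never land in a world-readable trust directory.
    if grep -q -e 'PRIVATE KEY-----' "$f"; then
        echo "refusing: $f contains a private key" >&2; return 1
    fi
    if grep -q -e '-----BEGIN TRUSTED CERTIFICATE-----' "$f"; then
        echo "$SOURCE_DIR"
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "$ANCHORS_DIR"
    elif [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = "30" ]; then
        echo "$ANCHORS_DIR"        # DER starts with an ASN.1 SEQUENCE tag (0x30)
    else
        echo "not a PEM, DER or BEGIN TRUSTED certificate: $f" >&2; return 1
    fi
}

# Show what is about to be trusted, copy it into place, rebuild the bundles.
install_ca() {
    dest=$(ca_trust_dest "$1") || return 1
    # openssl x509 reads PEM by default; fall back to DER. Compare the printed
    # SHA-256 fingerprint with the one your CA published out of band.
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -noout -subject -enddate -fingerprint -sha256 ||
        return 1
    install -m 0644 "$1" "$dest/" && update-ca-trust
}
```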
Next steps
- Learn more about Azure Linux Container Host core concepts.
- Follow our tutorial to Deploy, manage, and update applications.
- Get started by Creating an Azure Linux Container Host for AKS cluster using Azure CLI.