With the release of Podman 6.0, an improvement for enterprise users and developers behind corporate proxies is the new automatic import of host certificates for the Podman machine.
The Certificate Hurdle
Historically, users working in environments with custom Certificate Authorities (CAs), such as many enterprise networks, faced a manual and often tedious process. To ensure that container workloads running inside a Podman Machine trusted the same internal registries or web services as the host OS, you had to manually export certificates from your host’s keystore and inject them into the guest OS.
With Podman 6, we are automating this workflow to ensure your containers “just work” the moment you start your machine.
Introducing –import-native-ca
The centerpiece of this feature is the new --import-native-ca flag. This flag allows Podman to automatically retrieve trusted CA certificates from your host system’s native store and sync them directly into the Podman Machine guest.
How to Use It
You can enable this feature during the initialization of a new machine, update an existing one or change Podman default configuration:
- During initialization:
podman machine init --import-native-ca - Updating an existing machine:
podman machine set --import-native-ca - Setting
import_native_ca=truein containers.conf’s machine table
Once enabled, the certificates are synchronized every time the Podman machine boots up. This means that if your IT department updates a root certificate on your host, Podman will automatically pick it up on the next restart.
Under the Hood
The implementation leverages native Go abstractions to securely pull certificates from the host’s store (such as the Keychain on macOS or the Certificate Store on Windows).
- Extraction: The Podman client extracts these certificates into a standard PEM format.
- Persistence: The certificates are saved in the machine’s data folder on the host.
- Synchronization: These files are then mounted or copied into the guest OS’s trusted anchors folder.
- Activation: Podman executes the
update-ca-trustcommand inside the guest OS to ensure the new certificates are recognized by the system and any running containers.
To keep machine startup times fast and predictable, this feature is disabled by default. This allows users in complex environments to opt in without impacting those who don’t require custom certificate management.
Cross-Platform Support
We’ve ensured that this feature is robust across all supported Podman Machine providers. Whether you are running on Windows (WSL or Hyper-V), macOS (applehv or libkrun) or Linux (QEMU), your native certificates will follow you into your Podman machine.
Availability
This automated feature is part of the Podman 6.0.0 release.


Leave a Reply