• Virtual machine container importing digital certificates with status and resource information in a server room.
, , , ,

Automatic CA Certificate Import in Podman 6

With the release of Podman 6.0, an improvement for enterprise users and developers behind corporate proxies is the new automatic import of host certificates for the Podman machine.

The Certificate Hurdle

Historically, users working in environments with custom Certificate Authorities (CAs), such as many enterprise networks, faced a manual and often tedious process. To ensure that container workloads running inside a Podman Machine trusted the same internal registries or web services as the host OS, you had to manually export certificates from your host’s keystore and inject them into the guest OS.

With Podman 6, we are automating this workflow to ensure your containers “just work” the moment you start your machine.

Introducing –import-native-ca

The centerpiece of this feature is the new --import-native-ca flag. This flag allows Podman to automatically retrieve trusted CA certificates from your host system’s native store and sync them directly into the Podman Machine guest.

How to Use It

You can enable this feature during the initialization of a new machine, update an existing one or change Podman default configuration:

  • During initialization: podman machine init --import-native-ca
  • Updating an existing machine: podman machine set --import-native-ca
  • Setting import_native_ca=true in containers.conf’s machine table

Once enabled, the certificates are synchronized every time the Podman machine boots up. This means that if your IT department updates a root certificate on your host, Podman will automatically pick it up on the next restart.

Under the Hood

The implementation leverages native Go abstractions to securely pull certificates from the host’s store (such as the Keychain on macOS or the Certificate Store on Windows).

  1. Extraction: The Podman client extracts these certificates into a standard PEM format.
  2. Persistence: The certificates are saved in the machine’s data folder on the host.
  3. Synchronization: These files are then mounted or copied into the guest OS’s trusted anchors folder.
  4. Activation: Podman executes the update-ca-trust command inside the guest OS to ensure the new certificates are recognized by the system and any running containers.

To keep machine startup times fast and predictable, this feature is disabled by default. This allows users in complex environments to opt in without impacting those who don’t require custom certificate management.

Cross-Platform Support

We’ve ensured that this feature is robust across all supported Podman Machine providers. Whether you are running on Windows (WSL or Hyper-V), macOS (applehv or libkrun) or Linux (QEMU), your native certificates will follow you into your Podman machine.

Availability

This automated feature is part of the Podman 6.0.0 release.

References

Leave a Reply

Subscribe

Sign up with your email address to receive updates by email from this website.

← Back

Thank you for your response. ✨


Categories


Search