Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.


Trust private certificate authorities (CAs)


This guide explains how to install Astro Private Cloud in an environment that uses Private Certificate Authority (Private CA)–issued TLS certificates. In this setup, all platform components, including the control plane, data plane, and internal services, communicate over secure HTTPS connections that are validated against your organization’s internal CA. This procedure covers configuring trusted roots, deploying certificates to the appropriate namespaces, and ensuring that the Astro installation properly trusts and uses the Private CA during installation and runtime.

  1. Store the CA’s root public certificate in an Opaque Kubernetes secret in the Astro Private Cloud namespace with a descriptive name, such as private-root-ca, by running the following command.

Before you run this command, keep the following in mind:

  • The root certificate you specify should be the certificate of the authority that signed the Astro Private Cloud certificate. This isn’t the certificate associated with Astro Private Cloud or any other service.
  • The name of the secret file must be cert.pem for your certificate to be trusted properly.
  • The file must contain only a single certificate; it can’t be a certificate bundle.

     $ kubectl -n astronomer create secret generic private-root-ca --from-file=cert.pem=./private-root-ca.pem

  2. Add <secret name> to the list of secret names contained in global.privateCaCerts in values.yaml:

     global:
       privateCaCerts:
         - private-root-ca

Steps 3 and 4 are additional steps for Private CA on the control plane only.

  3. Create a database secret and add <secret name> to the list of secret names.

     $ kubectl -n astronomer create secret generic db-private-ca --from-file=cert.pem=./private-root-ca.pem

     global:
       privateCaCerts:
         - private-root-ca
         - db-private-ca

  4. Add your Private CA to your Helm values.yaml.

     database:
       connection:
         ssl:
           ca: /etc/ssl/certs/ca-certificates.pem
           rejectUnauthorized: true
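
Pre-flight checks for the requirements listed in step 1, as an added example that is not part of the Astronomer documentation: check_single_cert rejects bundles and files that contain a private key before the secret is created, and check_signed_by confirms that the root signed the platform certificate. The function names, the private-key check, and the tls.crt path are assumptions made for illustration, and the demo files are constructed PEM marker blocks, not real certificates.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the file stored as cert.pem in the secret.

# Succeeds only if FILE holds exactly one certificate and no private key.
check_single_cert() {
  local file=$1 n
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$file"; then
    echo "$file contains a private key; store only the public root" >&2
    return 3
  fi
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
  if [ "$n" -ne 1 ]; then
    echo "$file holds $n certificates; cert.pem must hold exactly one" >&2
    return 1
  fi
}

# Succeeds if PLATFORM_CERT was signed by ROOT. Requires openssl; -no-CApath
# skips the default CA directory (on OpenSSL 3, consider -no-CAstore as well).
check_signed_by() {
  openssl verify -CAfile "$1" -no-CApath "$2" >/dev/null 2>&1
}

# Constructed sample files: PEM marker lines only, not real certificates.
demo_dir=$(mktemp -d)
pem_block() {
  printf -- '-----BEGIN %s-----\nQ09OU1RSVUNURUQ=\n-----END %s-----\n' "$1" "$1"
}
pem_block CERTIFICATE > "$demo_dir/root.pem"
{ pem_block CERTIFICATE; pem_block CERTIFICATE; } > "$demo_dir/bundle.pem"
{ pem_block CERTIFICATE; pem_block 'RSA PRIVATE KEY'; } > "$demo_dir/with-key.pem"

for f in root.pem bundle.pem with-key.pem; do
  if check_single_cert "$demo_dir/$f" 2>/dev/null; then
    echo "$f: ok to store as cert.pem"
  else
    echo "$f: rejected"
  fi
done

# Real use (tls.crt is a hypothetical path to the platform certificate):
#   check_single_cert ./private-root-ca.pem &&
#     check_signed_by ./private-root-ca.pem ./tls.crt
```

Run both checks against the real files before each kubectl create secret command, since the same root file feeds both private-root-ca and db-private-ca.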