Foundry Digital CA Certificates Bundle

Download CA Certificates Bundle

This certificate bundle contains all necessary certificates for secure connections to our services.

Or download individual certificates:

Production CA Development CA

Zscaler CA 2052

These are non-exhaustive suggested ways to use the cacert bundle. Applications may not use the expected certificates and may need further investigation.

Windows

To install the CA certificate on Windows:

Double-click the downloaded cacert.pem file
Click "Install Certificate"
Select "Local Machine" and click "Next"
Choose "Place all certificates in the following store"
Click "Browse" and select "Trusted Root Certification Authorities"
Click "Next" and then "Finish"

Alternatively, using PowerShell (Run as Administrator):

Import-Certificate -FilePath .\cacert.pem -CertStoreLocation Cert:\LocalMachine\Root

Note: You may need administrative privileges to install certificates system-wide.

macOS

To install the CA certificate on macOS:

Open Keychain Access, click on Certificates in the top menu, then unlock System under System Keychains (requires admin credentials).
Drag and drop cacert.pem in. They will show a red X as they are untrusted. To trust them, double-click one to open it.
Expand the "Trust" section
Set "When using this certificate" to "Always Trust"
Close the window (you'll need to enter your password)

Using terminal:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ./cacert.pem

Linux

For Debian/Ubuntu:

sudo cp ./cacert.pem /usr/local/share/ca-certificates/cacerts-bundle.crt
sudo update-ca-certificates

For RHEL/CentOS/Fedora:

sudo cp ./cacert.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract

For Alpine Linux:

sudo cp ./cacert.pem /usr/local/share/ca-certificates/
sudo update-ca-certificates

Docker

To make Docker trust the CA certificate:

For Docker client

mkdir -p ~/.docker/certs.d/your-registry-domain:port
cp ./cacert.pem ~/.docker/certs.d/your-registry-domain:port/ca.crt

For Docker daemon

sudo mkdir -p /etc/docker/certs.d/your-registry-domain:port
sudo cp ./cacert.pem /etc/docker/certs.d/your-registry-domain:port/ca.crt
sudo systemctl restart docker

Or update the Docker daemon configuration:

sudo nano /etc/docker/daemon.json

Add the following:

{
  "certs.d": {
    "your-registry-domain:port": {
      "ca.crt": "/path/to/cacert.pem"
    }
  }
}

sudo systemctl restart docker

Node.js

Using environment variables:

NODE_EXTRA_CA_CERTS=/path/to/cacert.pem node your-script.js

In your code:

const https = require('https');
const fs = require('fs');

const options = {
  ca: fs.readFileSync('/path/to/cacert.pem')
};

https.request(options, (res) => {
  // Your code here
});

For npm:

npm config set cafile /path/to/cacert.pem

Go

Using environment variables:

export SSL_CERT_FILE=/path/to/cacert.pem
go run your-program.go

In your code:

package main

import (
    "crypto/tls"
    "crypto/x509"
    "io/ioutil"
    "log"
    "net/http"
)

func main() {
    caCert, err := ioutil.ReadFile("/path/to/cacert.pem")
    if err != nil {
        log.Fatal(err)
    }
    
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)
    
    client := &http.Client{
        Transport: &http.Transport{
            TLSClientConfig: &tls.Config{
                RootCAs: caCertPool,
            },
        },
    }
    
    // Use client for requests
}

Python

Add to shell and pip environment (.envrc and ~/.zshrc or ~/.bashrc):

export CERT_PATH=/path/to/cacert.pem
export SSL_CERT_FILE=${CERT_PATH} 
export REQUESTS_CA_BUNDLE=${CERT_PATH}
export CURL_CA_BUNDLE=${CERT_PATH}

Or with a package:

Use certifi:

pip install certifi

Java

Add to Java's trusted certificates:

keytool -importcert -file ./cacert.pem -alias custom-ca -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

Use custom truststore:

keytool -importcert -file ./cacert.pem -alias custom-ca -keystore custom-truststore.jks -storepass your-password

Start Java application with:

java -Djavax.net.ssl.trustStore=/path/to/custom-truststore.jks -Djavax.net.ssl.trustStorePassword=your-password YourApplication

In your code:

System.setProperty("javax.net.ssl.trustStore", "/path/to/custom-truststore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "your-password");

Note: The default password for Java's cacerts is "changeit".

Verification

To verify that the CA certificate is properly installed:

For Linux/macOS

curl --cacert ./cacert.pem https://ca-test.fen.intra curl --cacert ./cacert.pem https://ca-test.dev.fen.intra

For Windows

Invoke-WebRequest -Uri https://ca-test.fen.intra Invoke-WebRequest -Uri https://ca-test.dev.fen.intra

If the certificate is correctly installed, you should not see any SSL/TLS errors.