> ## Documentation Index
> Fetch the complete documentation index at: https://docs.domino.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Domino-custom-certificates ConfigMap

Domino checks for `domino-custom-certificates` ConfigMap in the Kubernetes cluster’s `default` namespace. This ConfigMap must have a key named `bundle` with plaintext data of a certificate bundle in PEM format. If the bundle exists, then Domino uses certificates from this bundle to connect to the external services.

Domino supports the following certificate types:

Custom Certificate Authority (CA)\
Certificates that certify the other certificates issued under this authority.

Self-signed certificates\
Certificates that do not have a reference to the authority signing them.

The bundle is formatted as a series of concatenated certificates in PEM format. You must have the line breaks around the lines:

```shell theme={null}
-----BEGIN CERTIFICATE—--
```

and

```shell theme={null}
-----END CERTIFICATE—--
```

The bundle must contain all the certificates that you would typically use to connect to the private services, including intermediate and root certificates.

Domino includes public certificates, such as DigiCert root certificates, by default so you do not have to include them. Duplicate certificates will not cause any issues.

For user executions, all Domino certificates, including public and customer-provided, will be stored in `/etc/ssl/certs/domino-custom`.

## Use custom certificates

If you must use custom certificates in a user session, such as to connect to internal Git servers from a Workspace command line, manually reference the certificates in `/etc/ssl/certs/domino-custom`. The following are some ways that you can do this:

* Copy the certs from `/etc/ssl/certs/domino-custom` to `/etc/ssl/certs` in a compute environment pre-run script.

* Add a Java truststore option such as: `-Djavax.net.ssl.trustStore=/etc/ssl/certs/domino-custom/cacerts.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=changeme`

* Add application-specific configurations such as setting the `GIT_SSL_CAINFO` variable for Git or passing the `--cacert` option for Curl.

  You can also set these options at runtime or modify the relevant configuration files in the compute environment.
