Post-Install

Add Ingress Certificate to Trust Store

Manifest generates a self-signed CA certificate for the web ingress. To avoid browser security warnings, you must export this certificate from the cluster and trust it on every machine that will access the platform's web UI.

Export the CA Certificate

kubectl is not required on the host — drop into the install-tools container with manifest-installer shell, then export the certificate:

manifest-installer shell
kubectl get secret -n cert-manager mfst-ca-tls -o jsonpath='{.data.ca\.crt}' | base64 -d > manifest-ca.crt
exit

The deployment directory is mounted into the container, so manifest-ca.crt will be available on the host afterwards. Distribute it to user workstations and apply one of the OS-specific commands below to trust it.

Trust the Certificate

macOS

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain manifest-ca.crt

Linux (Ubuntu/Debian)

sudo cp manifest-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Linux (RHEL/CentOS)

sudo cp manifest-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Windows (PowerShell as Administrator)

Import-Certificate -FilePath manifest-ca.crt -CertStoreLocation Cert:\LocalMachine\Root

Use a Custom Ingress Certificate

Detailed instructions coming soon.

Related Documentation

• Configuration Reference - Host and OIDC configuration options
• Troubleshooting - Common issues and solutions