Via publishes public CA roots for managed app runtimes under one host directory:

```
/var/lib/via/runtime-trust/
```

The runner mounts that directory read-only into every managed runtime at
`/var/vary/trust` and sets `VARY_TRUST_DIR=/var/vary/trust`.

This is platform trust material, not app storage. It is independent of
`capabilities.fs`, so apps without writable filesystem access can still
validate Via-managed HTTPS endpoints.
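
The following is an added example of the app side of this arrangement, not code from Via or the page. It reads `VARY_TRUST_DIR` (falling back to the mounted path `/var/vary/trust`), keeps the system root store and hostname verification that `ssl.create_default_context()` gives, and adds every `.crt` file Via published. Nothing is written, so it works without `capabilities.fs`. The function names and the fallback behaviour for a missing directory are this example's own choices.

```python
import os
import ssl

# Mount path from the page; VARY_TRUST_DIR normally points here inside a runtime.
DEFAULT_TRUST_DIR = "/var/vary/trust"


def collect_trust_files(trust_dir):
    """Return the .crt files Via published, sorted so loading order is deterministic.

    An absent directory yields an empty list: the app then trusts only the
    system root store (assumption of this example, not Via behaviour).
    """
    if not os.path.isdir(trust_dir):
        return []
    return sorted(
        os.path.join(trust_dir, name)
        for name in os.listdir(trust_dir)
        if name.endswith(".crt")
    )


def build_client_context(trust_dir=None):
    """System roots plus Via-managed roots. Returns (context, loaded_files).

    create_default_context() already enforces CERT_REQUIRED and hostname
    checking; the Via roots are added to that store, never substituted for it.
    """
    if trust_dir is None:
        trust_dir = os.environ.get("VARY_TRUST_DIR", DEFAULT_TRUST_DIR)
    ctx = ssl.create_default_context()
    files = collect_trust_files(trust_dir)
    for path in files:
        # One cafile per published root. capath= would need OpenSSL's hashed
        # symlink layout, which a read-only mount of plain .crt files lacks.
        ctx.load_verify_locations(cafile=path)
    return ctx, files


if __name__ == "__main__":
    context, loaded = build_client_context()
    print("verify_mode:", context.verify_mode.name, "check_hostname:", context.check_hostname)
    print("Via roots loaded:", loaded or "none")
```

The context returned here can be passed to `urllib.request.urlopen(..., context=ctx)` or `http.client.HTTPSConnection(..., context=ctx)`; a Via-managed endpoint signed by one of the published roots then validates without any app-level pinning or disabling of verification.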

| Provider | Output | Notes |
|---|---|---|
| `internal_acme_ca` | `internal-local-root.crt` | Publishes the managed proxy's public local CA root when `[acme] mode = "internal"` and the root has been created. |
| `operator_ca` | `operator-<id>.crt` | Publishes operator-configured public CA roots. |
| `enterprise_pki` | `enterprise-<id>.crt` | Reserved for future managed PKI integration. |

Add public enterprise roots in `server.toml`:

```toml
[runtime_trust]
enabled = true

[[runtime_trust.ca]]
id = "corp-root"
file = "/etc/via/runtime-trust.d/corp-root.crt"
```

Via validates that each configured file exists, is readable, contains one or
more X.509 certificates, and does not contain a private-key PEM block. Invalid
entries fail reconciliation and are surfaced by `via doctor`.
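
An added, stand-alone illustration of those checks (example code, not Via's implementation): it applies the rules the paragraph lists to a PEM file and, for each accepted certificate block, computes the colon-separated SHA-256 fingerprint of the DER bytes in the form `via doctor` reports. Only the Python standard library is used, so the certificate check is structural (valid base64, DER `SEQUENCE` tag) rather than a full X.509 parse. The sample PEM is constructed for the example: its payload is a minimal ASN.1 `SEQUENCE`, not a real certificate.

```python
import base64
import hashlib
import os
import re

# Constructed sample input. SAMPLE_DER is the DER encoding of SEQUENCE { INTEGER 1 },
# enough to exercise the checks offline; a real root would be a full X.509 structure.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

# One PEM block: label on BEGIN and END must match; the body may span lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, der_bytes) for each PEM block; ValueError on malformed base64."""
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(2).split())
        yield match.group(1), base64.b64decode(body, validate=True)


def fingerprint(der):
    """SHA-256 over the DER bytes, rendered as upper-case hex pairs joined by ':'."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def check_trust_pem(text):
    """Content rules from the page: >= 1 certificate block, no private-key block.

    Returns {"ok": bool, "fingerprints": [...], "errors": [...]}.
    """
    errors, fingerprints = [], []
    try:
        blocks = list(pem_blocks(text))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return {"ok": False, "fingerprints": [], "errors": [f"bad base64: {exc}"]}
    for label, der in blocks:
        if "PRIVATE KEY" in label:  # covers RSA/EC/ENCRYPTED PRIVATE KEY labels too
            errors.append(f"private-key block ({label}) must not be published")
        elif label == "CERTIFICATE":
            if not der or der[0] != 0x30:
                errors.append("CERTIFICATE block is not a DER SEQUENCE")
            else:
                fingerprints.append(fingerprint(der))
        # Other block types (e.g. a CRL) are neither required nor rejected here.
    if not fingerprints:
        errors.append("no X.509 certificate block found")
    return {"ok": not errors, "fingerprints": fingerprints, "errors": errors}


def check_trust_file(path):
    """File-level rules (exists, readable) followed by the content rules."""
    if not os.path.isfile(path):
        return {"ok": False, "fingerprints": [], "errors": [f"{path}: file does not exist"]}
    if not os.access(path, os.R_OK):
        return {"ok": False, "fingerprints": [], "errors": [f"{path}: file is not readable"]}
    with open(path, "rb") as fh:
        result = check_trust_pem(fh.read().decode("ascii", errors="replace"))
    result["errors"] = [f"{path}: {msg}" for msg in result["errors"]]
    return result


if __name__ == "__main__":
    for name, pem in (("cert only", SAMPLE_CERT_PEM), ("cert + key", SAMPLE_CERT_PEM + SAMPLE_KEY_PEM)):
        print(name, "->", check_trust_pem(pem))
```

Running it against a real `corp-root.crt` reports the same fingerprint format as `via doctor`, so an operator can compare the value shown there with the one computed from the file they configured.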

When Via uses internal TLS, reconciliation looks for the public root in the
managed proxy data directory and publishes only the public certificate to:

```
/var/lib/via/runtime-trust/internal-local-root.crt
```

`via-runner` and app containers do not receive traversal access to the managed
proxy's private data directory.

`via doctor` reports the runtime trust directory, provider outputs,
certificate subjects, issuers, expiry dates, and SHA-256 fingerprints. An
internal TLS host with no exported managed proxy root is reported as a
deploy-blocking finding until the root exists and `via init --recover` or
`via doctor --fix` publishes it. A fresh `via init --domain ... --acme internal`
run starts Via services and reconciles runtime trust after the proxy is active, so
new installs should not require `via upgrade` just to publish
`internal-local-root.crt`.