
Via publishes public CA roots for managed app runtimes under one host
directory:

```text
/var/lib/via/runtime-trust/
```

The runner mounts that directory read-only into every managed runtime at
`/var/vary/trust` and sets `VARY_TRUST_DIR=/var/vary/trust`.

This is platform trust material, not app storage. It is independent of
`capabilities.fs`, so apps without writable filesystem access can still
validate Via-managed HTTPS endpoints.

## Providers

| Provider | Output | Notes |
|---|---|---|
| `internal_acme_ca` | `internal-local-root.crt` | Publishes the managed proxy public local CA root when `[acme] mode = "internal"` and the root has been created. |
| `operator_ca` | `operator-<id>.crt` | Publishes operator-configured public CA roots. |
| `enterprise_pki` | `enterprise-<id>.crt` | Reserved for future managed PKI integration. |

## Operator CA roots

Add public enterprise roots in `server.toml`:

```toml
[runtime_trust]
enabled = true

[[runtime_trust.ca]]
id = "corp-root"
file = "/etc/via/runtime-trust.d/corp-root.crt"
```

Via validates that each configured file exists, is readable, contains one or
more X.509 certificates, and does not contain a private-key PEM block. Invalid
entries fail reconciliation and are surfaced by `via doctor`.
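As an added illustration, not code from Via itself, the content rules above can be expressed as a small stdlib-only check: every PEM block must have matching labels, no block may be a private key, and at least one block must be a `CERTIFICATE` whose body decodes to a DER `SEQUENCE`. The PEM label pattern and the sample inputs are constructed for this example.

```python
import base64
import re

# One PEM block: label, base64 body, end label (the label pattern is an assumption).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S
)

def validate_trust_pem(text: str) -> list[str]:
    """Return findings for one runtime-trust file; an empty list means it passes."""
    findings = []
    certs = 0
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            findings.append(f"mismatched PEM labels: BEGIN {begin} / END {end}")
            continue
        # Matches RSA/EC/ENCRYPTED PRIVATE KEY as well as the PKCS#8 "PRIVATE KEY" label.
        if "PRIVATE KEY" in begin:
            findings.append(f"private-key PEM block present ({begin})")
            continue
        if begin != "CERTIFICATE":
            continue  # other block types are neither required nor rejected here
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append("certificate block is not valid base64")
            continue
        # An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
        if not der or der[0] != 0x30:
            findings.append("certificate block does not decode to a DER SEQUENCE")
            continue
        certs += 1
    if certs == 0:
        findings.append("no X.509 certificate block found")
    return findings

# Constructed samples: the body is DER SEQUENCE { INTEGER 1 }, not a real certificate.
FAKE_DER = base64.b64encode(bytes.fromhex("3003020101")).decode()
GOOD_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"
BAD_PEM = GOOD_PEM + f"-----BEGIN RSA PRIVATE KEY-----\n{FAKE_DER}\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print("corp-root.crt (constructed):", validate_trust_pem(GOOD_PEM) or "ok")
    print("leaked-key.crt (constructed):", validate_trust_pem(BAD_PEM))
```

A real reconciler would additionally parse the DER with an X.509 library to extract subject, issuer and expiry for `via doctor`; this block only enforces the structural rules the page names.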

## Internal ACME CA

When Via uses internal TLS, reconciliation looks for the public root in the
managed proxy data directory and publishes only the public certificate to:

```text
/var/lib/via/runtime-trust/internal-local-root.crt
```

`via-runner` and app containers do not receive traversal access to the managed
proxy private data directory.

## Doctor

`via doctor` reports the runtime trust directory, provider outputs,
certificate subjects, issuers, expiry dates, and SHA-256 fingerprints. An
internal TLS host with no exported managed proxy root is reported as a
deploy-blocking finding until the root exists and `via init --recover` or
`via doctor --fix` publishes it. A fresh `via init --domain ... --acme internal`
run starts Via services and reconciles runtime trust after the proxy is active, so
new installs should not require `via upgrade` just to publish
`internal-local-root.crt`.
