Configures a custom CA (Certificate Authority) certificates file.
Most applications should use the system's root certificates and should avoid setting this option unnecessarily. A common exception to this recommendation is containerized applications. These often deploy without the system's root certificates and need to explicitly configure a root of trust.
The value of this option should be the name of a file in PEM format. Consult your security team and/or system administrator for the contents of this file. Be aware of the security implications of adding new CA certificates to this file. Only use trustworthy sources for the CA certificates.
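For REST-based libraries this configures the CAINFO option in libcurl. The CA certificates in this file are used for all credentials that require authentication, including the default credentials. For gRPC-based libraries this configures the root certificates in grpc::SslCredentialsOptions.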
Warning:
gRPC does not have a programmatic mechanism to set the CA certificates for the default credentials. This option has no effect with MakeGoogleDefaultCredentials() or MakeServiceAccountCredentials(). Consider using the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable in these cases.
Note:
CA certificates can be revoked or can expire; plan for updates in your deployment.
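Because the option only takes a file name, a container can run a pre-flight check that the file really is a PEM bundle before passing the path to the library. The following is an added example, not code from the client libraries; `BundleCheck` and `InspectPemBundle` are hypothetical names, and the check is structural only (it does not validate the certificates themselves).

```cpp
#include <cstddef>
#include <fstream>
#include <sstream>
#include <string>

struct BundleCheck {
  std::size_t certificates = 0;  // complete CERTIFICATE blocks
  bool has_private_key = false;  // a "... PRIVATE KEY" block is present
  bool malformed = false;  // bad header, empty or unterminated block, non-base64 body
  bool ok() const { return certificates > 0 && !has_private_key && !malformed; }
};
// Structural check only: no X.509 parsing, signature, expiry or revocation checks.
BundleCheck InspectPemBundle(std::string const& text) {
  std::string const begin = "-----BEGIN ", end = "-----END ", dashes = "-----";
  std::string const b64 =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
  BundleCheck r;
  std::istringstream in(text);
  std::string line, label;
  std::size_t body_lines = 0;
  bool inside = false;
  while (std::getline(in, line)) {
    while (!line.empty() && (line.back() == '\r' || line.back() == ' ')) line.pop_back();
    if (line.compare(0, begin.size(), begin) == 0) {
      std::size_t const n = begin.size() + dashes.size();
      bool const closed = line.size() >= n &&
          line.compare(line.size() - dashes.size(), dashes.size(), dashes) == 0;
      if (inside || !closed) r.malformed = true;
      label = closed ? line.substr(begin.size(), line.size() - n) : "";
      if (label.find("PRIVATE KEY") != std::string::npos) r.has_private_key = true;
      inside = true;
      body_lines = 0;
    } else if (inside && line == end + label + dashes) {
      if (body_lines == 0) r.malformed = true;
      else if (label == "CERTIFICATE") ++r.certificates;
      inside = false;
    } else if (inside && !line.empty()) {
      if (line.find_first_not_of(b64) != std::string::npos) r.malformed = true;
      ++body_lines;
    }  // text outside BEGIN/END blocks (comments, CA names) is ignored
  }
  if (inside) r.malformed = true;  // unterminated block
  return r;
}
int main(int argc, char** argv) {  // usage: check_bundle /path/to/roots.pem
  std::ifstream f(argc > 1 ? argv[1] : "");
  std::ostringstream ss;
  if (f) ss << f.rdbuf();  // unreadable file leaves the text empty, so ok() is false
  return InspectPemBundle(ss.str()).ok() ? 0 : 1;
}
```

A non-zero exit lets the container fail at startup instead of at the first TLS handshake.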
Last updated 2025-03-05 UTC.