Configures a custom CA (Certificates Authority) certificates file.
Most applications should use the system's root certificates and should avoid setting this option unnecessarily.
The value of this option should be the name of a file in PEM format. Consult your security team and/or system administrator for the contents of this file. Be aware of the security implications of adding new CA certificates to this file. Only use trustworthy sources for the CA certificates.
The most common cases where this option is needed include:
Containerized applications that deploy without the system's root certificates and need to explicitly configure a root of trust.
Applications using gRPC-based services on Windows and macOS, where gRPC does not use the default root of trust. Though it might be possible to set the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable instead.
You should set this option both in the credentials and in the connection google::cloud::Options parameter. For example:
namespace gc = ::google::cloud;
auto ca = gc::Options{}.set<gc::CARootsFilePathOption>("path/to/roots.pem");
auto credentials = gc::MakeServiceAccountCredentials(..., ca);
// Make a copy, only needed if you plan to use `ca` again.
auto opts = ca;
// Using bigtable to illustrate the option usage, this applies to all
// libraries in `google-cloud-cpp`.
auto connection = gc::bigtable::MakeDataConnection(
opts.set<gc::UnifiedCredentialsOption>(credentials));
// Use `connection` as usual.
For REST-based libraries this configures the CAINFO option in libcurl. These are used for all credentials that require authentication, including the default credentials.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-03-05 UTC."],[[["The `CARootsFilePathOption` allows applications to configure a custom CA certificates file, which is primarily necessary for containerized applications or gRPC-based services on Windows and macOS."],["Setting this option involves specifying the path to a PEM-formatted file containing trusted CA certificates, typically needed when the system's default root certificates are unavailable or when gRPC does not use the system's root of trust."],["This configuration must be applied both in the credentials and in the `google::cloud::Options` parameter, as illustrated in the provided C++ code example, to ensure its proper functionality."],["The `CARootsFilePathOption` configures the `CAINFO` option in libcurl for REST-based libraries and the `pem_roots_cert` parameter in `grpc::SslCredentialsOptions` for gRPC-based libraries, but it does not work with `MakeGoogleDefaultCredentials()` for gRPC."],["The documentation lists version history of the API, starting with the latest version [2.37.0-rc] and going as far back as version [2.10.1]."]]],[]]