What Are Private CAs?

A Private CA is a Certificate Authority certificate that you upload to validate certificates issued by custom, internal, or non-standard certificate authorities. Private CAs enable monitoring of services that use certificates not signed by publicly trusted CAs.

When to Use Private CAs

Private CAs are essential for monitoring internal services that use certificates from your organization's internal PKI, development and staging environments with self-signed certificates, or services using certificates from specific certificate providers that aren't in the standard public trust stores.

Without configuring a Private CA, the system validates certificates against the standard public certificate trust stores used by browsers and operating systems. Certificates signed by private or internal CAs will fail validation unless you upload the CA certificate.

How Private CAs Work

When you upload a Private CA certificate and assign it to a monitoring profile, all monitors using that profile will validate certificates against both the public trust stores and your uploaded CA certificates. This allows the system to properly validate certificate chains that terminate at your private CA rather than a public root.

Multiple Private CAs can be assigned to a single profile, enabling validation of services using certificates from different internal CAs or a mix of internal and external certificate providers. Each uploaded CA certificate is identified by its display name, expiration date, and cryptographic fingerprint.

Security Considerations

Warning

Only upload the public CA certificate, never the private key. The Private CA feature only requires the public certificate to validate certificate chains. Uploading private keys is unnecessary and creates a security risk.

Private CA certificates are stored securely and used only for certificate chain validation during monitoring checks. They cannot be downloaded or exported from the system once uploaded.

Using Private CAs

Private CAs are assigned to monitors through profiles. Navigate to Certificate Monitoring ➡️ Manage ➡️ Profiles and either create a new profile or edit an existing one. Check the Use Private CA(s) for Verification option and select one or more uploaded Private CAs. All monitors using that profile will then validate against those CAs.

The Private CAs list shows each CA's status, remaining days until expiration, and fingerprint for verification. Expired CA certificates should be replaced before they cause validation failures on your monitors.
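A pre-upload check for the two points above (upload only the public certificate, and compare the fingerprint shown in the Private CAs list), given here as an added example that is not part of the product. It assumes the displayed fingerprint is SHA-256 over the DER-encoded certificate, which this page does not specify; the function name `inspect_ca_upload` and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def inspect_ca_upload(pem_text):
    """Return (fingerprints, problems) for a PEM file intended for upload."""
    fingerprints, problems = [], []
    for label, body in PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            # Covers PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY.
            problems.append(f"contains a {label} block; remove it before upload")
        elif label == "CERTIFICATE":
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append("certificate block is not valid base64")
                continue
            # Assumption: fingerprint = SHA-256 of the DER bytes, colon-separated.
            digest = hashlib.sha256(der).hexdigest().upper()
            fingerprints.append(
                ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
            )
        else:
            problems.append(f"unexpected {label} block")
    if not fingerprints:
        problems.append("no CERTIFICATE block found")
    return fingerprints, problems

def make_pem(label, data):
    """Wrap raw bytes in a PEM envelope (used only to build the sample input)."""
    return (f"-----BEGIN {label}-----\n"
            f"{base64.encodebytes(data).decode()}-----END {label}-----\n")

# Constructed sample input: placeholder bytes, not a real certificate or key.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
CLEAN_PEM = make_pem("CERTIFICATE", SAMPLE_DER)
BUNDLE_PEM = CLEAN_PEM + make_pem("PRIVATE KEY", b"constructed key bytes")

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_PEM), ("bundle", BUNDLE_PEM)):
        fps, problems = inspect_ca_upload(text)
        print(name, fps, problems or "ok to upload")
```

Run it against the file you are about to upload and compare the printed fingerprint with the one the Private CAs list shows after upload.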