Overview
By default Velatir generates a unique certificate authority on each device. Organisations that already run an internal CA can supply their own instead, so managed devices do not need to trust a new root. For pilots, the default Velatir CA is the simpler choice.
What to Provide
A PFX (PKCS#12) bundle containing the CA certificate, its private key, and any intermediates needed to chain to a root your devices trust. The private key stays on the device and never leaves it.
The certificate must be a CA (keyUsage including keyCertSign and an appropriate basicConstraints extension). A leaf certificate will not work, because Velatir issues per-host certificates from it.
Single-Device Setup
For evaluation on one device, use the CLI:
get-config lists the active certificate fingerprint; status confirms the new authority is in use.
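Before a bundle goes to a device or into MDM, the CA requirement from What to Provide can be checked with OpenSSL. This is an added example, not Velatir tooling; the function names, the PFX_PASS variable and the throwaway sample bundle are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-deployment check of a bring-your-own-CA PFX with OpenSSL.
# The password is read from the exported PFX_PASS variable so it never appears
# in the process list. Exit codes: 0 usable CA, 1 not a CA, 2 unreadable bundle.
check_ca_pfx() {
    pfx=$1
    # -clcerts picks the certificate paired with the private key; -nokeys keeps
    # key material out of the captured output.
    cert=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null) \
        || { echo "cannot read PFX (wrong password or not PKCS#12)" >&2; return 2; }
    text=$(printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null) \
        || { echo "no certificate paired with a key in PFX" >&2; return 2; }
    # Confirm a private key is present without printing it.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || { echo "no private key in PFX" >&2; return 2; }
    printf '%s\n' "$text" | grep -q 'CA:TRUE' \
        || { echo "basicConstraints is not CA:TRUE (leaf certificate?)" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'Certificate Sign' \
        || { echo "keyUsage lacks keyCertSign" >&2; return 1; }
    echo "OK: CA certificate with private key"
}

# Constructed sample: builds a throwaway self-signed PFX to exercise the check.
# make_sample_pfx <out.pfx> <TRUE|FALSE> <keyUsage list>
make_sample_pfx() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed sample
[ext]
basicConstraints = critical,CA:$2
keyUsage = critical,$3
EOF
    rc=0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || rc=2
    [ "$rc" -ne 0 ] || openssl pkcs12 -export -inkey "$dir/key.pem" \
        -in "$dir/cert.pem" -out "$1" -passout env:PFX_PASS || rc=2
    rm -rf "$dir"
    return $rc
}
```

With PFX_PASS exported, check_ca_pfx exits non-zero on a leaf certificate or an unreadable bundle, so it can gate the packaging step that feeds Intune or Jamf.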
Organisation-Wide Setup
Deploy the PFX bundle from your MDM platform first, then deploy the desktop client with the bundle path in the install command.
Windows (Intune)
- Deploy the PFX to a known path (for example, C:\ProgramData\Velatir\byo-ca.pfx) using an Intune file policy.
- Point the MSI at it:
macOS (Jamf Pro)
- Deploy the PFX via a Jamf file payload (for example, /Library/Application Support/Velatir/byo-ca.pfx).
- In the ingest-key staging script, also call:
Rotating the Certificate Authority
Deploy the new PFX to the same path and redeploy the install command, or rerun set-ca. For lower risk, roll out group by group:
- Stage the new CA in a small device group.
- Confirm velatir status shows the new fingerprint and interactions still reach the dashboard.
- Expand the rollout.
Removing the Custom Certificate Authority
To revert to the Velatir-issued CA:
Verification
After installing or rotating, confirm supported applications still see a valid certificate chain:
Next Steps
Enterprise deployment
The Intune and Jamf Pro flows that wrap bring-your-own-CA distribution.
Permissions
How the desktop client handles certificates at install time.
CLI reference
Detail on the set-ca and get-config commands.
Troubleshooting
Diagnose certificate trust issues after a rotation.