
Overview

By default Velatir generates a unique certificate authority on each device. Organisations that already run an internal CA can supply their own instead, so managed devices do not need to trust a new root. For pilots, the default Velatir CA is the simpler choice.

What to Provide

A PFX (PKCS#12) bundle containing the CA certificate, its private key, and any intermediates needed to chain to a root your devices trust. The private key stays on the device and never leaves it.
The certificate must be a CA (keyUsage including keyCertSign and an appropriate basicConstraints extension). A leaf certificate will not work, because Velatir issues per-host certificates from it.
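A pre-deployment check for these requirements, added here as an example (not Velatir's own tooling): it assumes openssl is on PATH and takes the PFX path and password as arguments, then confirms the bundle opens, carries a private key, and that the certificate matching that key is marked CA:TRUE with keyCertSign.

```shell
#!/bin/sh
# check_byo_ca_pfx PFX PASSWORD
# Returns 0 when the PFX can be used as a Velatir bring-your-own CA,
# 1 with a reason on stderr otherwise. Added example, assumes openssl.
check_byo_ca_pfx() {
  pfx=$1
  pass=$2
  tmp=$(mktemp) || return 1
  # Pull out only the certificate that belongs to the private key
  # (-clcerts), ignoring any intermediates bundled alongside it.
  if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts \
       -out "$tmp" 2>/dev/null; then
    echo "cannot open PFX (wrong password or not PKCS#12): $pfx" >&2
    rm -f "$tmp"; return 1
  fi
  # Velatir signs per-host certificates with the bundled key, so a
  # certificate-only bundle is unusable.
  if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
       2>/dev/null | grep -q 'PRIVATE KEY'; then
    echo "PFX contains no private key" >&2
    rm -f "$tmp"; return 1
  fi
  if ! text=$(openssl x509 -in "$tmp" -noout -text 2>/dev/null); then
    echo "no certificate matches the private key in the PFX" >&2
    rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
  # basicConstraints must say CA:TRUE; a leaf certificate says CA:FALSE
  # or has no basicConstraints at all.
  if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "certificate is a leaf (basicConstraints is not CA:TRUE)" >&2
    return 1
  fi
  # keyUsage must include keyCertSign ("Certificate Sign" in -text output).
  if ! printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
    echo "certificate lacks keyUsage keyCertSign" >&2
    return 1
  fi
  printf 'OK: %s\n' "$(printf '%s\n' "$text" | sed -n 's/^ *Subject: //p')"
  return 0
}
```

Run it against the bundle before handing it to set-ca or your MDM file policy; any non-zero exit means the PFX will not work as a Velatir CA.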

Single-Device Setup

For evaluation on one device, use the CLI:
velatir set-ca --path /path/to/internal-ca.pfx --password 'your-pfx-password'
Verify the change took effect. get-config lists the active certificate fingerprint; status confirms the new authority is in use.
velatir get-config
velatir status

Organisation-Wide Setup

Deploy the PFX bundle from your MDM platform first, then deploy the desktop client with the bundle path in the install command.

Windows (Intune)

  1. Deploy the PFX to a known path (for example, C:\ProgramData\Velatir\byo-ca.pfx) using an Intune file policy.
  2. Point the MSI at it:
    /qn INGEST_KEY="vltr_..." VELATIR_BYO_CA_PATH="C:\ProgramData\Velatir\byo-ca.pfx" VELATIR_BYO_CA_PASSWORD="<password>"

macOS (Jamf Pro)

  1. Deploy the PFX via a Jamf file payload (for example, /Library/Application Support/Velatir/byo-ca.pfx).
  2. In the ingest-key staging script, also call:
    /usr/local/bin/velatir set-ca \
      --path "/Library/Application Support/Velatir/byo-ca.pfx" \
      --password "<password>"
See Enterprise deployment for the full Intune and Jamf Pro flow.

Rotating the Certificate Authority

Deploy the new PFX to the same path and redeploy the install command, or rerun set-ca. For lower risk, roll out group by group:
  1. Stage the new CA in a small device group.
  2. Confirm velatir status shows the new fingerprint and interactions still reach the dashboard.
  3. Expand the rollout.
Rotation restarts capture, so one in-flight interaction may produce a single failed trace. Plan rotations during low-activity periods if that matters.

Removing the Custom Certificate Authority

To revert to the Velatir-issued CA:
velatir set-ca --path '' --password ''

Verification

After installing or rotating, confirm supported applications still see a valid certificate chain:
velatir logs --host -f
Trigger an interaction in a supported AI application; the log should show a successful connection on the new authority. If applications report certificate errors, see Troubleshooting.

Next Steps

Enterprise deployment

The Intune and Jamf Pro flows that wrap bring-your-own-CA distribution.

Permissions

How the desktop client handles certificates at install time.

CLI reference

Detail on the set-ca and get-config commands.

Troubleshooting

Diagnose certificate trust issues after a rotation.