# Add Custom Certificates to ESS Services

In some cases, you may need to add custom certificates to the ESS services' trust store; for example, to allow ESS services to communicate with services whose certificates are not issued by typical certificate authorities.

{% hint style="warning" %}
**Warning**\
The following procedure modifies [initContainers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) for your Kubernetes pods and may have far-reaching impact. Exercise care when using the following procedure.
{% endhint %}

## Example Customization

The following kustomization uses the Inrupt-provided **`load-custom-cert.yaml`** to add a custom certificate (named **`custom.crt`** in the example) from a **`ConfigMap`** when pods start running.

1. Download the **`load-custom-cert.yaml`** to a temp directory.

   ```sh
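   # Work in a fresh temporary directory
   cd "$(mktemp -d)"
   # Copy the openid-custom-certificate component out of the kustomizer image
   docker run --rm -v "$(pwd)":/cert-example/ docker.software.inrupt.com/inrupt-kustomizer:2.7.0 cp -R /release/ess/deployment/kubernetes/components/openid-custom-certificate/ /cert-example/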
   ```
2. From the temp directory, copy the downloaded **`load-custom-cert.yaml`** to the ESS installation directory.

   ```sh
   cp openid-custom-certificate/load-custom-cert.yaml ${HOME}/ess/
   ```

   If saving to a directory different from the ESS installation directory, update the path to **`load-custom-cert.yaml`** in the **`kustomization.yaml`** step below.
3. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
4. Save your custom certificate in a file named **`custom.crt`**.
5. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/latest/installation/customize-configurations.md#applying-your-customizations) procedure).\
   Specifically, add the highlighted content to the **`kustomization.yaml`** file under the **`patches`** key and **`configMapGenerator`** key:

{% hint style="info" %}
**Tip**

If the **`patches`** key does not exist in **`kustomization.yaml`**, add the **`patches`** key as well.

If the **`configMapGenerator`** key does not exist in **`kustomization.yaml`**, add the **`configMapGenerator`** key as well.
{% endhint %}

<pre><code># kustomization.yaml in your ESS installation directory

# ...  Preceding content omitted for brevity
# ...

patches:
<strong>  - path: load-custom-cert.yaml
</strong><strong>    target:
</strong><strong>      kind: Deployment
</strong><strong>      name: ess-openid
</strong>
configMapGenerator:
<strong>  - name: custom-certificate
</strong><strong>    namespace: ess
</strong><strong>    files:
</strong><strong>      - custom.crt
</strong></code></pre>

6. Continue with the rest of the [Applying Your Customizations](/ess/latest/installation/customize-configurations.md#applying-your-customizations) procedure.
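
A pre-flight check for the **`custom.crt`** saved in step 4, to run before the **`configMapGenerator`** publishes it. It rejects files that contain private keys (ConfigMap data is not confidential) and returns SHA-256 fingerprints to compare against the value obtained from the certificate's owner. This is an added example, not part of the Inrupt procedure: it assumes **`custom.crt`** is PEM-encoded, and `inspect_trust_file`, `to_pem` and `SAMPLE_DER` are names made up for it.

```python
import base64
import hashlib
import re
import sys

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed sample: a tiny DER SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")


def to_pem(der, label="CERTIFICATE"):
    """PEM-wrap raw bytes (helper used to build the sample input)."""
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


def inspect_trust_file(pem_text):
    """Return one SHA-256 fingerprint per certificate in pem_text.

    Raises ValueError when the file contains anything except certificates.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM blocks found (empty or DER-encoded file?)")
    fingerprints = []
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            # ConfigMap data is not confidential; keys must never land here.
            raise ValueError(f"refusing file: contains a {label} block")
        if label != "CERTIFICATE":
            raise ValueError(f"unexpected PEM block: {label}")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):
            raise ValueError("block does not decode to a DER SEQUENCE")
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return fingerprints


if __name__ == "__main__":
    # With no argument, run on the constructed sample instead of custom.crt.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else to_pem(SAMPLE_DER)
    for fp in inspect_trust_file(text):
        print("SHA-256 fingerprint:", fp)
```

The fingerprints use the same colon-separated uppercase hex form that `openssl x509 -noout -fingerprint -sha256` prints, so the two can be compared directly.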

