Support Certificate Authority on NEE Pods

Starting in Strategy One (January 2026), you can allowlist a host URL and import self-signed certificate authority (CA) so the PDF Export Service can establish HTTPS connections.

Prerequisites

• Allowlist the host URL: Ensure the target host URL is added to the application's allowlist. If you do not perform this step, HTTPS requests to the host may be blocked, even if the certificate is trusted.

• Certificate format requirements: CA certificates must be provided in one of the following formats:

  • PEM (Base64 encoded)

  • DER (binary)

  The following file extensions are supported:

  • .crt

  • .pem

  • .cer

Install the Certificate

1. Copy the certificate files into the following directory in the container:

   Copy

   /opt/mstr/PDFExportService/certs/

2. Verify the following:

   • Each certificate is stored as a separate file.

   • File extensions are in .crt, .pem, or .cer format.

3. Restart the PDF Export Service pod to import the certificates.

   After restarting, the service automatically loads and trusts the certificates placed in the certs directory.

Create a Self-Signed Certificate Example

Use the following example command to generate a self-signed certificate with OpenSSL:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=image-server.default.svc.cluster.local/C=CN/ST=Beijing/L=Beijing/O=Local Development/OU=IT Department" \
  -addext "subjectAltName=DNS:image-server.default.svc.cluster.local"

Note the following:

• Ensure the Common Name (CN) and Subject Alternative Name (SAN) match the actual host used by the PDF Export Service.

• The generated tls.crt file can be used as the CA certificate, if required.