
# Image Library Service Certificate Configuration

## Overview

The Image Library Service uses a TLS certificate to secure image upload and retrieval traffic. If your browser or CLI client does not trust that certificate, image uploads from the UI will be blocked, and CLI uploads without the `--insecure` flag will fail.

Private Cloud Director supports two deployment models with different certificate management paths:

* **SaaS** — Platform9 operates the management plane. The Image Library Service endpoint certificate is managed by Platform9. You accept the certificate in your browser; you do not modify management-plane certificates directly.
* **Self-Hosted** — You operate the management plane on-premise. You can supply your own custom certificate and apply it using `airctl`.

In this guide, you will trust or configure the Image Library Service certificate for your deployment model so that image uploads and VM provisioning succeed.

## SaaS Deployments

In SaaS deployments, the Image Library Service host uses a self-signed certificate for the image upload endpoint. You must accept this certificate in your browser before you can upload images through the UI.

### Accept the Certificate in Your Browser

1. Sign in to the Private Cloud Director UI.
2. Navigate to **Images**. If the certificate has not been trusted, a banner or notification appears that reads **Action Required: Trust Certificate**.
3. Click the link in the notification. A new browser tab opens to the Image Library Service endpoint.
4. In the browser's security warning page, expand **Advanced** (or **Details**, depending on your browser) and click the link to proceed to the site.
5. After accepting the certificate, close the tab and return to the **Images** page. The upload controls should now be active.

For detailed steps for each browser, see [Accept Certificate Authority](/private-cloud-director/getting-started/accept-certificate-authority.md).

{% hint style="info" %}
**Certificate acceptance is per browser and per machine**

Each browser on each machine must accept the certificate separately. If a team member on a different workstation reports upload issues after you have already accepted the certificate, they must repeat these steps in their own browser.
{% endhint %}

### CLI Uploads (SaaS)

When using the `pcdctl` CLI to upload images in a SaaS deployment, include the `--insecure` flag to bypass certificate verification for the Image Library endpoint:

```bash
pcdctl image create --insecure --container-format bare --disk-format qcow2 \
  --file <image-file-path> <image-name>
```

This flag applies to the image endpoint only. It does not affect Identity Service authentication.

### Management-Plane Certificate Changes (SaaS)

{% hint style="warning" %}
**SaaS deployments only**

In SaaS deployments, Platform9 manages the management-plane certificates. You cannot modify these certificates directly. If you need a custom or CA-signed certificate for the Image Library Service endpoint in a SaaS deployment, contact [Platform9 Support](https://support.platform9.com/).
{% endhint %}

## Self-Hosted Deployments

In Self-Hosted deployments, you have full control over management-plane certificates and can supply a custom certificate.

### Accept the Default Self-Signed Certificate

If you are using the default self-signed certificate generated during installation, follow the same browser-acceptance steps as for SaaS deployments (see above). This is the quickest path for small or evaluation deployments.

For CLI uploads, use the `--insecure` flag with `pcdctl image create` as shown in the SaaS section above.

### Configure a Custom Certificate

{% hint style="info" %}
**Self-Hosted deployments only**

The steps in this section apply only to Self-Hosted Private Cloud Director. In SaaS deployments, contact Platform9 Support for certificate changes.
{% endhint %}

To replace the default self-signed certificate with a CA-signed or custom certificate, use the `airctl renew-certs` command. This updates the management-plane certificate, which is then used by the Image Library Service and other services.

For full instructions, see [Using Custom Certificates](/private-cloud-director/getting-started/self-hosted/using-custom-certificates.md).

After applying a new certificate, verify that the Image Library Service endpoint is reachable:

```bash
curl -s https://<IMAGE_LIBRARY_HOST_FQDN>:9292/
```

If you configured a CA-signed certificate, this request should succeed without the `-k` flag. If it returns a certificate error, confirm that the certificate's Subject Alternative Names (SANs) include the Image Library host's FQDN or IP address.
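The SAN check described above can be scripted with `openssl`. This is an added example, not Platform9 tooling: the function names, the host name `images.example.internal`, and the address `192.0.2.10` are assumptions, and the sample certificate is constructed locally so the check runs offline.

```bash
#!/bin/sh
# Added example: confirm a certificate's SANs cover the Image Library host.

# Return 0 if the PEM certificate $1 is valid for the DNS name or IP literal $2.
cert_covers_host() {
  pem=$1; host=$2
  case $host in
    *:*)       flag=-checkip ;;    # IPv6 literal: compare against IP SANs
    *[!0-9.]*) flag=-checkhost ;;  # has a non-digit, non-dot: DNS name
    *)         flag=-checkip ;;    # digits and dots only: IPv4 literal
  esac
  openssl x509 -in "$pem" -noout "$flag" "$host" 2>/dev/null |
    grep -q 'does match certificate'
}

# Save the leaf certificate served by host $1 to file $2 (port $3, default 9292).
# Needs network access to the endpoint; not used by the offline demo below.
fetch_endpoint_cert() {
  openssl s_client -connect "$1:${3:-9292}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM >"$2"
}

# Constructed sample: a throwaway self-signed certificate with one DNS SAN and
# one IP SAN (hypothetical values), written to directory $1.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=constructed-sample' \
    -addext 'subjectAltName=DNS:images.example.internal,IP:192.0.2.10' \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Offline demo against the constructed certificate.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
for name in images.example.internal 192.0.2.10 glance.example.internal; do
  if cert_covers_host "$demo_dir/cert.pem" "$name"; then
    echo "$name: covered by SANs"
  else
    echo "$name: NOT covered; clients that verify the certificate will reject it"
  fi
done
rm -rf "$demo_dir"
```

Against a live deployment, save the served certificate with `fetch_endpoint_cert <IMAGE_LIBRARY_HOST_FQDN> cert.pem` and pass that file to `cert_covers_host` with the exact name or IP address your clients use to reach the endpoint.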

### Verify Certificate Trust After Changes

After updating certificates in a Self-Hosted deployment, restart the Image Library Service on the affected host:

```bash
sudo systemctl restart pf9-glance-api
```

Then re-check the endpoint health and attempt a test upload to confirm the change took effect.

## Troubleshooting Certificate Issues

| Symptom                                                      | Likely Cause                                                           | Resolution                                                             |
| ------------------------------------------------------------ | ---------------------------------------------------------------------- | ---------------------------------------------------------------------- |
| UI upload button is not active; certificate warning shown    | Certificate not accepted in this browser                               | Follow the browser-acceptance steps above.                             |
| `SSL: CERTIFICATE_VERIFY_FAILED` in CLI output               | `--insecure` flag omitted, or a CA-signed cert whose CA is not trusted | Add `--insecure`, or add the CA certificate to the system trust store. |
| Certificate accepted, but upload still blocked               | Browser cached an older, untrusted state                               | Clear the browser cache or retry in a private window.                  |
| Custom certificate applied but endpoint still shows old cert | Service not restarted after cert change                                | Run `sudo systemctl restart pf9-glance-api` on the Image Library host. |

For general Image Library Service health checks, see [Image Library Service Endpoint Health](/private-cloud-director/images-and-image-library/troubleshooting-and-log-files/image-service-troubleshooting-guide.md#image-library-service-endpoint-health).

