AZ AKS Needs to support Larger CAs

[scoronado-usn]

Describe the bug

Sending request in here based on a Support Ticket exchange in the Azure US Government

We are trying to add our Internal Certificate Authority to AKS and, the command fails because we have too many certificates.

scoronado@XXXXXXX:~/Desktop$ az aks update -g $NAME_OF_RG -n $NAME_OF_CLUSTER  --custom-ca-trust-certificates $LARGE_CA_CRT
Only up to 10 new-line separated CAs can be passed, got 49 instead.

As you can tell, our Certificate Authority is very large and we have requirements to connect to different websites that are terminated with the public CA. There are, in fact 49 Certificates inside this file.

scoronado@XXXXXXX:~/Desktop$ grep "BEGIN CERTIFICATE" $LARGE_CA_CERT | wc -l 
49

Related command

az aks update -g $NAME_OF_RG -n $NAME_OF_CLUSTER --custom-ca-trust-certificates $LARGE_CA_CRT

Errors

Only up to 10 new-line separated CAs can be passed, got 49 instead.

Issue script & Debug output

Can't reproduce here

Expected behavior

We expect the cluster to update with all of our certificates.

Environment Summary

azure-cli                         2.76.0

core                              2.76.0
telemetry                          1.1.0

Extensions:
aks-preview                    18.0.0b27

Dependencies:
msal                            1.33.0b1
azure-mgmt-resource               23.3.0

Python location '/opt/az/bin/python3'
Config directory '/home/scoronado/.azure'
Extensions directory '/home/scoronado/.azure/cliextensions'

Python (Linux) 3.12.10 (main, Jul 29 2025, 09:28:48) [GCC 13.3.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

I would prefer to sideload all of the CAs so that we do not have to start manually downloading certs from a different website.

[yonzhan]

Thank you for opening this issue, we will look into it.

[FumingZhang]

@UtheMan could you help assess whether it's possible to increase the limit?

[UtheMan]

Hello, the behavior you are seeing is by design and not related to azure-cli. Limit of 10 CAs passed using the --custom-ca-trust-certificates flag is also enforced by AKS's backend side validation. We limit the amount of CAs that users are allowed to pass using this flag, as all of these CAs are passed alongside provisioning scripts to newly created nodes and there are size constraints for that payload.

Does your environment require all 49 CAs to properly provision nodes? If not, then one approach you could look into is utilizing a self-managed daemonset that will add your CAs to trust stores in your nodes, this article is a good example: https://hypernephelist.com/2021/03/23/kubernetes-containerd-certificate.html

btw - https://github.com/Azure/AKS/issues would probably be a better place for this issue.

[scoronado-usn]

Good Morning,

We limit the amount of CAs that users are allowed to pass using this flag, as all of these CAs are passed alongside provisioning scripts to newly created nodes and there are size constraints for that payload.

This is understandable given what is supported by the AKS backend.

Does your environment require all 49 CAs to properly provision nodes?

Likely not, but it also isn't practical to cherry pick which "public" Root/Intermediate Certificates we are going have the cluster use because internal government sites terminating SSL with the internal CA are going to use intermediates certificates that are derived from these Root CAs.

If this was on a virtual machine running any form of Linux, I can drop a concatenated certificate chain containing the 49 certs into /usr/local/share/ca-certificates and call it a day because I can then programmatically use curl/docker/etc against an internal site. I'm really trying not to add anything extraordinary.

btw - https://github.com/Azure/AKS/issues would probably be a better place for this issue.

Thank you, I will raise this over there.