Certificate
The certificate block selects the trust set that sing-box uses when verifying TLS server certificates. You pick a base store and optionally extend it with custom certificates from strings, files, or directories.
Options
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| `store` | string | `system` | `system` \| `mozilla` \| `chrome` \| `none` | Which root-CA store to use as the base trust set. `system` reads the OS root store; `mozilla` and `chrome` use bundled snapshots; `none` starts from an empty trust set. |
| `certificate` | badoption.Listable[string] | `[]` | `<PEM block>` | Inline list of PEM-encoded certificates appended to the base trust set. |
| `certificate_path` | badoption.Listable[string] | `[]` | `<file path>` | List of PEM file paths appended to the base trust set. |
| `certificate_directory_path` | badoption.Listable[string] | `[]` | `<dir path>` | List of directories whose `.pem`/`.crt`/`.cer` files are appended to the base trust set. |
Source: option/certificate.go:9-14 · pinned at v1.13.11 (553cfa1)
Example
```json
{
  "certificate": {
    "store": "mozilla",
    "certificate_path": ["/etc/ssl/extra/my-corp-root.pem"]
  }
}
```
Notes
- An empty / missing `store` is normalized to `system` (option/certificate.go:31-33).
- All three "extra" fields are additive: they are merged on top of the base store rather than replacing it. To use a strictly curated trust set, pick `store: "none"` and list every certificate explicitly.
- Custom inline certificates are useful for self-signed setups; in most production cases prefer pointing at a directory or file path so the trust set can be rotated without changing the config.
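The additive merge described in the notes above, modelled with Go's standard `crypto/x509` package. This is an added example, not sing-box's own code: `must`, `newRoot`, `trustSet` and `trusted` are hypothetical helpers, and both roots are throwaway certificates generated at run time. It shows that an empty base (as with `store: "none"`) plus one extra root trusts only that root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newRoot builds a throwaway self-signed root CA (constructed sample data).
func newRoot(cn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// trustSet models the additive merge: extras are added on top of a copy of base.
func trustSet(base *x509.CertPool, extras ...*x509.Certificate) *x509.CertPool {
	pool := base.Clone()
	for _, c := range extras {
		pool.AddCert(c)
	}
	return pool
}

func trusted(pool *x509.CertPool, c *x509.Certificate) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: pool}) // chain must end in pool
	return err == nil
}

func main() {
	corp, other := newRoot("corp-root"), newRoot("other-root")
	curated := trustSet(x509.NewCertPool(), corp) // like store "none" plus one extra
	fmt.Println(trusted(curated, corp), trusted(curated, other))
}
```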
