---
title: "Onboarding Cluster with Custom CA Certs in Nirmata Control Hub"
description: "Guide to Onboard a Cluster with Custom Certs in Nirmata Control Hub"
diataxis: how-to
applies_to:
  product: "nirmata-control-hub"
audience: ["platform-engineer","cluster-admin"]
url: https://docs.nirmata.io/docs/control-hub/how-to/onboarding-cluster-with-custom-certs-in-nch/
---



## Custom Kyverno Configuration for Custom Kubernetes Certificates

This guide walks you through onboarding a cluster in **Nirmata Control Hub** with **Kyverno configured to use custom Kubernetes certificates**, particularly those signed by your internal Certificate Authority (CA).

### 1. Generate or Use CA-Signed Certificates

If you use your organization's internal CA, issue one certificate for each Kyverno service, `kyverno-svc.kyverno.svc` and `kyverno-cleanup-controller.kyverno.svc`, signed by that CA. **The certificates must be CA-signed, not self-signed**: the CA certificate is what Kyverno publishes to the API server as the webhook `caBundle`, so a self-signed leaf cannot be trusted that way.

#### Wildcard Certificates

A wildcard certificate (e.g., `*.rancher.test` or `*.test.aws`) does not cover the in-cluster service names on its own, so its SAN list must still include `kyverno-svc.kyverno.svc` and `kyverno-cleanup-controller.kyverno.svc` explicitly.

### 2. Verify Subject Alternative Names (SANs)

Ensure certs include these SANs **before creating secrets**:

#### For `kyverno-svc`:

- `kyverno-svc`
- `kyverno-svc.kyverno`
- `kyverno-svc.kyverno.svc`

#### For `kyverno-cleanup-controller`:

- `kyverno-cleanup-controller`
- `kyverno-cleanup-controller.kyverno`
- `kyverno-cleanup-controller.kyverno.svc`

Inspect SANs with [Step CLI](https://smallstep.com/docs/step-cli): `step certificate inspect your-admission-cert.crt --short`

### 3. Create Kubernetes Secrets for Kyverno

Create the secrets in the namespace where Kyverno is installed (`kyverno` by default); replace `<namespace>` below accordingly. The TLS pair secret holds the server certificate and key; the CA secret must expose the CA certificate under the key `rootCA.crt`, which is the key Kyverno reads.

#### Admission Controller Secrets

```bash
kubectl create secret tls kyverno-svc.kyverno.svc.kyverno-tls-pair --cert=your-admission-cert.crt --key=your-admission-key.key -n <namespace>
kubectl create secret generic kyverno-svc.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt=your-ca.crt -n <namespace>
```


#### Cleanup Controller Secrets

```bash
kubectl create secret tls kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair --cert=your-cleanup-cert.crt --key=your-cleanup-key.key -n <namespace>
kubectl create secret generic kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt=your-ca.crt -n <namespace>
```


#### Important: Do not rename these secrets.

Kyverno looks the TLS pair and CA up by these exact names (and reads the CA from the `rootCA.crt` key). If the expected secret is not found, Kyverno falls back to generating its own self-signed certificate, and your CA is never used.


## Nirmata Enterprise for Kyverno and Operator Installation Guide

Version details:

- Nirmata Enterprise for Kyverno: v1.13.4-n4k.nirmata.2
- Nirmata Enterprise for Kyverno Helm Chart: v3.3.9
- Kyverno Operator Helm Chart: v0.5.8

### 1. Overview

Install Nirmata Enterprise for Kyverno and the Kyverno Operator using Helm. This guide also provides a complete container image list for deployments in air-gapped or private registry environments.

### 2. Install Nirmata Enterprise for Kyverno (Kyverno)

If you are using custom certificates, create the secrets described above before running this install, so Kyverno finds them on first start instead of generating self-signed certificates.

```bash
helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata
```

```bash
helm install kyverno nirmata/kyverno -n kyverno --create-namespace --set features.policyExceptions.namespace="kyverno" --set features.policyExceptions.enabled=true --set admissionController.replicas=3 --version 3.3.9
```

### 3. Install Kyverno Operator

```bash
helm install kyverno-operator nirmata/nirmata-kyverno-operator -n nirmata-system --create-namespace --devel --set enablePolicyset=true --version v0.5.8 --set "policies.policySets=[]"
```
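Once the install has completed, a practitioner will want proof that the webhooks are actually using the supplied CA. The script below is an added example, not Nirmata or Kyverno code. It relies on Kyverno populating each webhook's `clientConfig.caBundle` from the `rootCA.crt` key of the matching `<service>.kyverno.svc.kyverno-tls-ca` secret, and assumes `kubectl` and GNU `base64 -d` are on `PATH`, with the install namespace in `KYVERNO_NS` (default `kyverno`). The `pem_body` comparison is pure shell, so it is shown against a constructed, non-real PEM fragment.

```bash
#!/usr/bin/env bash
# Added example (not from Nirmata or Kyverno): confirm every Kyverno webhook
# advertises the CA you supplied, not a Kyverno-generated self-signed CA.
# Assumptions: kubectl and GNU base64 on PATH; KYVERNO_NS is the install namespace.
set -u
KYVERNO_NS="${KYVERNO_NS:-kyverno}"

# pem_body PEM_TEXT: base64 body of the certificate(s) in PEM_TEXT with all
# whitespace stripped, so two encodings of the same DER bytes compare equal
# regardless of line wrapping or a trailing newline.
pem_body() {
  printf '%s\n' "$1" \
    | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
    | grep -v -- '^-----' \
    | tr -d ' \t\r\n'
}

# same_cert PEM_A PEM_B: true when both carry the same certificate bytes.
# Empty or non-PEM input never matches anything.
same_cert() {
  a="$(pem_body "$1")"; b="$(pem_body "$2")"
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# secret_ca SERVICE: prints the rootCA.crt stored in SERVICE.kyverno.svc.kyverno-tls-ca;
# fails if the secret or the key is missing.
secret_ca() {
  data="$(kubectl get secret "$1.kyverno.svc.kyverno-tls-ca" -n "$KYVERNO_NS" \
            -o jsonpath='{.data.rootCA\.crt}')" && [ -n "$data" ] || return 1
  printf '%s' "$data" | base64 -d
}

# verify_webhook_ca: for every kyverno-* webhook configuration, compare each
# webhook's caBundle with the CA secret of the service it points to.
# Prints one line per webhook; fails if any MISMATCH or NO-SECRET line appears.
verify_webhook_ca() {
  report="$(
    for w in $(kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o name | grep '/kyverno-'); do
      kubectl get "$w" -o jsonpath='{range .webhooks[*]}{.clientConfig.service.name}{"|"}{.clientConfig.caBundle}{"\n"}{end}' \
      | while IFS='|' read -r svc bundle; do
          [ -n "$svc" ] || continue   # URL-based or blank entry: nothing to compare
          if ! expected="$(secret_ca "$svc")"; then
            echo "NO-SECRET $w ($svc)"; continue
          fi
          if same_cert "$expected" "$(printf '%s' "$bundle" | base64 -d)"; then
            echo "OK        $w ($svc)"
          else
            echo "MISMATCH  $w ($svc): caBundle is not the CA in $svc.kyverno.svc.kyverno-tls-ca"
          fi
        done
    done
  )"
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -Eq '^(MISMATCH|NO-SECRET)'
}

# Constructed, non-real PEM fragment showing what pem_body normalises.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAA
AAAAAAAAAAAAAAAA
-----END CERTIFICATE-----'

# Usage: KYVERNO_NS=kyverno ./verify-webhook-ca.sh --verify
if [ "${1:-}" = "--verify" ]; then verify_webhook_ca; fi
```

A `MISMATCH` line right after install usually means the secrets were created after Kyverno started, or under the wrong name or namespace, and Kyverno generated its own certificates; a `NO-SECRET` line means the service in the webhook has no `-tls-ca` secret in `KYVERNO_NS` at all.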

### 4. Uninstall & Cleanup

```bash
helm uninstall kyverno -n kyverno
helm uninstall kyverno-operator -n nirmata-system
kubectl delete ns kyverno
kubectl delete ns nirmata-system
```

`helm uninstall` does not remove CRDs. If you need a clean slate, also delete the `*.kyverno.io` CRDs and any leftover Kyverno webhook configurations (which are cluster-scoped and survive namespace deletion); remove the webhook configurations first, since a webhook pointing at a service that no longer exists can block admission of other resources.

### 5. Container Image List (For Private Registry Usage)

Ensure these images are in your private registry:

Nirmata Enterprise for Kyverno Images:

```bash
reg.nirmata.io/nirmata/kyverno:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/kyvernopre:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/background-controller:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/cleanup-controller:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/reports-controller:v1.13.4-n4k.nirmata.2
```

Kyverno Operator Images:

```bash
ghcr.io/nirmata/nirmata-kyverno-operator:v0.4.5
```

Nirmata Kube-controller Images:

```bash
ghcr.io/nirmata/nirmata-kube-controller:v3.10.5
ghcr.io/nirmata/opentelemetry-collector:0.92.0
```

✅ Tip: Ensure all required images are in the private registry for air-gapped environments.
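Mirroring the list above into a private registry, as an added example (not Nirmata tooling). It assumes `crane` from go-containerregistry is on `PATH` and already authenticated to both sides, and takes the target registry host as its only argument (`registry.internal:5000` in the usage note is a placeholder). `mirror_ref` keeps the repository path and tag and swaps only the host, so the mirrored references line up with the originals; the digest printed after each copy is what you pin in your chart values.

```bash
#!/usr/bin/env bash
# Added example (not Nirmata tooling): copy the page's image list into a private
# registry and print the digest of each mirrored image for pinning.
# Assumptions: crane on PATH and logged in to both registries.
set -u

# Image references copied verbatim from the list on this page.
IMAGES='
reg.nirmata.io/nirmata/kyverno:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/kyvernopre:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/background-controller:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/cleanup-controller:v1.13.4-n4k.nirmata.2
reg.nirmata.io/nirmata/reports-controller:v1.13.4-n4k.nirmata.2
ghcr.io/nirmata/nirmata-kyverno-operator:v0.4.5
ghcr.io/nirmata/nirmata-kube-controller:v3.10.5
ghcr.io/nirmata/opentelemetry-collector:0.92.0
'

# mirror_ref SRC_REF REGISTRY: drop the source host, keep repository path and tag.
#   reg.nirmata.io/nirmata/kyverno:TAG -> REGISTRY/nirmata/kyverno:TAG
mirror_ref() {
  printf '%s/%s\n' "$2" "${1#*/}"
}

# mirror_all REGISTRY: copy every image and print "src -> dst@sha256:..." so the
# resulting digests can be recorded; stops at the first failed copy.
mirror_all() {
  for src in $IMAGES; do
    dst="$(mirror_ref "$src" "$1")"
    crane copy "$src" "$dst" || return 1
    printf '%s -> %s@%s\n' "$src" "$dst" "$(crane digest "$dst")"
  done
}

# Usage: ./mirror-images.sh registry.internal:5000
if [ "$#" -eq 1 ]; then mirror_all "$1"; fi
```

After mirroring, point the charts' image settings at the private registry and prefer the printed digests over tags, so a later re-push under the same tag cannot silently change what the cluster runs.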


