Installing CA Root certificate in Managed DevOps Pool trusted Store

Question

Installing CA Root certificate in Managed DevOps Pool trusted Store

Akansha Jain (Consultant) 0

Hi,

I am trying to install CA root certificates in Ubuntu Managed DevOps Pool. My certificate is stored as .pem file in key vault secrets.

I don't have any private key for my certificate and I am using Azure ubuntu image.

I am creating MDP using terraform and its working fine and in MDP configuration also I can see the certificate details.

But when I am running script to check the certificates in agents via Azure Pipelines, its not showing and no errors also.

secretsManagementSettings": {
                    "certificateStoreLocation": "LocalMachine",
                    "observedCertificates": [
                        "https://<keyvault>.vault.azure.net/secrets/ROOT-CA"
                    ],
                    "keyExportable": false
                },
                "logonType": "Service"

sudo find / -type f ( -name ".crt" -o -name ".cer" -o -name "*.pem" ) 2>/dev/null | while read f; do openssl x509 -in "$f" -noout -subject 2>/dev/null done | grep -i "Root CA"

Can anyone suggest, what I can do?

Akansha Jain (Consultant) 0

I am creating via terraform with this code

security {
    key_vault_management {
      key_vault_certificate_ids  = var.key_vault_certificates
      certificate_store_name     = "Root"
      certificate_store_location = "LocalMachine"
      key_export_enabled         = false
    }
  }

Siddhesh Desai 7,560 Reputation points Microsoft External Staff Moderator

2026-06-22T08:55:05.8366667+00:00
Hi @Akansha Jain (Consultant)

Thank you for reaching out to Microsoft Q&A.

Based on the configuration and behavior you've described, the most likely issue is that you're using a Linux/Ubuntu Managed DevOps Pool while configuring the certificate store as LocalMachine, which is a Windows certificate store concept. For Ubuntu agents, certificates are not installed into a Windows-style certificate store. Instead, Managed DevOps Pools uses the Key Vault integration to download the certificate as a PEM file into a Linux filesystem location. If certificateStoreLocation is configured incorrectly, the certificate may not be installed where you expect, and your search script will not find it. The recently released trusted-root-certificate support for Managed DevOps Pools relies on the underlying Key Vault VM extension behavior for Linux agents.

Refer below points which may help resolve the issue:

1. Verify the certificate store location for Ubuntu

For Linux agents, use a filesystem path rather than LocalMachine.

Example:

"secretsManagementSettings": { "certificateStoreLocation": "/usr/local/share/ca-certificates", "observedCertificates": [ "https://<keyvault>.vault.azure.net/secrets/ROOT-CA" ], "keyExportable": false }

According to the Managed DevOps Pools trusted certificate implementation, Linux agents store certificates in the specified directory rather than a Windows certificate store.

2. Confirm the Key Vault object type

Ensure that:

The certificate is stored in Azure Key Vault in a format supported by the integration.

The URL in observedCertificates references the correct Key Vault secret/certificate.

The Managed DevOps Pool managed identity has permissions to retrieve the certificate from Key Vault.

3. Check the trusted CA directory directly

Instead of searching the entire filesystem, add a pipeline step such as:

- script: | ls -la /usr/local/share/ca-certificates sudo find /usr/local/share/ca-certificates -type f displayName: 'Check trusted certificates'

4. Verify whether the certificate was added to the OS trust store

On Ubuntu:

- script: | sudo ls -l /etc/ssl/certs | grep -i root sudo update-ca-certificates --verbose displayName: 'Verify certificate trust store'

5. Validate the certificate subject

If the certificate exists, check its subject:

- script: | find /usr/local/share/ca-certificates -name "*.pem" -o -name "*.crt" | while read cert; do echo "=== $cert ===" openssl x509 -in "$cert" -noout -subject done displayName: 'List certificate subjects'

6. Check MDP diagnostic logs

If the certificate still does not appear:

Verify the Managed DevOps Pool resource configuration in Azure Portal.

Check whether the Key Vault integration reports any certificate download errors.

Confirm the pool's managed identity can access the Key Vault secret/certificate.

Akansha Jain (Consultant) 0

Hi @Siddhesh Desai

I have updated the certificateStoreLocation as per linux path and yes my managed identity has permissions for key vault but still getting the same issue

osProfile": {
                "secretsManagementSettings": {
                    "certificateStoreLocation": "/usr/local/share/ca-certificates",
                    "observedCertificates": [
                        "https://<keyvault>.vault.azure.net/secrets/ROOT-CA"
                    ],
                    "keyExportable": false
                },
                "logonType": "Service"
            },

Siddhesh Desai 7,560 Reputation points Microsoft External Staff Moderator

2026-06-23T06:13:13.07+00:00

Hi @Akansha Jain (Consultant)

Can you provide me the information I have asked in the Private chat? I'll escalate this to the backend team

1 answer

Your answer

Akansha Jain (Consultant) 0 Reputation points

2026-06-22T08:35:12.02+00:00

I am creating via terraform with this code

security { key_vault_management { key_vault_certificate_ids = var.key_vault_certificates certificate_store_name = "Root" certificate_store_location = "LocalMachine" key_export_enabled = false } }
Akansha Jain (Consultant) 0 Reputation points

2026-06-22T13:45:14.4533333+00:00

Hi @Siddhesh Desai

I have updated the certificateStoreLocation as per linux path and yes my managed identity has permissions for key vault but still getting the same issue

osProfile": { "secretsManagementSettings": { "certificateStoreLocation": "/usr/local/share/ca-certificates", "observedCertificates": [ "https://<keyvault>.vault.azure.net/secrets/ROOT-CA" ], "keyExportable": false }, "logonType": "Service" },
Siddhesh Desai 7,560 Reputation points Microsoft External Staff Moderator

2026-06-23T06:13:13.07+00:00

Hi @Akansha Jain (Consultant)

Can you provide me the information I have asked in the Private chat? I'll escalate this to the backend team

Answer 1

On Ubuntu agents in a Managed DevOps Pool, certificateStoreLocation must be a filesystem path, not LocalMachine. LocalMachine is only valid for Windows agents.

For Linux/Ubuntu:

Configure the pool to use a Linux path In the Managed DevOps Pool configuration, set certificateStoreLocation to a directory on the Ubuntu agent, for example:
```
   "secretsManagementSettings": {
     "certificateStoreLocation": "/usr/local/share/ca-certificates",
     "observedCertificates": [
       "https://<keyvault>.vault.azure.net/secrets/ROOT-CA"
     ],
     "keyExportable": false
   },
   "logonType": "Service"
```
For Ubuntu, when the path points to the trusted store (for example /usr/local/share/ca-certificates), the certificate is added to that certificate store as root.
Ensure the secret in Key Vault is a certificate The Managed DevOps Pool key vault integration uses the Key Vault VM extension behavior. On Linux, the extension downloads certificates as PEM files into the directory specified by certificateStoreLocation.
Verify on the agent After the pool is updated and an agent is provisioned:
```
   sudo ls -l /usr/local/share/ca-certificates
   sudo grep -i "Root CA" /usr/local/share/ca-certificates/* 2>/dev/null | sed 's/:.*//'
```
If using a different directory (for example /var/lib/waagent/Microsoft.Azure.KeyVault/app1), look there instead.

If both Windows and Linux images are needed and a single certificateStoreLocation cannot satisfy both, split them into separate pools because certificate settings are defined at the pool level.

References:

Share via

Installing CA Root certificate in Managed DevOps Pool trusted Store

1 answer

Your answer