<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=340678) </details> <!--IssueSummary end--> <!-- This issue template can be used a great starting point for feature requests. The last section "Release notes" can be used as a summary of the feature and is also required if you want to have your release post blog MR auto generated using the release post item generator: https://about.gitlab.com/handbook/marketing/blog/release-posts/#release-post-item-generator. The remaining sections are the backbone for every feature in GitLab. --> ### Release notes <!-- What is the problem and solution you're proposing? This content sets the overall vision for the feature and serves as the release notes that will populate in various places, including the [release post blog](https://about.gitlab.com/releases/categories/releases/) and [Gitlab project releases](https://gitlab.com/gitlab-org/gitlab/-/releases). " --> <TBD after direction is decided, see proposals below> ### Problem to solve <!-- What is the user problem you are trying to solve with this issue? --> GitLab supports use of X.509 user certificates to sign commits. However, this requires that GitLab as an instance trusts the certificate's chain at the instance level (not configurable per-group). On GitLab.com the instance level configuration is unavailable to users. For customers that use an internal CA customizing the trusted cert chains on GitLab.com deployment isn't an option (administration isn't permitted). ### Proposal <!-- Use this section to explain the feature and how it will work. It can be helpful to add technical details, design proposals, and links to related epics or issues. --> For GitLab.com (SaaS) we'll need to either: 1. Offer a way to support and manage custom internal CAs at group/namespace levels (or,) 2. Document limitations and disable X.509 support for GitLab.com users, offering only GPG as an option