Use this guide to configure custom TLS certificates in LangSmith. This is required when connecting securely to model providers or external services, especially if you rely on self-signed certificates or internal certificate authorities. This page describes two related tasks:
  • Using custom TLS certificates for model providers (such as Azure, OpenAI, or a custom model server)
  • Mounting internal certificate authorities (CAs) to enable TLS connections for databases and other external services.

Use custom TLS certificates for model providers

This feature is currently only available for the following model providers:These TLS settings will apply to all invocations of the selected model providers including when used through Online Evaluation.
You can use custom TLS certificates to connect to model providers in the LangSmith playground. This is useful if you are using a self-signed certificate, a certificate from a custom certificate authority or mutual TLS authentication. To use custom TLS certificates, you need to set the following environment variables. See the self hosted deployment section for more information on how to set up application configuration.
  • LANGSMITH_PLAYGROUND_TLS_MODEL_PROVIDERS: A comma-separated list of model providers that require custom TLS certificates. Note that azure_openai, openai and custom are currently the only supported model provider that supports custom TLS certificates, but more providers will be supported in the future.
  • LANGSMITH_PLAYGROUND_TLS_CA: The custom certificate authority (CA) certificate in PEM format. This must be a file path (for a mounted volume).
  • [Optional] LANGSMITH_PLAYGROUND_TLS_KEY: The private key in PEM format. This must be a file path (for a mounted volume). This is usually only necessary for mutual TLS authentication.
  • [Optional] LANGSMITH_PLAYGROUND_TLS_CERT: The certificate in PEM format. This must be a file path (for a mounted volume). This is usually only necessary for mutual TLS authentication.
Once you have set these environment variables, enter the LangSmith Playground Settings page and select the Provider that requires custom TLS certificates. Set your model provider configuration as usual, and the custom TLS certificates will be used when connecting to the model provider.

Mount internal CAs for TLS

  1. Create a file containing all CAs required for TLS with databases and external services. If your deployment is communicating directly to beacon.langchain.com without a proxy, make sure to include a public trusted CA. All certs should be concatenated in this file with an empty line in between.
-----BEGIN CERTIFICATE-----
<PUBLIC_CA>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<INTERNAL_CA>
-----END CERTIFICATE-----

...
  1. Create a Kubernetes secret with a key containing the contents of this file.
kubectl create secret generic <SECRET_NAME> --from-file=<SECRET_KEY>=<CA_BUNDLE_FILE_PATH> -n <NAMESPACE>
  1. If using custom CA for TLS with your databases and other external services, provide the following values to your LangSmith helm chart:
Helm
config:
  customCa:
    secretName: <SECRET_NAME> # The name of the secret created in step 2.
    secretKey: <SECRET_KEY> # The key in the secret containing the CA bundle.

clickhouse:
  external:
    tls: true # Only enable if you want TLS for Clickhouse.
postgres:
  external:
    customTls: true # Only enable if you want TLS for Postgres.
  1. Make sure to use TLS supported connection strings:
    • Postgres: Add ?sslmode=verify-full&sslrootcert=system to the end.
    • Redis: Use rediss:// instead of redis:// as the prefix.