Restoring a Backup Doesn't restore custom certs

I want to have a gateway backup that already contains the SSL certificate and pfx keystore within it. That way I can restore the gateway and it is already provisioned with the correct certificate. In my development setup I am using a Python script to generate the root certificate, then make the necessary leaf certificates and keystores. In production there will be a secrets manager.

I found that when I use a bind-mounted data directory for the gateway and manually copy the cert and keystore in, it works just fine and I can connect the gateways together. When I take a gateway backup, I can see that the ca.crt is located in both config\local\ignition\gateway-network\client\security\pki\trusted\certs\ca.crt and config\local\ignition\gateway-network\server\security\pki\trusted\certs\ca.crt. Additionally, I can see the keystore under config\local\ignition\gateway-network\keystore\metro-keystore.pfx.

When I restore the backup, Ignition doesn't restore the certs and it returns to self-issued certificates. Why is that?

local configuration is deliberately not part of the gateway backup. It's meant to be for configuration that only makes sense for one particular machine. We have eventual plans for either a new kind of GWBK or a new format or something that will include absolutely everything, but it's an intentional choice that these files aren't in the .gwbk.


Is there an alternative approach to provisioning a gateway with SSL certificates when it loads up? I need to spin up multiple gateways and connect them together. If the local files are not part of the backup, do they still get overwritten when a backup is restored?

To my understanding, no. Whatever is in the local directories is preserved.
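One way to act on the two answers above (local config is not in the .gwbk, but is preserved on restore) is to provision the cert material into the bind-mounted data directory before the gateway starts, record what was written, and re-check it after a restore. The script below is an added example, not code from this thread or from Inductive Automation. It assumes the directory layout the poster observed under config/local/ignition/gateway-network/, that the CA certificate and PKCS#12 keystore are produced elsewhere (the dev Python script or the production secrets manager), and the sample inputs at the bottom are constructed placeholders, not real certificates.

```python
"""Stage gateway-network TLS material into an Ignition gateway's local
config tree before first start, and check that it survived a backup restore.

Added example; the path layout is the one reported in the thread, the
Ignition behaviour it relies on is the answer that local files are
preserved on restore, and everything else here is an assumption.
"""
import hashlib
import tempfile
from pathlib import Path

GN = Path("config", "local", "ignition", "gateway-network")

# Destinations (relative to the data dir) for each artifact, as observed in
# the poster's backup: the CA cert goes to both trust stores, the keystore
# to the keystore directory.
DESTINATIONS = {
    "ca.crt": (
        GN / "client" / "security" / "pki" / "trusted" / "certs" / "ca.crt",
        GN / "server" / "security" / "pki" / "trusted" / "certs" / "ca.crt",
    ),
    "metro-keystore.pfx": (GN / "keystore" / "metro-keystore.pfx",),
}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_valid(ca_pem: bytes, keystore_pfx: bytes) -> bool:
    """Cheap format checks: a PEM certificate, and a DER-encoded PKCS#12
    blob (an ASN.1 SEQUENCE, so its first byte is 0x30)."""
    return (ca_pem.startswith(b"-----BEGIN CERTIFICATE-----")
            and len(keystore_pfx) > 0 and keystore_pfx[0] == 0x30)


def stage(data_dir: Path, ca_pem: bytes, keystore_pfx: bytes) -> dict:
    """Write the CA cert and keystore into the local tree.

    Returns a manifest {relative posix path: sha256} so the caller can
    check later that the gateway did not replace the files."""
    if not looks_valid(ca_pem, keystore_pfx):
        raise ValueError("ca.crt must be PEM and metro-keystore.pfx must be DER PKCS#12")
    manifest = {}
    for name, content in (("ca.crt", ca_pem), ("metro-keystore.pfx", keystore_pfx)):
        for rel in DESTINATIONS[name]:
            dest = data_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(content)
            if name.endswith(".pfx"):
                # The keystore holds the private key; keep it owner-only.
                dest.chmod(0o600)
            manifest[rel.as_posix()] = _sha256(content)
    return manifest


def verify(data_dir: Path, manifest: dict) -> list:
    """Return the relative paths whose content no longer matches the
    manifest (missing, or regenerated by the gateway as a self-signed cert)."""
    changed = []
    for rel, digest in manifest.items():
        path = data_dir / rel
        if not path.is_file() or _sha256(path.read_bytes()) != digest:
            changed.append(rel)
    return changed


# Constructed sample inputs: not real certificates, only enough to pass the
# format checks above. Real material comes from the issuing script or vault.
SAMPLE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_PFX = bytes([0x30, 0x82, 0x01, 0x00]) + b"constructed-pkcs12-body"


def demo() -> list:
    """Stage into a temp dir, simulate the gateway rewriting the server-side
    trust store with a regenerated cert, and return what verify() flags."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp)
        manifest = stage(data_dir, SAMPLE_CA_PEM, SAMPLE_PFX)
        assert verify(data_dir, manifest) == []
        regenerated = b"-----BEGIN CERTIFICATE-----\nregenerated\n-----END CERTIFICATE-----\n"
        (data_dir / DESTINATIONS["ca.crt"][1]).write_bytes(regenerated)
        return verify(data_dir, manifest)


if __name__ == "__main__":
    print(demo())
```

Run stage() against the mounted data directory before the container's first start, keep the returned manifest, and run verify() after every restore; a non-empty result means the gateway fell back to its own certificates and the provisioning step needs to be repeated.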