CDCgov / prime-reportstream

ReportStream is a public intermediary tool for delivery of data between different parts of the healthcare ecosystem.
https://reportstream.cdc.gov
Creative Commons Zero v1.0 Universal

Add California's Certificate Authority to Java's Key Store #14722

Closed victor-chaparro closed 2 months ago

victor-chaparro commented 3 months ago

Problem statement

As part of onboarding CA as a REST receiver we need to import their Certificate Authority to Java's key store.

What you need to know

We were able to import it locally by running this command: keytool -cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ldapcert -file ldap.cer

We need a way to import the Certificate Authority into Azure. The only way we've found to do that is by running the above command in the Dockerfile this way:

COPY ldap.cer $JAVA_HOME/conf/security
RUN \
    cd $JAVA_HOME/conf/security \
    && keytool -cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ldapcert -file ldap.cer

If running it this way, we would need to figure out a place where we can securely store the certificate and have docker pick it up from there.

Acceptance criteria

chris-kuryak commented 3 months ago

For reference: We cannot meet our requirements with CA until this is completed. We are in active conversations with them, so I put this at medium priority for the engagement team.

dkrylovsb commented 3 months ago

Hi @victor-chaparro @chris-kuryak! A receiver-specific certificate is really a configuration item, and does not truly belong in a Docker image, i.e. baking it into the Dockerfile isn't the best design. A better design, imho, would be to pass the cert to the application container as a config parameter, and have the container execute Java code to add the cert to the trust store at runtime (there are plenty of StackOverflow examples showing how to do so).

So we think the right way to go would be to take this ticket to the engineers first for an implementation of such code, and we can work on passing the parameter you need. Happy to discuss.
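The runtime approach sketched in the previous comment (cert handed to the container as configuration, added to the trust store by application code instead of by keytool in the Dockerfile) looks like the following. This is an added illustration, not ReportStream's code: the environment variable name RECEIVER_CA_PEM_PATH, the class name, the alias prefix and the fallback to the JVM's default cacerts with the stock "changeit" password are all assumptions made for the example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext that trusts the JVM's default CAs plus one receiver-specific
 * CA supplied at runtime (e.g. a PEM file mounted from a secret store), so the
 * Docker image itself stays free of receiver configuration.
 * Example code written for this issue; not part of the project.
 */
public final class RuntimeTrustStore {

    // Assumed config parameter: path to a PEM file containing the receiver's CA chain.
    private static final String CA_PATH_ENV = "RECEIVER_CA_PEM_PATH";

    public static SSLContext buildFromEnvironment() throws Exception {
        String path = System.getenv(CA_PATH_ENV);
        if (path == null || path.isBlank()) {
            throw new IllegalStateException(CA_PATH_ENV + " is not set");
        }
        return build(Path.of(path));
    }

    /** Default trust anchors + every CA certificate found in {@code receiverCaPem}. */
    public static SSLContext build(Path receiverCaPem) throws Exception {
        KeyStore trust = loadDefaultTrustStore();

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(receiverCaPem)) {
            // generateCertificates() accepts a PEM bundle with one or more certificates.
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            if (certs.isEmpty()) {
                throw new CertificateException("no certificates found in " + receiverCaPem);
            }
            int index = 0;
            for (Certificate c : certs) {
                X509Certificate x = (X509Certificate) c;
                x.checkValidity();                      // reject expired / not-yet-valid anchors
                if (x.getBasicConstraints() < 0) {      // design choice: only CA certs become anchors
                    throw new CertificateException("not a CA certificate: " + x.getSubjectX500Principal());
                }
                trust.setCertificateEntry("receiver-ca-" + index++, x);
            }
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);  // no client key material, default RNG
        return ctx;
    }

    /**
     * Loads a copy of the JVM's cacerts into memory. The file on disk is never modified,
     * which is the point: no keytool import, nothing baked into the image.
     */
    private static KeyStore loadDefaultTrustStore() throws Exception {
        // Honour an explicit javax.net.ssl.trustStore if the operator set one; otherwise
        // fall back to the JDK's own cacerts (assumed default password "changeit").
        String override = System.getProperty("javax.net.ssl.trustStore");
        Path cacerts = override != null
                ? Path.of(override)
                : Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Smoke test: RECEIVER_CA_PEM_PATH=/run/secrets/receiver-ca.pem java RuntimeTrustStore
        SSLContext ctx = buildFromEnvironment();
        System.out.println("trust store ready, protocol " + ctx.getProtocol());
    }
}
```

The SSLContext returned here is what the REST client for that receiver should be built with; the rest of the application keeps using the JVM default trust store untouched. Mounting the PEM from a secret store (rather than copying it into the image as the Dockerfile in the issue does) also means rotating the receiver's CA is a configuration change, not a rebuild.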