Open amouat opened 3 months ago
I know of 4 keystores:
See
$ curl -s http://archive.ubuntu.com/ubuntu/dists/oracular/Contents-amd64.gz | gzip -d | grep etc/ca-certificates/update.d
etc/ca-certificates/update.d/jks-keystore misc/ca-certificates-java
etc/ca-certificates/update.d/mono-keystore universe/cli-mono/ca-certificates-mono
These are for the Java & Mono keystores, and ca-certificates itself handles the mega bundle & symlinks.
Wildcards:
Thanks @xnox !
At Smallstep we have a package for interacting with (some of) those stores: https://github.com/smallstep/truststore. It's based on mkcert, but adapted for use as a library. It might be useful for this use case. If you miss functionality, we can likely add it 🙂
Oh, nice! Thanks @hslatman.
Just to be clear, this is a "backlog" issue, I'm not sure when we'll be able to prioritise it. That being said, if anyone reads this and needs this functionality, please comment or leave an emoji.
+1 this feature.
@amouat @pnasrat Also for Java, I think we may need more than one type of Java keystore, as I think jdk & jdk-fips images possibly expect keytool certs in different store types?
I.e. keytool -importcert -v -trustcacerts -file "cacert.pem" -alias ca -keystore "mySrvTruststore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-145.jar" -storetype BKS -storepass testtest
Possibly nss-db certs too in the future, to basically have the equivalent of the cert store procedures that others do by hand for other container types.
Note that the eclipse-temurin Java image has hooks to allow on-the-fly creation of the Java truststore with injected certs.
See implementation at
I guess we could do something similar in our images' entrypoint too, to be compatible.
Also note this issue on adoptium about handling certs: https://github.com/adoptium/containers/issues/573
To add certificates to a Java image you need to use "keytool", e.g.:
There are probably other platforms with similar bespoke solutions. In these cases we could add a flag (e.g. --add-java-cert) or try to detect if a Java image was being used.
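As an added example (not code from this thread, from Smallstep, or from the project), the Python below sketches the bookkeeping an update.d-style Java truststore hook would need: split the PEM bundle, derive stable aliases so re-runs are idempotent, skip aliases already reported by keytool -list, and emit keytool -importcert argument lists for either the default JKS store or a BouncyCastle BKS store with a provider, as in the command quoted above. keytool is not executed; the keystore paths, passwords and sample bundle are constructed placeholders.

```python
import base64
import hashlib
import re

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_bundle(bundle):
    """DER bytes of every certificate block in a PEM bundle such as ca-certificates.crt."""
    return [base64.b64decode("".join(m.group(1).split())) for m in _PEM_RE.finditer(bundle)]

def to_pem(der):
    """PEM file content for a single DER certificate (keytool -importcert reads one per file)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

def alias_for(der):
    """Alias derived from the SHA-256 fingerprint, so re-running the hook is idempotent."""
    return "ca-" + hashlib.sha256(der).hexdigest()[:16]

def existing_aliases(keytool_list_output):
    """Aliases already in the store, parsed from plain `keytool -list` output, where each
    entry line reads 'alias, <date>, trustedCertEntry,'."""
    return {line.split(",", 1)[0].strip() for line in keytool_list_output.splitlines()
            if line.rstrip().endswith("trustedCertEntry,")}

def import_commands(bundle, keystore, storepass, workdir, store_type="JKS",
                    provider=None, provider_path=None, existing=()):
    """alias -> (PEM to write to <workdir>/<alias>.pem, keytool argv) for each certificate
    in `bundle` not yet in the store. `-provider`/`-providerpath` follow the BouncyCastle
    BKS invocation quoted in the thread; JDK 9+ keytool spells the first `-providerclass`."""
    skip, out = set(existing), {}
    for der in split_bundle(bundle):
        alias = alias_for(der)
        if alias in skip:
            continue  # already imported on a previous run: keep the hook idempotent
        argv = ["keytool", "-importcert", "-noprompt", "-trustcacerts",
                "-file", f"{workdir}/{alias}.pem", "-alias", alias, "-keystore", keystore,
                "-storetype", store_type, "-storepass", storepass]
        if provider:  # non-JKS store types (e.g. BKS) need the provider class and its jar
            argv += ["-provider", provider]
        if provider_path:
            argv += ["-providerpath", provider_path]
        out[alias] = (to_pem(der), argv)
    return out

# Constructed sample input: placeholder DER blobs, not real X.509 certificates.
SAMPLE_BUNDLE = to_pem(b"constructed-der-one") + to_pem(b"constructed-der-two")
# Constructed `keytool -list` output, as if the first certificate were already imported.
SAMPLE_LIST = ("Keystore type: JKS\n\nYour keystore contains 1 entry\n\n" + alias_for(b"constructed-der-one")
               + ", Jan 1, 2024, trustedCertEntry,\nCertificate fingerprint (SHA-256): AA:BB\n")
```

A hook would write each returned PEM to its path, run the argv with subprocess, and pass the current keytool -list output as `existing` on every run.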