I'm trying to include a company CA in a UBI8/9 based image of OpenLiberty.
COPY --chmod=0644 company-root-ca.pem /etc/pki/ca-trust/source/anchors
RUN update-ca-trust
I verified that the Basic Constraints extension with CA:TRUE is set correct and the CA is successfully added to /etc/pki/ca-trust/extracted/java/cacerts.
However running features.sh from the OpenLiberty ubi image fails with a certificate validation error.
Adding the CA directly to /opt/java/openjdk/jre/lib/security/cacertsworks but it's not recommended.
Are system certificates from /etc/pki/ca-trust/extracted/java/cacerts not automatically added when the java runtime is called? Is there additional configuration to be added I am unaware of?
Additional info:
$ echo $JAVA_HOME
/opt/java/openjdk
$ java -version
openjdk version "1.8.0_402"
IBM Semeru Runtime Open Edition (build 1.8.0_402-b06)
Eclipse OpenJ9 VM (build openj9-0.43.0, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20240131_861 (JIT enabled, AOT enabled)
OpenJ9 - 2c3d78b48
OMR - ea8124dbc
JCL - 0fa9d9c532 based on jdk8u402-b06)
I'm trying to include a company CA in a UBI8/9 based image of OpenLiberty.
I verified that the
Basic Constraintsextension withCA:TRUEis set correct and the CA is successfully added to/etc/pki/ca-trust/extracted/java/cacerts. However running features.sh from the OpenLiberty ubi image fails with a certificate validation error. Adding the CA directly to/opt/java/openjdk/jre/lib/security/cacertsworks but it's not recommended.Are system certificates from
/etc/pki/ca-trust/extracted/java/cacertsnot automatically added when the java runtime is called? Is there additional configuration to be added I am unaware of?Additional info: