Docker distroless image how to add customize certificate to trust store?


gcr.io/distroless/java

How to add custom pki certificate?


There are 2 answers

ghaering

The distroless images are based on Debian 9, so you can do a multi-stage build and do something like the following:

FROM debian AS build-env

# Add CA files
ADD my-ca-file.crt /usr/local/share/ca-certificates/my-ca-file.crt
RUN apt update -qqq && \
    apt install -yqqq ca-certificates && \
    update-ca-certificates

FROM gcr.io/distroless/base
COPY --from=build-env /etc/ssl/certs /etc/ssl/certs
Torbjörn Österdahl

Since this is distroless, I don't add them to the system (Linux); I add them straight to the Java key store.

Here is an example of adding SwissSign as a certificate authority, which is otherwise not supported.

It's noteworthy that distroless has already set the password 'changeit' at build time, so don't change it (!) unless you replace the keystore altogether.

FROM gcr.io/distroless/java17:latest

# Adding Swisssign as certificate authority,
# Required by Six
#
# First add the certificates to the location otherwise expected by 'update-ca-certificates'
ADD Gold_G2.ca /usr/local/share/ca-certificates/gold_g2.crt
ADD SwissSign_RSA_TLS_OV_ICA_2021-1.ca /usr/local/share/ca-certificates/swisssign_rsa_tls_ov_ica_2021-1.crt

# However, since this is distroless, instead of 'update-ca-certificates'
# we import immediately into the Java keystore (exec form, since the image has no shell).
# distroless has set the password 'changeit' at build time, so until we create an all-new keystore this is the one to use.
#
RUN [\
 "/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool",\
 "-import",\
 "-trustcacerts",\
 "-cacerts",\
 "-noprompt",\
 "-storepass",\
 "changeit",\
 "-alias",\
 "Swisssign_Gold_CA-G2",\
 "-file",\
 "/usr/local/share/ca-certificates/gold_g2.crt"\
]

RUN [\
 "/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool",\
 "-import",\
 "-trustcacerts",\
 "-cacerts",\
 "-noprompt",\
 "-storepass",\
 "changeit",\
 "-alias",\
 "Swisssign_RSA_TLS_OV_ICA_2021-1",\
 "-file",\
 "/usr/local/share/ca-certificates/swisssign_rsa_tls_ov_ica_2021-1.crt"\
]
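To confirm the import actually took effect, here is an added check that is not part of the answer above: it asks the JVM's default TrustManager for the anchors it will really use for TLS (the same cacerts the keytool -cacerts import writes to) and exits non-zero if the expected CA is missing or expired. The class name TrustStoreCheck and the default subject fragment "SwissSign Gold CA - G2" are assumptions; pass your own CA's subject as the first argument.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added check: queries the JVM for the trust anchors it will really use,
// which is what the keytool -cacerts import in the Dockerfile feeds into.
public final class TrustStoreCheck {

    /** Trust anchors of the JVM's default trust store (cacerts or javax.net.ssl.trustStore). */
    static X509Certificate[] acceptedIssuers() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore = use the JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager x509) {
                return x509.getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Returns the matching anchor, or null if no trusted CA subject contains the fragment. */
    static X509Certificate findAnchor(String subjectFragment) throws Exception {
        for (X509Certificate c : acceptedIssuers()) {
            // RFC 2253 form, e.g. "CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH" (assumed DN)
            if (c.getSubjectX500Principal().getName().contains(subjectFragment)) {
                return c;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed default: the CA imported by the Dockerfile above; override via argv[0].
        String wanted = args.length > 0 ? args[0] : "SwissSign Gold CA - G2";
        X509Certificate anchor = findAnchor(wanted);
        if (anchor == null) {
            System.err.println("NOT TRUSTED: no anchor matching '" + wanted + "'");
            System.exit(1);
        }
        System.out.println("trusted: " + anchor.getSubjectX500Principal().getName());
        if (anchor.getNotAfter().before(new Date())) {
            System.err.println("WARNING: anchor expired on " + anchor.getNotAfter());
            System.exit(2);
        }
    }
}
```

Compile it with javac beforehand (distroless has no compiler), then run it inside the image's own JVM, whose entrypoint is java: docker run --rm -v "$PWD:/app" my-image -cp /app TrustStoreCheck.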