@beercan1989
Created August 30, 2023 16:21
Rocky Linux with Java and a custom TLS certificate

Rocky Linux with Java using a shared TLS trust store

Basically a nice way to manage internal CA chains on CentOS/Rocky/Red Hat, hopefully similar to how Debian-like systems do it.

Debian

So I know that on Debian-like systems we can do the following to add a custom root CA to the OS trust store, so that tools like curl trust it; the same helper scripts also make the JRE trust it.

FROM openjdk:11-jre-slim
ADD ssl/ROOTCA.pem /usr/local/share/ca-certificates/ROOTCA.crt
RUN update-ca-certificates

Rocky

It's just a matter of working out what the CentOS/Red Hat/Rocky folders and scripts are called.

So the proof looks like this: generate a self-signed certificate and import it as a trust anchor, which should let it persist across updates.

FROM rockylinux:9

# Install the JRE and JDK
RUN dnf -y update && \
    dnf -y install java-17-openjdk java-17-openjdk-devel

# Create an example certificate to trust
RUN openssl req -nodes -new -x509 -keyout test.baconi.co.uk.key -out test.baconi.co.uk.crt -subj '/C=GB/L=Sheffield/O=Baconi/CN=test.baconi.co.uk' && \
    cp -av test.baconi.co.uk.crt /etc/pki/ca-trust/source/anchors/test.baconi.co.uk.crt

# Import the certificate into the OS level trust store
RUN update-ca-trust

# Verify the Java trust store is updated
RUN keytool -list -cacerts -storepass changeit | grep baconi

It can be tested with the companion Dockerfile by running

docker build --progress plain .

The output looks like this:

#6 [3/5] RUN openssl req -nodes -new -x509 -keyout test.baconi.co.uk.key -out test.baconi.co.uk.crt -subj '/C=GB/L=Sheffield/O=Baconi/CN=test.baconi.co.uk' &&     cp -av test.baconi.co.uk.crt /etc/pki/ca-trust/source/anchors/test.baconi.co.uk.crt
#6 0.433 ...+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..+.+.........+...+...........+.+......+.........+...+...+........+......+.........+....+..+...+......+.......+.....+...+..........+......+...........+....+..............+....+...+..+.+...........+...+...+...+.+......+..+.......+...+..+......+...+....+......+......+.....+................+...+...........+...+.......+...............+.....+.+............+..+......+.............+.................+...+....+......+............+........+......+....+..+.........+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#6 0.679 .+.....+.+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+......+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.....+................+...+...........+.+...+........+..........+..+......+.+......+.........+......+..+..........+...........+....+..+.+...+..+...........................+......+.+.....+.........+.+.....+...+.+..+.........+......+...+...................+.....+...+............+......+.+...+......+..+.........+...+......+......+.+.....+..........+.....+..........+...+.........+..+.+.....+............+.+......+......+..+.+.....+.+...+..+...+............+.+........+.+.....+.+.......................+......+...+..........+........+............+.+.........+......+......+........+...+..........+.....+....+.....+.........+....+..+......+.........+...+.+..+....+...+...+.....+...+..........+.....+.........+..........+............+.....+.+...+.....+.......+.........+..............................+...+..+.+..............+...+...+.......+........+....+...+..+..................+.+...........+...................+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#6 1.118 -----
#6 1.123 'test.baconi.co.uk.crt' -> '/etc/pki/ca-trust/source/anchors/test.baconi.co.uk.crt'
#6 DONE 1.1s

#7 [4/5] RUN update-ca-trust
#7 DONE 1.2s

#8 [5/5] RUN keytool -list -cacerts -storepass changeit | grep baconi
#8 0.846 test.baconi.co.uk, Aug 30, 2023, trustedCertEntry,
#8 DONE 0.9s
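The `grep baconi` check above only proves that an alias containing that string exists in the Java store; it does not prove that the certificate in the store is the one dropped into the anchors directory. A stricter check is to compare the SHA-256 fingerprint of the anchor's DER encoding against the certificates in the bundle that `update-ca-trust` regenerates under `/etc/pki/ca-trust/extracted/` (on RHEL-family systems the JRE's `cacerts` is a symlink into that same directory, which is why `keytool` sees the change). The script below is an added example, not part of the gist or the Rocky/OpenJDK tooling; the paths are the RHEL-family defaults, and the PEM bodies used in the demo are constructed placeholders (base64 of arbitrary bytes), not real certificates.

```python
"""Check that a CA anchor really landed in an extracted trust bundle.

Added example, not part of the original gist. Certificates are matched by
the SHA-256 fingerprint of their DER bytes, which is stricter than grepping
for a keytool alias. The PEM bodies in the demo are constructed placeholders.
"""
import base64
import hashlib
import re

# Default locations on RHEL-family systems; update-ca-trust reads the
# anchors directory and rewrites the extracted bundle.
ANCHOR_DIR = "/etc/pki/ca-trust/source/anchors"
EXTRACTED_BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

# The real bundle contains comment lines between blocks, so match lazily
# on the armour and ignore everything outside it.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(text):
    """Return the base64 body of every CERTIFICATE block, whitespace removed."""
    return ["".join(body.split()) for body in _PEM_BLOCK.findall(text)]


def der_fingerprint(b64_body):
    """SHA-256 over the DER bytes as colon-separated hex (openssl -fingerprint style)."""
    der = base64.b64decode(b64_body, validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle_text):
    """Set of fingerprints for every certificate in a PEM bundle."""
    return {der_fingerprint(body) for body in pem_blocks(bundle_text)}


def anchor_is_trusted(anchor_pem, bundle_text):
    """True only if every certificate in anchor_pem is present in bundle_text."""
    anchors = pem_blocks(anchor_pem)
    if not anchors:
        raise ValueError("anchor file contains no CERTIFICATE block")
    present = bundle_fingerprints(bundle_text)
    return all(der_fingerprint(body) in present for body in anchors)


def check_files(anchor_path, bundle_path=EXTRACTED_BUNDLE):
    """Run the check against files on disk, e.g. after update-ca-trust."""
    with open(anchor_path) as anchor, open(bundle_path) as bundle:
        return anchor_is_trusted(anchor.read(), bundle.read())


def _fake_pem(payload):
    """Constructed placeholder: arbitrary bytes in PEM armour (NOT a real certificate)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data standing in for the anchor and the extracted bundle.
SAMPLE_ANCHOR = _fake_pem(b"constructed anchor test.baconi.co.uk")
SAMPLE_BUNDLE = (
    "# constructed bundle: the real file carries comment lines like this\n"
    + _fake_pem(b"constructed system CA one")
    + SAMPLE_ANCHOR
    + _fake_pem(b"constructed system CA two")
)
STALE_BUNDLE = _fake_pem(b"constructed system CA one")  # before update-ca-trust


def demo():
    """Return (present after update, present before update) for the samples."""
    return (anchor_is_trusted(SAMPLE_ANCHOR, SAMPLE_BUNDLE),
            anchor_is_trusted(SAMPLE_ANCHOR, STALE_BUNDLE))


if __name__ == "__main__":
    fresh, stale = demo()
    print("anchor present in regenerated bundle:", fresh)
    print("anchor present in stale bundle:", stale)
```

In a container built from the Dockerfile above, `check_files("/etc/pki/ca-trust/source/anchors/test.baconi.co.uk.crt")` should return `True` after the `update-ca-trust` step and `False` if that step is skipped, because `update-ca-trust` is what copies anchors into the extracted bundle.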
Dockerfile

FROM rockylinux:9

# Install the JRE and JDK
RUN dnf -y update && \
    dnf -y install java-17-openjdk java-17-openjdk-devel

# Create an example certificate to trust
RUN openssl req -nodes -new -x509 -keyout test.baconi.co.uk.key -out test.baconi.co.uk.crt -subj '/C=GB/L=Sheffield/O=Baconi/CN=test.baconi.co.uk' && \
    cp -av test.baconi.co.uk.crt /etc/pki/ca-trust/source/anchors/test.baconi.co.uk.crt

# Import the certificate into the OS level trust store
RUN update-ca-trust

# Verify the Java trust store is updated
RUN keytool -list -cacerts -storepass changeit | grep baconi