Self Signed Certificates

This tutorial requires a Vault-CRD Version newer then 1.4.3

To use self signed certificates it's required to add to the main cacerts keystore the self signed certificate or the better solution is to add the root certificate of the self signed certificate.

For security reasons, I will not provide a way to ignore invalid certificates.

To build a Docker Image that contains a Self Signed Certificate we will use a Docker Image Pipeline. This Pipeline will take the default cacerts file from openjdk:8, add our self-signed certificate and afterwards add this certificate to our cacerts keystore.

FROM openjdk:8 AS BUILD

COPY cert.pem /additional_certs/cert.pem
RUN yes | keytool -importcert -alias selfsignedroot -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit -file /additional_certs/cert.pem

The last step is to add the edited cacerts keystore to vault-crd. Please replace in the FROM section the Docker Image Tag with the version you are planning to use:

FROM daspawnw/vault-crd:1.5.0

COPY --from=BUILD /usr/local/openjdk-8/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts

Here the full example

FROM openjdk:8 AS BUILD

COPY cert.pem /additional_certs/cert.pem
RUN yes | keytool -importcert -alias selfsignedroot -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit -file /additional_certs/cert.pem

FROM daspawnw/vault-crd:1.4.3

COPY --from=BUILD /usr/local/openjdk-8/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts

PreviousInstall Vault-CRD NextEnable Admission Webhook

Last updated 3 years ago