How to add SSL certificates to Tomcat in Docker container? How to add SSL certificates to Tomcat in Docker container? docker docker

How to add SSL certificates to Tomcat in Docker container?


java tomcat ssl docker keystore

You can try importing the certificate into jvm trusted store inside docker.

I've the certs for the remote hosts.

You can use these certificates but in fact you don't need them, you only need the root certificate of the authority that issued the certificates. You can download it from the internet.

Usually they are given in pem format, but you'll need der for jvm.

First you need to convert the certificate:

openssl x509 -in ca.pem -inform pem -out ca.der -outform der

Then install it into jvm keystore:

keytool -importcert -alias startssl -keystore \    $JAVA_HOME/lib/security/cacerts -storepass changeit -file ca.der

This command asks if you really want to add the certificate, you shoudl type "yes".

And all together in a Dockerfile:

FROM tomcat:8.0.47-jre7COPY ca.pem ca.pemRUN openssl x509 -in ca.pem -inform pem -out ca.der -outform derRUN echo yes | keytool -importcert -alias startssl -keystore \    /docker-java-home/jre/lib/security/cacerts -storepass changeit -file ca.der COPY test.war /usr/local/tomcat/webapps/test.warWORKDIR /usr/local/tomcat/webapps

Note: if you already have certificate in der format you don't need openssl call, just copy the certificate directly.

To verify that the certificate is really applied you can run the container, ssh into it 

$ docker exec -it <CONTAINER-ID> bash

and check the keystore:

$ keytool -keystore "/docker-java-home/jre/lib/security/cacerts" -storepass changeit -list | grep <NAME-OF-YOUR-CERT-AUTHORITY>

java tomcat ssl docker keystore

For Java apps in RHEL/Centos images, you can use update-ca-trust, which will update your trust stores for you, from files you place into /etc/pki/ca-trust. It also accepts .pem files directly:

FROM ...USER rootCOPY yourcertificate.pem /etc/pki/ca-trust/source/anchors/yourcertificate.pemRUN update-ca-trust

This will update /etc/pki/java/cacerts for you automatically, so that Java will trust the new certificate.

Or, if your cert is hosted on a web server, then you can use curl to download it instead of copying the file - for example:

RUN curl -k https://badssl.com/certs/ca-untrusted-root.crt -o /etc/pki/ca-trust/source/anchors/ca-untrusted-root.crt && \    update-ca-trust

java tomcat ssl docker keystore

=> Use classpath:/some/location/cerkey.jks in case of Docker location, to refer the docker instance.

=> Use file:/some/location/cerkey.jks in case of host location, where the docker is running.

Hint: Value of server.ssl.key-store

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last