I'm new to Docker. I want to add several certificates for a Java application inside Docker. I'm using this code in the Dockerfile:

RUN keytool -importcert -noprompt -trustcacerts -alias artifactory -file /files/cert.crt -keystore local -storepass changeit

and it works fine, but only for one certificate. How can I add all certificates from the /files folder with a one-line command, or in some loop, or maybe with a bash file?

UPDATED: I used the following bash to add certificates:

for cert in "${tempdir}"/*.crt; do
    cert2=$(basename "$cert")
    # convert DER to PEM; openssl -out truncates the target, so no separate header line is needed
    "${openssl}" x509 -inform der -in "${cert}" -outform pem -out "${destdir}/${cert2}"
    # one alias per file: keytool refuses a second import under an alias that already exists
    keytool -importcert -noprompt -trustcacerts -alias "artifactory-${cert2%.crt}" \
        -file "${destdir}/${cert2}" -keystore local -storepass changeit
done

but got the following error: "keytool: command not found". The command keytool works fine when I run it in the Docker container.

Valeriy K. • 2,616 • 1 • 30 • 53

4 Answers

3

In the Dockerfile call the bash file:

RUN apk update && apk add bash openssl wget && rm -rf /var/cache/apk/*
COPY getcerts.sh getcerts.sh
RUN chmod +x getcerts.sh && ./getcerts.sh

Bash script:

#!/usr/bin/env bash
set -e
# tempdir holds the source .crt files, destdir the PEM copies; both are expected to be set
for cert in "${tempdir}"/*.crt; do
    cert2=$(basename "$cert")
    # alias derived from the file name so each certificate gets a unique one
    keytool -importcert -noprompt -trustcacerts -alias "artifactory-${cert2%.crt}" \
        -file "${destdir}/${cert2}" -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit
done
Valeriy K. • 2,616 • 1 • 30 • 53
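As an added example (not code from the question or from this answer), here is a complete, sh-compatible version of the loop above that a practitioner would want in a Dockerfile: it calls keytool by absolute path under JAVA_HOME (a RUN step is a non-interactive shell, so the PATH a login shell has is not guaranteed), gives every file its own alias, checks that each file is actually PEM or DER before handing it to keytool, and fails the build on the first bad file. JAVA_HOME being set, the file extensions *.crt / *.pem, the CERT_DIR variable and the KEYTOOL override are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the question or this answer): import every
# certificate in a directory into the JVM trust store with one alias per file,
# and fail the image build on the first bad file. Assumes JAVA_HOME is set in
# the image (the official openjdk images do this) and that the files are
# PEM or DER certificates.
set -eu

# Call keytool by absolute path: a RUN step is a non-interactive shell, and
# $PATH there need not contain $JAVA_HOME/bin even when a login shell has it.
KEYTOOL="${KEYTOOL:-${JAVA_HOME:-/usr/lib/jvm/default-jvm}/bin/keytool}"

# Java 8 keeps the trust store under jre/lib/security, Java 9+ under
# lib/security; pick whichever exists under the given Java home.
default_cacerts() {
  home="${1:-${JAVA_HOME:-}}"
  if [ -f "$home/jre/lib/security/cacerts" ]; then
    echo "$home/jre/lib/security/cacerts"
  else
    echo "$home/lib/security/cacerts"
  fi
}

# Alias derived from the file name: keytool lowercases aliases and refuses a
# second import under an existing alias, so each file needs its own.
alias_for() {
  base=$(basename "$1")
  base=${base%.*}
  printf '%s\n' "$base" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9._-]/_/g'
}

# Cheap format check before keytool runs: PEM starts with "-----BEGIN",
# DER with the ASN.1 SEQUENCE tag 0x30. Anything else is not a certificate.
cert_format() {
  case "$(head -c 5 "$1")" in
    -----) echo pem ;;
    *)
      if [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = 30 ]; then
        echo der
      else
        echo unknown
      fi ;;
  esac
}

# import_dir DIR [KEYSTORE] [STOREPASS]: import every *.crt and *.pem in DIR,
# print the number imported, return 1 if a file is not a certificate or
# keytool rejects it (keytool's own messages go to stderr).
import_dir() {
  dir="$1"
  store="${2:-$(default_cacerts)}"
  pass="${3:-changeit}"
  n=0
  for f in "$dir"/*.crt "$dir"/*.pem; do
    [ -e "$f" ] || continue            # an unmatched glob stays literal
    fmt=$(cert_format "$f")
    if [ "$fmt" = unknown ]; then
      echo "refusing $f: neither PEM nor DER" >&2
      return 1
    fi
    "$KEYTOOL" -importcert -noprompt -trustcacerts \
      -alias "$(alias_for "$f")" -file "$f" \
      -keystore "$store" -storepass "$pass" >&2
    n=$((n + 1))
  done
  echo "$n"
}

# Run directly as:  CERT_DIR=/files ./getcerts.sh   (default store, changeit)
if [ -n "${CERT_DIR:-}" ]; then
  import_dir "$CERT_DIR"
fi
```

In a Dockerfile this is `COPY getcerts.sh /getcerts.sh` followed by `RUN CERT_DIR=/files sh /getcerts.sh`; because the script exits non-zero on the first unreadable file or keytool error, a broken certificate fails the build instead of silently producing an image that cannot reach the registry.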
1

You can create a keystore, but it is recommended to use the default KeyStore. Default keystore path: <c:\JavaCAPS>\appserver\domains\<MyDomain>\config\keystore.jks

But if you need to, you can create a keystore.

Generate a Java keystore and key pair

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

Import a root or intermediate CA certificate to an existing Java keystore

keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

Import a signed primary certificate to an existing Java keystore

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

Saving a Symmetric Key Programmatically

import java.security.KeyStore;

// ks is an already-loaded KeyStore, secretKey a javax.crypto.SecretKey, pwdArray the char[] protecting this entry
KeyStore.SecretKeyEntry secret = new KeyStore.SecretKeyEntry(secretKey);
KeyStore.ProtectionParameter password = new KeyStore.PasswordProtection(pwdArray);
ks.setEntry("db-encryption-secret", secret, password);

The first parameter is the key alias, the second is the certificate key and the third is the password.

Read more: https://docs.oracle.com/cd/E19509-01/820-3503/ggfen/index.html and https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Vimukthi • 846 • 6 • 19
1

I understand, that you want to automate the import of multiple certificates. You can do so by looping over the files with bash.

As described here, you can search for files via find and then process the result.

How to loop through file names returned by find?

To do so you could put your keytool command in its own bash script and send the result of the find command to your script, with something like

find . -name '*.crt' -print0 | xargs -0 myImportScript.sh

Once you have that, you can make the import script available, e.g. via a symlink, and let Docker RUN the command above.

Guardian667 • 417 • 4 • 16
0

Download the certificate:

echo | openssl s_client -servername NAME -connect www.google.com:443 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > gcert.crt

Copy to Docker:

docker cp SRC_PATH CONTAINER:DEST_PATH

Import to Java keystore:

keytool -import -alias www.google.com -file CERT_FILE_PATH -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -trustcacerts

For complete steps, refer to: http://muralitechblog.com/import-ssl-certificate-into-java-keystore/

Muralidharan.rade • 2,226 • 1 • 24 • 34
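The sed in the answer above keeps only the first certificate s_client prints, which is the server's short-lived leaf; trusting that means the trust store breaks at the next rotation. As an added example (not code from this answer or from the linked blog), the script below uses `-showcerts`, splits the whole chain into one PEM file per certificate, and imports the intermediates and root (falling back to the leaf only when the server sends a single self-signed certificate). The `split_chain` / `import_chain` names, the `HOST-chain-N` alias scheme and the optional KEYTOOL override are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the answer above): split the chain that
# "openssl s_client -showcerts" prints into one PEM file per certificate and
# import the issuing certificates rather than the short-lived leaf, so the
# trust store does not break at the next certificate rotation. Assumes
# openssl and keytool are on PATH (override keytool with KEYTOOL=...).
set -eu

# split_chain OUTDIR: read s_client output on stdin, write each BEGIN/END
# CERTIFICATE block to OUTDIR/cert-N.pem (N starting at 1, leaf first, as
# the server sent them) and print how many were written.
split_chain() {
  mkdir -p "$1"
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }'
}

# import_chain HOST PORT KEYSTORE [STOREPASS]: fetch the chain, then import
# cert-2..cert-N (intermediates and root); with a single self-signed
# certificate import that one. Prints the number of certificates imported.
import_chain() {
  host="$1"; port="$2"; store="$3"; pass="${4:-changeit}"
  dir=$(mktemp -d)
  n=$(echo | openssl s_client -servername "$host" -connect "$host:$port" \
        -showcerts 2>/dev/null | split_chain "$dir")
  [ "$n" -gt 0 ] || { echo "no certificates received from $host:$port" >&2; return 1; }
  if [ "$n" -eq 1 ]; then i=1; else i=2; fi
  count=0
  while [ "$i" -le "$n" ]; do
    "${KEYTOOL:-keytool}" -importcert -noprompt -trustcacerts \
      -alias "$host-chain-$i" -file "$dir/cert-$i.pem" \
      -keystore "$store" -storepass "$pass" >&2
    i=$((i + 1)); count=$((count + 1))
  done
  rm -rf "$dir"
  echo "$count"
}

# Usage inside a container, e.g.:
#   import_chain artifactory.example.com 443 "$JAVA_HOME/lib/security/cacerts"
```

Before importing, it is worth inspecting what was split out (`openssl x509 -in cert-2.pem -noout -subject -issuer -dates`) and confirming the last block really is the CA you expect, since a TLS-intercepting proxy on the build host would hand you its own chain.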