We recently hit the need to install an internal CA on a number of services and I think there are two things which could be improved:
- Use the more common terms “custom certificate authority” and/or “custom CA” in addition to “self-signed” in the documentation to make it easier to find: SonarScanner
- Have a complete example — the Java keytool chain is not well documented and even most Java developers are not especially familiar with it.
I ended up with a minimal Dockerfile but it took a few tries, especially because my first try involved exporting a work cacerts file, which led to the immediate discovery that the format isn’t portable across JVMs implementing the same version, much less major versions:
```dockerfile
FROM sonarsource/sonar-scanner-cli
# Plain-HTTP fetch: the trust anchor is unauthenticated, so COPY it in or check its fingerprint before importing.
RUN curl -fsLo /etc/ssl/certs/EXAMPLE-ROOT-CA-1.crt http://ca.example.org/EXAMPLE-ROOT-CA-1.crt
# Import into the image's own JDK cacerts (-cacerts needs Java 9+) rather than copying a cacerts file from another JVM.
RUN keytool -import -noprompt -alias EXAMPLE-ROOT-CA-1 -file /etc/ssl/certs/EXAMPLE-ROOT-CA-1.crt -storepass changeit -cacerts
```
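As an added example (editor's code, not from the original post and not SonarSource's), here is a variant of the same Dockerfile that treats the root CA as what it is, a trust anchor: the certificate is copied from the build context instead of fetched over plain HTTP, its SHA-256 fingerprint is compared against a value passed at build time, and the import is checked with `keytool -list` before the image is considered built. The file name, alias and the `CA_SHA256_FINGERPRINT` build argument are assumptions for illustration; the fingerprint is computed with `keytool -printcert` so the check does not depend on an `openssl` binary being present in the image.

```dockerfile
# Added example, not from the original post: the same image with the CA checked
# into the build context and verified before it becomes a trust anchor.
FROM sonarsource/sonar-scanner-cli

# Assumed names: EXAMPLE-ROOT-CA-1.crt is a PEM file in the build context, and
# the SHA-256 fingerprint is supplied at build time (--build-arg) from the CA
# operator's published value, colon-separated as keytool prints it.
ARG CA_FILE=EXAMPLE-ROOT-CA-1.crt
ARG CA_ALIAS=EXAMPLE-ROOT-CA-1
ARG CA_SHA256_FINGERPRINT

COPY ${CA_FILE} /tmp/${CA_FILE}

# Fingerprint check via keytool -printcert (no openssl needed). A mismatch, or an
# unset CA_SHA256_FINGERPRINT, fails the build instead of silently trusting the file.
RUN actual="$(keytool -printcert -file "/tmp/${CA_FILE}" | sed -n 's/^[[:space:]]*SHA256: *//p' | tr 'a-f' 'A-F')" \
 && echo "CA fingerprint: ${actual}" \
 && [ -n "${CA_SHA256_FINGERPRINT}" ] \
 && [ "${actual}" = "$(printf '%s' "${CA_SHA256_FINGERPRINT}" | tr 'a-f' 'A-F')" ] \
 || { echo "CA fingerprint mismatch or CA_SHA256_FINGERPRINT not set" >&2; exit 1; }

# Import into the JDK's own cacerts (-cacerts: Java 9+) so the truststore is
# written by the JVM that will read it, then prove the alias exists (keytool -list
# exits non-zero for an unknown alias). Assumes the build step may write the JDK
# cacerts; if the base image switches to a non-root user, wrap these steps in
# USER root / USER <original user>.
RUN keytool -importcert -noprompt -cacerts -storepass changeit \
      -alias "${CA_ALIAS}" -file "/tmp/${CA_FILE}" \
 && keytool -list -cacerts -storepass changeit -alias "${CA_ALIAS}" \
 && rm -f "/tmp/${CA_FILE}"
```

Build it with `docker build --build-arg CA_SHA256_FINGERPRINT=AB:CD:...:EF -t sonar-scanner-internal .` (the fingerprint is whatever the CA operator publishes for EXAMPLE-ROOT-CA-1). Because the import runs against the image's own JDK, the cacerts portability problem described above never arises: nothing from another JVM is copied into the image, only the PEM certificate.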