Configure TLS certificates for applications in containers
Application administrators can set up trust for well-known certificate authorities, provide custom PEM certificates that the container converts for the application, or provide a ready-made keystore.
Trusting known certificate authorities automatically
To trust certificates that are issued by well-known certificate authorities, set the SEC_TLS_TRUSTDEFAULTCERTS environment variable to true. When it is true, the default certificates that ship with the JVM are used in addition to the configured truststore file to establish trust. This widens trust from the explicitly configured truststore to every public CA in the JVM's default store, so leave the variable unset when the application should only talk to endpoints whose CA you mount yourself.
Providing custom certificates
We can provide custom PEM certificates by mounting the files into the container. The following files are imported: tls.key (the private key), tls.crt (the certificate that matches the key), and ca.crt (the certificate authority certificates to trust). tls.key and tls.crt are the same key names that a Kubernetes Secret of type kubernetes.io/tls uses, so such a Secret can be mounted directly; add ca.crt to it when the application must trust a private CA.
Specify the location with the TLS_DIR environment variable. The default location for the certificates is /etc/x509/certs/.
The container automatically converts the PEM files and creates a keystore file (key.p12, from tls.key and tls.crt) and a truststore file (trust.p12, from ca.crt). Because the mount contains the private key, mount it read-only and keep it out of the image itself.
The container can also import certificates from Kubernetes. To do so, set the SEC_IMPORT_K8S_CERTS environment variable to true and ensure that the /var/run/secrets/kubernetes.io/serviceaccount folder is mounted into the container (Kubernetes mounts it automatically unless automountServiceAccountToken is set to false on the pod or service account). The .crt files in that folder, which include the cluster CA certificate ca.crt, are imported into the truststore file. The default value for the SEC_IMPORT_K8S_CERTS environment variable is false.
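The following preflight check is an added example written for this page; it is not code from the container image or from the project it documents. It builds a Kubernetes Secret and Deployment that follow the layout above (tls.key, tls.crt and ca.crt mounted read-only at TLS_DIR, with SEC_IMPORT_K8S_CERTS and SEC_TLS_TRUSTDEFAULTCERTS as optional environment variables) and then verifies, before anything is applied to a cluster, that the secret carries the expected files in PEM form, that the mount path matches TLS_DIR, and that the service account folder will still be mounted when Kubernetes certificate import is enabled. The PEM bodies are constructed placeholders, not real keys; the names make_secret, make_deployment and check are assumptions of this example.

```python
"""Preflight check for the PEM mount layout used by the container.

Added example (not the container's own code). The sample PEM bodies below are
constructed placeholders: the check only looks at PEM structure, and the
base64 text is not a real key or certificate.
"""
import base64
import re

DEFAULT_TLS_DIR = "/etc/x509/certs/"
REQUIRED_FILES = ("tls.key", "tls.crt")          # ca.crt is optional
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
# One PEM block: BEGIN label, body, END with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)

# Constructed placeholders, not real cryptographic material.
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_CA = SAMPLE_CRT


def pem_types(text):
    """Return the BEGIN labels of every PEM block in text, in order."""
    return PEM_BLOCK.findall(text)


def make_secret(name, key_pem, cert_pem, ca_pem=None):
    """Build a kubernetes.io/tls Secret with the file names the container imports."""
    data = {"tls.key": key_pem, "tls.crt": cert_pem}
    if ca_pem is not None:
        data["ca.crt"] = ca_pem
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/tls",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


def make_deployment(name, image, secret_name, tls_dir=DEFAULT_TLS_DIR,
                    import_k8s_certs=False, trust_default_certs=False):
    """Build a Deployment that mounts the Secret read-only at TLS_DIR."""
    env = [{"name": "TLS_DIR", "value": tls_dir}]
    if import_k8s_certs:
        env.append({"name": "SEC_IMPORT_K8S_CERTS", "value": "true"})
    if trust_default_certs:
        env.append({"name": "SEC_TLS_TRUSTDEFAULTCERTS", "value": "true"})
    pod = {
        "containers": [{
            "name": name,
            "image": image,
            "env": env,
            # readOnly: the mount holds the private key.
            "volumeMounts": [{"name": "tls", "mountPath": tls_dir, "readOnly": True}],
        }],
        "volumes": [{"name": "tls", "secret": {"secretName": secret_name}}],
    }
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": name},
        "spec": {
            "selector": {"matchLabels": {"app": name}},
            "template": {"metadata": {"labels": {"app": name}}, "spec": pod},
        },
    }


def check(secret, deployment):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    data = secret.get("data", {})
    for name in REQUIRED_FILES:
        if name not in data:
            problems.append("secret lacks %s" % name)
    pem = {k: base64.b64decode(v).decode() for k, v in data.items()}
    # tls.key must be a PEM private key (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY).
    if "tls.key" in pem and not any(t.endswith("PRIVATE KEY") for t in pem_types(pem["tls.key"])):
        problems.append("tls.key is not a PEM private key")
    # tls.crt and ca.crt must contain only CERTIFICATE blocks.
    for name in ("tls.crt", "ca.crt"):
        if name in pem:
            types = pem_types(pem[name])
            if not types or any(t != "CERTIFICATE" for t in types):
                problems.append("%s is not a PEM certificate chain" % name)

    pod = deployment["spec"]["template"]["spec"]
    container = pod["containers"][0]
    env = {e["name"]: e.get("value", "") for e in container.get("env", [])}
    tls_dir = env.get("TLS_DIR", DEFAULT_TLS_DIR).rstrip("/")
    secret_volumes = {v["name"] for v in pod.get("volumes", [])
                      if v.get("secret", {}).get("secretName") == secret["metadata"]["name"]}
    mounts = [m for m in container.get("volumeMounts", [])
              if m["name"] in secret_volumes and m["mountPath"].rstrip("/") == tls_dir]
    if not mounts:
        problems.append("secret %s is not mounted at TLS_DIR %s" % (secret["metadata"]["name"], tls_dir))
    elif not mounts[0].get("readOnly"):
        problems.append("TLS_DIR mount should be readOnly: it holds the private key")
    # Kubernetes import reads .crt files from the service account folder.
    if env.get("SEC_IMPORT_K8S_CERTS") == "true" and pod.get("automountServiceAccountToken") is False:
        problems.append("SEC_IMPORT_K8S_CERTS=true but %s will not be mounted" % SA_DIR)
    return problems


if __name__ == "__main__":
    s = make_secret("app-tls", SAMPLE_KEY, SAMPLE_CRT, SAMPLE_CA)
    d = make_deployment("app", "example/app:1.0", "app-tls", import_k8s_certs=True)
    print(check(s, d) or "ok")
```

Run it on the manifests you are about to apply (load them with any YAML parser into the same dict shape) and fix every reported problem before deploying; a swapped tls.key/tls.crt pair or a mount at a path other than TLS_DIR is otherwise only discovered when the container fails to build key.p12.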
Providing a custom keystore
A custom keystore can be provided during the build phase of the application image by copying the keystore into the image at /output/resources/security/key.p12.
You must then override the keystore password by including your own copy of the keystore.xml file, a server configuration fragment that sets the password for the keystore, in the /config/configDropins/defaults/ directory; without it, the password that the image generates for its own keystore does not open yours. Note that both the keystore and its password then live in the image layers, so restrict who can pull the image and prefer the runtime PEM mount above when the key must not be baked in.