Truststore Customization

The default truststore is configured in a script that is executed in the Dockerfile. There are a few different ways the script can be customized.

Using the regenerate-test-pki task, you can create a test authorized_certs.zip to use for the truststore.

To use the regenerate-test-pki task:

  • Create csr.conf:

    [req]
    default_bits = 2048
    default_keyfile = key.pem
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    x509_extensions = v3_ext
    [req_distinguished_name]
    countryName = Country Name (2 letter code)
    countryName_default = US
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Colorado
    localityName = Locality Name (eg, city)
    localityName_default = Colorado Springs
    organizationName = Organization Name (eg, company)
    organizationName_default = Defense Unicorns
    commonName = Common Name (e.g. server FQDN or YOUR name)
    commonName_default = uds.dev
    [req_ext]
    subjectAltName = @alt_names
    [v3_ext]
    subjectAltName = @alt_names
    [alt_names]
    DNS.0 = *.uds.dev

  • Run the task:

    # Generates new authorized_certs.zip
    uds run regenerate-test-pki

Update CA_ZIP_URL in the Dockerfile to refer to the generated authorized_certs.zip:

ARG CA_ZIP_URL=authorized_certs.zip

Build the config image:

# build image
uds run dev-build

Configure Istio Gateways CACERT in UDS Core

To ensure client certs are requested when deploying UDS Core, you will need to override the tls.cacert value for the gateway(s) where you expect client certs to be provided. A values file can be generated from your local image build using the dev-cacert task:

uds run dev-cacert

This task can also be modified locally to point to a different image if you have published a custom build somewhere else. The output of this task will be a values file locally, tls_cacert.yaml, that can be used in your bundle or copied out as needed.

Deploy UDS Core with new uds-identity-config

See Testing custom image in UDS Core

# Verify the "Acceptable client certificate CA names"
openssl s_client -connect sso.uds.dev:443
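An added check for that last step, not part of the uds-identity-config docs: it parses the transcript that openssl s_client prints and reports whether the gateway now requests client certificates from the CA you placed in the truststore. The sample transcripts, the helper names and the expected CA subject are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the uds-identity-config docs): parse the transcript
# of `openssl s_client -connect sso.uds.dev:443` and confirm the gateway now
# asks for client certs signed by the CA you placed in the truststore.

# Print the subject names listed under "Acceptable client certificate CA names",
# one per line, from an s_client transcript read on stdin.
acceptable_ca_names() {
  awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    in_list && /^(Client Certificate Types|Requested Signature Algorithms|Shared Requested Signature Algorithms|Peer signing digest|---)/ { in_list = 0 }
    in_list { print }
  '
}

# Prints one of: offered, not-requested, not-offered. Always exits 0 so it is
# safe to call under `set -e`; compare the printed word instead.
#   $1 = full s_client transcript, $2 = expected CA subject exactly as
#   s_client prints it (e.g. "C = US, ST = Colorado, ..., CN = uds.dev")
check_ca_offered() {
  transcript=$1
  expected=$2
  if printf '%s\n' "$transcript" | grep -q '^No client certificate CA names sent'; then
    echo not-requested   # tls.cacert not overridden for this gateway (no CA list sent)
  elif printf '%s\n' "$transcript" | acceptable_ca_names | grep -qxF -- "$expected"; then
    echo offered         # clients can authenticate with certs issued by this CA
  else
    echo not-offered     # server requests client certs, but from a different CA
  fi
}

# Constructed transcripts standing in for real s_client output.
SAMPLE_WITH_CA='---
Acceptable client certificate CA names
C = US, ST = Colorado, L = Colorado Springs, O = Defense Unicorns, CN = uds.dev
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
---'
SAMPLE_NO_CA='---
No client certificate CA names sent
Peer signing digest: SHA256
---'
EXPECTED_CA='C = US, ST = Colorado, L = Colorado Springs, O = Defense Unicorns, CN = uds.dev'

# Live use: openssl s_client -connect sso.uds.dev:443 </dev/null 2>/dev/null >transcript.txt
# then:     check_ca_offered "$(cat transcript.txt)" "$EXPECTED_CA"
check_ca_offered "$SAMPLE_WITH_CA" "$EXPECTED_CA"   # offered
check_ca_offered "$SAMPLE_NO_CA" "$EXPECTED_CA"     # not-requested
```

A result of not-requested after deploying means the tls.cacert override did not reach that gateway; not-offered means a CA list was sent but your truststore CA is not in it.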