# Truststore Customization

## Customizing Truststore
The default truststore is built by a script that is executed in the Dockerfile. There are a few different ways the script can be customized:
- Change where the DoD CA zip file is pulled from. It defaults to the DoD UNCLASS certs but can be updated to point at a local file or another source.
- Change the regex exclusion filter used by the ca-to-jks script to exclude certain certs from being added to the final truststore.
- Change the truststore password.
## Build test authorized_certs.zip

Using the `regenerate-test-pki` task, you can create a test `authorized_certs.zip` to use for the truststore.

To use the `regenerate-test-pki` task:

- Create `csr.conf`:

  ```
  [req]
  default_bits = 2048
  default_keyfile = key.pem
  distinguished_name = req_distinguished_name
  req_extensions = req_ext
  x509_extensions = v3_ext

  [req_distinguished_name]
  countryName = Country Name (2 letter code)
  countryName_default = US
  stateOrProvinceName = State or Province Name (full name)
  stateOrProvinceName_default = Colorado
  localityName = Locality Name (eg, city)
  localityName_default = Colorado Springs
  organizationName = Organization Name (eg, company)
  organizationName_default = Defense Unicorns
  commonName = Common Name (e.g. server FQDN or YOUR name)
  commonName_default = uds.dev

  [req_ext]
  subjectAltName = @alt_names

  [v3_ext]
  subjectAltName = @alt_names

  [alt_names]
  DNS.0 = *.uds.dev
  ```

- Run the task:

  ```shell
  # Generates new authorized_certs.zip
  uds run regenerate-test-pki
  ```
## Update Dockerfile and build image

Update `CA_ZIP_URL` in the Dockerfile to refer to the generated `authorized_certs.zip`:

```dockerfile
ARG CA_ZIP_URL=authorized_certs.zip
```

Build the config image:

```shell
# build image
uds run dev-build
```
## Configure Istio Gateways CACERT in UDS Core

```shell
# In `uds-core` create cacert from the new identity-config image
uds run -f src/keycloak/tasks.yaml cacert --set IMAGE_NAME=<identity config image> --set VERSION=<identity config image version>

# Update tenant and admin gateway with generated cacerts
uds run -f src/keycloak/tasks.yaml dev-cacert
```
## Deploy UDS Core with new uds-identity-config

See Testing custom image in UDS Core.
## Verify Istio Gateway configuration

```shell
# Verify the "Acceptable client certificate CA names"
openssl s_client -connect sso.uds.dev:443
```
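Reading the `openssl s_client` output by eye works once, but when you rebuild the truststore repeatedly (new CA source, a changed exclusion regex) it helps to check the advertised list mechanically. The following is an added example, not code from the uds-identity-config project: it parses the `Acceptable client certificate CA names` section that `openssl s_client` prints, confirms the CAs you expect are advertised by the gateway, and flags any DN that still matches the exclusion regex you gave the ca-to-jks script (meaning the filter did not take effect in the image that was deployed). The sample output, the DN values in it and the exclusion pattern `DOD ID CA` are constructed for illustration; the parser assumes OpenSSL's usual layout where the list ends at the first non-DN line (such as `Client Certificate Types:`) and that a gateway not requesting a client cert prints `No client certificate CA names sent`.

```python
"""Check the CA names an Istio gateway advertises for client-certificate auth.

Added example (not part of the uds-identity-config project). Feed it the text
captured from `openssl s_client -connect sso.uds.dev:443` and compare the
advertised CA list against what the rebuilt truststore should contain.
"""
import re
from typing import Optional

SECTION_HEADER = "Acceptable client certificate CA names"
NO_CA_NAMES = "No client certificate CA names sent"

# Matches an OpenSSL-style DN line such as "C = US, O = Example, CN = Root".
DN_LINE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.]*\s*=\s*")

# Constructed sample of s_client output (trimmed); not captured from a real deployment.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.uds.dev
   i:CN = uds.dev
---
Acceptable client certificate CA names
C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD ID CA-59
C = US, ST = Colorado, L = Colorado Springs, O = Defense Unicorns, CN = uds.dev
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 4321 bytes and written 456 bytes
"""

# Constructed sample for a gateway that never requests a client certificate.
SAMPLE_NO_MTLS = "CONNECTED(00000003)\n---\n" + NO_CA_NAMES + "\n---\n"


def parse_acceptable_ca_names(output: str) -> list:
    """Return the DN lines listed under the 'Acceptable client certificate CA names' header.

    Returns an empty list when the header is absent, e.g. when the gateway did not
    request a client certificate at all.
    """
    names = []
    in_section = False
    for line in output.splitlines():
        if line.strip() == SECTION_HEADER:
            in_section = True
            continue
        if not in_section:
            continue
        # The list ends at the first line that is not a DN ("Client Certificate Types: ...").
        if DN_LINE.match(line):
            names.append(line.strip())
        else:
            break
    return names


def extract_cn(dn: str) -> Optional[str]:
    """Pull the CN attribute out of an OpenSSL-formatted DN, or None if it has none."""
    m = re.search(r"(?:^|,\s*)CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else None


def check_gateway_cas(output: str, required_cns: list, exclusion_regex: str) -> dict:
    """Compare the advertised CA names against what the truststore should contain.

    required_cns:    CNs that must be advertised (e.g. the test CA you just built).
    exclusion_regex: the pattern handed to the ca-to-jks exclusion filter; any advertised
                     DN matching it means the deployed truststore still contains that CA.
    """
    names = parse_acceptable_ca_names(output)
    cns = {extract_cn(n) for n in names}
    return {
        "client_cert_requested": SECTION_HEADER in output,
        "advertised": len(names),
        "missing": [cn for cn in required_cns if cn not in cns],
        "should_be_excluded": [n for n in names if re.search(exclusion_regex, n)],
    }


if __name__ == "__main__":
    # Run against the constructed sample; for a real check, paste in the s_client output.
    print(check_gateway_cas(SAMPLE_OUTPUT, ["uds.dev", "DoD Root CA 3"], r"DOD ID CA"))
```

A non-empty `should_be_excluded` list after a rebuild usually means the gateway is still serving the previous cacert, so re-run the `cacert` and `dev-cacert` tasks above and check again; `client_cert_requested: False` means the gateway is not asking for a client certificate at all, which is a gateway configuration problem rather than a truststore one.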