Re: Making your landscape trust a certain certificate authority


Daniel Mikusa

A couple options...

1.) If you only need the cert for one or a couple apps and / or you don't
want to manage a fork, you can package the CA cert with the application.
Then add a `.profile.d` script [1] that sets up the certificate that you
packaged with the app. I don't have an example off-hand, but the
.profile.d script could call keytool and import your ca cert or just move a
keystore containing your ca cert from the app files and overwrite the JVM
default.

2.) Write your application so that it can utilize its own truststore.
It's a little more work, but most things that use a truststore in the JVM
allow you to customize the behavior by specifying your own truststore. If the
app were to do this, it could then expose a configuration option through
which its users could set their own truststore. Then users wouldn't need
to depend on what certs are installed by default.

Dan


[1] - https://devcenter.heroku.com/articles/profiled (CF honors them too)
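A worked version of option 1 above, added here as an illustration and not code from the original thread or from the buildpack project: a `.profile.d` script that imports a CA cert packaged with the app into the JVM's default truststore via keytool. The file name, the `$HOME/certs/internal-ca.pem` location, the alias, and the assumption that `JAVA_HOME` points at the buildpack's JRE are all constructed for the example; `changeit` is the stock JDK truststore password.

```shell
# .profile.d/10-trust-internal-ca.sh  (hypothetical file name)
# .profile.d scripts are sourced into the app's start shell, so: no `exit`,
# no `set -e`; functions return codes and the script never aborts startup.

# Constructed example locations; adjust to where the cert is packaged in the app.
CA_CERT="${CA_CERT:-$HOME/certs/internal-ca.pem}"
CA_ALIAS="${CA_ALIAS:-internal-ca}"

# Sanity check: the file must carry at least one PEM certificate block.
pem_has_cert() {
  [ -r "$1" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}

# Locate the JVM truststore under a JRE root (lib/security/cacerts on modern
# JREs, jre/lib/security/cacerts on a JDK layout). Prints the path, returns 1 if absent.
find_truststore() {
  for f in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
    if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
  done
  return 1
}

# Import a CA cert into a truststore once; idempotent across restarts.
# Usage: import_ca_cert TRUSTSTORE CERT ALIAS [STOREPASS]
import_ca_cert() {
  ts="$1"; cert="$2"; alias="$3"; pass="${4:-changeit}"   # changeit = JDK default
  pem_has_cert "$cert" || { echo "trust-ca: $cert is not a PEM certificate" >&2; return 1; }
  [ -w "$ts" ] || { echo "trust-ca: truststore $ts missing or read-only" >&2; return 1; }
  command -v keytool >/dev/null || { echo "trust-ca: keytool not on PATH" >&2; return 1; }
  if keytool -list -keystore "$ts" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
    echo "trust-ca: alias $alias already present, skipping"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -keystore "$ts" -storepass "$pass" \
          -alias "$alias" -file "$cert"
}

# Only act when a JRE is visible; a failed import is logged, not fatal.
if [ -n "${JAVA_HOME:-}" ] && ts="$(find_truststore "$JAVA_HOME")"; then
  import_ca_cert "$ts" "$CA_CERT" "$CA_ALIAS" || echo "trust-ca: import failed; continuing" >&2
fi
```

Because the script runs on every start of every instance, the alias check keeps it from growing the keystore with duplicate entries; anything written to stderr here ends up in the app's staging/runtime logs, which is where to look when TLS to the internal CA still fails.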

On Tue, Sep 29, 2015 at 4:50 PM, Mathias Essenpreis <esse(a)gmx.de> wrote:

Hi,
we want to make the apps on our landscape trust a certain ca certificate
of a ca we run internally. I came across the instructions on how to do this
for the JRE buildpack:
https://github.com/cloudfoundry/java-buildpack/blob/master/docs/jre-open_jdk_jre.md#custom-ca-certificates

I understand doing this once in the JRE buildpack will directly make all
the java apps that of course need to make use of the JRE buildpack trust
our internal ca. Is that correct or do I need to change other buildpacks as
well?

However this implies performing a fork of the JRE buildpack. A fork means
that we always need to synchronize manually with the newer versions of the
build pack.

How do you approach this problem in your organization? I suppose you also
have internal certificate authorities that need to be trusted, right?

Also I am asking myself whether there is a way to enhance the default
buildpack allowing an application (instead of the buildpack) to bring their
own, additional certificates?

thx
Mathias
