This document describes the process of installing a certificate inside a Docker container’s trusted root certificate store.

  1. The first step is to load the .crt file into the container’s file system. Keep in mind that the .crt file is the public part of an SSL certificate. You should never store sensitive information, such as secrets and passwords, in a container or in a source control repository.
  2. Add the .crt file in the same folder as your Dockerfile.
  3. Make sure the .crt file is included in your build’s output directory (e.g., the ‘bin’ folder). In Visual Studio, you can do this by right-clicking the file and enabling the “Copy to Output Directory” property.
  4. Add these lines to the bottom of your Dockerfile but before the ENTRYPOINT.
    1. COPY my-cert.crt /usr/local/share/ca-certificates/my-cert.crt
    2. RUN chmod 644 /usr/local/share/ca-certificates/my-cert.crt && update-ca-certificates
  5. The COPY statement adds the certificate to the container’s trusted root certificate store, which is located in /usr/local/share/ca-certificates. If the certificate is not copied or if you get a “file not found” error, make sure the source path is relative to your application’s build context. The target path should start with a slash, because a target path without one is resolved relative to the WORKDIR.
  6. The RUN statement sets the file’s permissions to 644 (read and write for the owner, read-only for everyone else) and updates the trusted certificates.
  7. Confirm the certificate was successfully installed by inspecting the /etc/ssl/certs folder inside the container. Your certificate should appear here with a .pem extension.

And that’s it! That’s all you should need to install a trusted certificate. You can test if the certificate was configured correctly by curling the target server:

curl --verbose https://<host>:<port>

If the connection is successful and verified by the root certificate, you should see an “SSL certificate verify ok” message in the verbose output.
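
The checks implied by the steps above can be scripted. This is an added example, not part of the original post: it assumes a Debian/Ubuntu-based image (where update-ca-certificates only picks up PEM files ending in .crt) and the file name my-cert.crt used above. The function names and the optional ROOT argument are hypothetical.

```shell
#!/bin/sh
# Added example: pre-build and post-install checks for the certificate steps.

# check_cert_file FILE
# Run before "docker build". Returns 0 if FILE is fit to COPY into the image,
# otherwise prints a reason to stderr and returns a distinct non-zero code.
check_cert_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # update-ca-certificates ignores files that do not end in .crt
    case "$f" in
        *.crt) ;;
        *) echo "not a .crt file: $f" >&2; return 2 ;;
    esac
    # The file must be PEM text; a binary DER certificate is silently skipped
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "no PEM certificate in $f" >&2; return 3; }
    # Only the public part belongs in the image: reject a bundled private key
    if grep -q -e 'PRIVATE KEY-----' "$f"; then
        echo "private key found in $f" >&2
        return 4
    fi
    return 0
}

# check_installed NAME [ROOT]
# Run inside the container (ROOT empty) after update-ca-certificates.
# Returns 0 if NAME.pem exists in ROOT/etc/ssl/certs and is not empty.
# -s follows symlinks, so a dangling link also counts as a failure.
check_installed() {
    name=$1
    root=${2:-}
    pem="$root/etc/ssl/certs/$name.pem"
    [ -s "$pem" ] || { echo "not installed: $pem" >&2; return 1; }
    return 0
}
```

For example, run check_cert_file my-cert.crt in the build context before building, and check_installed my-cert in a shell inside the running container.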
