11. Adding Trusted CA in containers - SMART2016/containerization GitHub Wiki

How to Ensure Trusted CA Certificates are Already in Your Container

Yes. You can bake trusted CA certificates into the image at build time. That way, TLS connections made from inside the container to hosts whose certificates chain to that CA (a public endpoint with a Let's Encrypt certificate, or an internal registry or API fronted by an enterprise CA) verify without any setup at run time. Note the scope: the system CA store is consulted for TLS. Container image signatures made with Sigstore (cosign) are checked against Sigstore's own trust root, not the system TLS store, so adding Fulcio's CA here is neither needed nor sufficient for that.


1️⃣ How CA Certificates Work in a Container

Most Linux-based container images ship a default set of trusted CA certificates (the Mozilla bundle), typically located in:

  • Alpine Linux: /etc/ssl/certs/ca-certificates.crt (the bundle, provided by the ca-certificates-bundle package)
  • Debian/Ubuntu: /etc/ssl/certs/ (one file per CA, plus the concatenated bundle /etc/ssl/certs/ca-certificates.crt)
  • Red Hat/CentOS: /etc/pki/ca-trust/extracted/pem/ (tls-ca-bundle.pem, also reachable as /etc/pki/tls/certs/ca-bundle.crt)

If the CA that issued the certificates your workload has to validate (a public CA such as Let's Encrypt, for example) is already in that default set, the container already trusts it and nothing further is needed.

🚀 If your CA is NOT included by default, which is the normal case for an enterprise or private CA, you need to add it yourself.


2️⃣ Checking If a CA is Already Trusted

Before adding a CA, check whether the container already trusts it.

Inside the Container, Run:

openssl s_client -connect fulcio.sigstore.dev:443 -showcerts </dev/null

This only proves that the container trusts the public CA that issued fulcio.sigstore.dev's TLS certificate, not your own CA. For a private CA, point s_client at a host that serves a certificate issued by that CA and read the "Verify return code:" line near the end of the output: 0 (ok) means the chain was built from the trust store; any other code means it was not. Add -verify_return_error if you want a non-zero exit status instead of reading the output.

To inspect the trust store directly, list the CA names. The bundle is base64, so a plain grep of the file for a name finds nothing unless the file happens to carry comment lines. On Debian/Ubuntu the per-CA files in /etc/ssl/certs/ are named after the CA, and on any distro the bundle can be decoded with openssl:

ls /etc/ssl/certs/ | grep -i "<ca name>"

or

openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout | grep -i "<ca name>"

If your CA is found, the container already trusts it and you don't need to add it.
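The check in this section, worked through as an added example (not code from the wiki): it decodes a PEM bundle with openssl to list the CAs it contains, shows that a plain text grep of the same file finds nothing, and then repeats the check after the CA has been appended, which is what update-ca-certificates does in effect. It assumes the openssl CLI is installed; the CA names "Unrelated Root CA" and "Example Corp Root CA" and all paths are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the wiki: decide whether a CA is already in a trust
# bundle by decoding the bundle, not by grepping its text. A PEM bundle is a
# series of base64 blobs, so a text grep for a CA's name matches only if the
# file happens to carry comment lines, which Debian's ca-certificates.crt does
# not. Assumes the openssl CLI is installed; the CA names and paths are
# constructed for this demo and are not on the page.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_ca NAME OUTBASE: constructed self-signed CA certificate (and key)
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Constructed sample: a "stock" bundle holding one unrelated CA, and the
# enterprise CA we want to know about.
new_ca "Unrelated Root CA"    "$WORK/unrelated-ca"
new_ca "Example Corp Root CA" "$WORK/my-trusted-ca"
cp "$WORK/unrelated-ca.crt" "$WORK/ca-certificates.crt"

# bundle_subjects BUNDLE: one "subject=..." line per certificate.
# crl2pkcs7 wraps every cert in the file into one PKCS#7 object and
# pkcs7 -print_certs lists each one's subject and issuer; nothing is validated.
bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
    | grep '^subject='
}

# bundle_cert_count BUNDLE: how many certificates the bundle holds.
bundle_cert_count() {
  bundle_subjects "$1" | wc -l | tr -d ' '
}

# bundle_has_ca BUNDLE NAME: succeed if some subject in BUNDLE contains NAME.
bundle_has_ca() {
  bundle_subjects "$1" | grep -q -- "$2"
}

# naive_grep_count BUNDLE NAME: what a plain grep of the file sees (0 for a
# name that only lives inside the base64-encoded DER).
naive_grep_count() {
  grep -c -- "$2" "$1" || true
}

# add_ca BUNDLE CAFILE: append the CA to the bundle. update-ca-certificates
# rebuilds the bundle from its source directories; the result is the same.
add_ca() {
  cat "$2" >> "$1"
}

# check BUNDLE NAME: human-readable verdict for one CA name.
check() {
  if bundle_has_ca "$1" "$2"; then
    echo "$2: already trusted"
  else
    echo "$2: missing"
  fi
}

check "$WORK/ca-certificates.crt" "Example Corp Root CA"    # missing
add_ca "$WORK/ca-certificates.crt" "$WORK/my-trusted-ca.crt"
check "$WORK/ca-certificates.crt" "Example Corp Root CA"    # already trusted
```

Run it against a real store by pointing bundle_has_ca at /etc/ssl/certs/ca-certificates.crt (Debian, Alpine) or /etc/pki/tls/certs/ca-bundle.crt (RHEL family) with the subject string of your CA.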


3️⃣ Manually Adding a Trusted CA to Your Container

If your CA is missing, add it during the image build. In every method the file must be the PEM-encoded CA certificate (-----BEGIN CERTIFICATE-----) and only the certificate, never its private key. Pin the base image tag instead of using :latest so the build is reproducible, and keep in mind that every CA you add can issue a certificate for any host name as far as this container is concerned, so add only CAs you operate or have verified.

🛠️ Method 1: Add a Custom CA in Alpine Linux

In Alpine-based images, install the ca-certificates package (the base image ships only the bundle, not the update-ca-certificates tool), copy your CA into /usr/local/share/ca-certificates/, and regenerate the bundle.

FROM alpine:3.20

# Install the ca-certificates package, which provides update-ca-certificates
RUN apk add --no-cache ca-certificates

# Copy the custom CA file into the local trust directory (keep the .crt extension)
COPY my-trusted-ca.crt /usr/local/share/ca-certificates/

# Regenerate /etc/ssl/certs/ca-certificates.crt so it includes the new CA
RUN update-ca-certificates

Now your container trusts your CA.


🛠️ Method 2: Add a Custom CA in Debian/Ubuntu

For Debian/Ubuntu-based containers, use the following approach. update-ca-certificates only picks up files in /usr/local/share/ca-certificates/ that end in .crt, so keep that extension.

FROM debian:bookworm-slim

# Install the ca-certificates package (Mozilla bundle plus update-ca-certificates)
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Copy the custom CA certificate; the .crt extension is required here
COPY my-trusted-ca.crt /usr/local/share/ca-certificates/my-ca.crt

# Regenerate /etc/ssl/certs/ca-certificates.crt and the symlinks in /etc/ssl/certs/
RUN update-ca-certificates

Your CA is now trusted inside the container.


🛠️ Method 3: Add a Custom CA in RedHat/CentOS

For RHEL-family containers. Note that centos:latest on Docker Hub is the end-of-life CentOS Linux 8 and no longer receives updates; use a maintained base such as rockylinux:9, almalinux:9, or registry.access.redhat.com/ubi9/ubi.

FROM rockylinux:9

# Install the ca-certificates package, which provides update-ca-trust
RUN dnf install -y ca-certificates && dnf clean all

# Copy the CA file into the anchors directory; any file name works here
COPY my-trusted-ca.crt /etc/pki/ca-trust/source/anchors/

# Regenerate the extracted bundles under /etc/pki/ca-trust/extracted/
RUN update-ca-trust

Your custom CA is now installed and trusted.


4️⃣ Keeping the Default CA Certificates Up to Date

update-ca-certificates and update-ca-trust only rebuild the bundle from the certificates already installed on the system; they download nothing, so running them does not bring in new root CAs. The default set comes from the distro's ca-certificates package, and the install steps in Methods 1 to 3 already fetch the newest version in the distro repository at build time. What keeps an image current is rebuilding it regularly; in a long-lived image, upgrade the package explicitly:

RUN apk upgrade --no-cache ca-certificates                              # Alpine
RUN apt-get update && apt-get install -y --only-upgrade ca-certificates  # Debian/Ubuntu
RUN dnf upgrade -y ca-certificates                                       # RHEL family

The package upgrade regenerates the default bundle on its own; your custom CA stays in place because it lives in the local source directory that the tools re-read. A line such as RUN update-ca-certificates || update-ca-trust merely runs whichever tool exists and refreshes nothing.


5️⃣ Verifying the CA is Installed

After building the image, check that a certificate issued by your CA actually validates against the container's trust store. Testing a public host, as below, only shows that the stock bundle works:

docker run --rm my-container:latest openssl s_client -connect fulcio.sigstore.dev:443 -showcerts </dev/null

Look for "Verify return code: 0 (ok)" near the end of the output; any other code means the chain did not end at a CA in the trust store. For your own CA, connect to a host that serves a certificate it issued, or verify such a certificate file directly against the regenerated bundle (server.crt stands for any certificate your CA issued; on the RHEL family the bundle is /etc/pki/tls/certs/ca-bundle.crt):

docker run --rm -v "$PWD/server.crt:/tmp/server.crt:ro" my-container:latest openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /tmp/server.crt

Both commands need the openssl CLI inside the image; if it is absent, run the check with a tool your application actually uses, such as curl. Also remember that some runtimes keep their own trust store and ignore the system bundle: Java reads its cacerts keystore, Python's requests uses the certifi bundle unless REQUESTS_CA_BUNDLE points elsewhere, and Node.js takes extra CAs from NODE_EXTRA_CA_CERTS.

If the verification succeeds, your CA is correctly installed. 🚀


6️⃣ Summary: How to Ensure Trusted CA Certs are in Your Container

Method                           Best For                          Command
Default CAs (pre-installed)      ✅ Your CA is already trusted      list the bundle with openssl crl2pkcs7 -nocrl -certfile <bundle> | openssl pkcs7 -print_certs -noout
Alpine-based containers          🟢 Small images                   apk add --no-cache ca-certificates && update-ca-certificates
Debian/Ubuntu-based containers   🟢 General use                    apt-get install -y ca-certificates && update-ca-certificates
RedHat/CentOS-based containers   🟡 Enterprise images              dnf install -y ca-certificates && update-ca-trust