Add instructions for self signed certicate #618
Conversation
|
Hi @velo , thanks for writing up this extensive documentation! We'll take a look at this soon :) |
What password? Not sure what you mean. |
|
Default password for Java keystore, that is "changeit". I think it should be in document. |
|
Mine was not password protected, which step was that? |
|
At the end of step one it can mentioned, that
|
|
To help with the confusion about the password protection of cacerts: Since version 5.2 KeyStore Explorer automatically tries to open cacerts with the default password ("changeit"). It only prompts for a password if this fails. |
There was a problem hiding this comment.
Thanks @velo for this contribution! I made a couple of suggestions.
docs/self_sign_cert.md
Outdated
| @@ -0,0 +1,51 @@ | |||
| # Accessing private docker registry with self signed certificate | |||
|
|
|||
| Currently, `jib` do not support docker registries with self signed `https` certificate. | |||
There was a problem hiding this comment.
do not -> does not
self signed certificate -> self-signed certificates
docs/self_sign_cert.md
Outdated
|
|
||
| ## Using KeyStore Explorer | ||
|
|
||
| The easiest way to import the self signed certificate into jvm is using the [KeyStore Explorer](http://keystore-explorer.org/). |
There was a problem hiding this comment.
the self signed -> a self-signed
jvm -> JVM
docs/self_sign_cert.md
Outdated
|
|
||
| Currently, `jib` do not support docker registries with self signed `https` certificate. | ||
|
|
||
| The only way to get `jib` working is to import the self signed certificate into jvm `CA Certificates Keystore`. |
There was a problem hiding this comment.
How about:
Jib uses the JRE's list of approved CA Certificates to validate SSL certificates. The following instructions describe how to add a registry's self-signed certificate to the JRE's approved CAs.
There was a problem hiding this comment.
How about also adding
"The certificate will be trusted at the JRE level, affecting all Java applications running on it. You will also need to re-import the certificate when you use a different JRE or upgrade it."
|
|
||
| ### Import certificate | ||
|
|
||
| * Launch `KeyStore Explorer` |
There was a problem hiding this comment.
My 2¢: it would be easier to have the user use Open an existing KeyStore and navigate to the cacerts file (with default password changeit).
Then there are two approaches:
- if the user has the self-signed certificate, they can import it.
- if they don't have the self-signed certificate, they can import it from the running service with the Examine SSL option. It allows importing the certificate directly into the keystone.
There was a problem hiding this comment.
I guess this import process has multiple possible ways to be done.... I describe the one I used
|
@chanseokoh @briandealwis changes applied |
Create doc with the workaround discuessed on #543 (comment)