forked from containers/podman
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request containers#15173 from carljmosca/main
[CI:DOCS] added docs for installing certificate authority
- Loading branch information
Showing
2 changed files
with
107 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,102 @@ | ||
|  | ||
|
|
||
| Install Certificate Authority | ||
| ============================= | ||
|
|
||
| Organizations may create their own local certificate authority (CA) or acquire one from a third party. This may mean more than one certificate, such as one or more intermediate certificates and a root certificate, for example. In any case, it is necessary to add the certificate authority (CA) certificate(s) so that it can be employed for various use cases. | ||
|
|
||
| ### Method one | ||
|
|
||
| Certificates may be either individual or concatenated (bundles). The following steps are one method to add such certificates to Podman. It is assumed that Podman is running and the certificate(s) to be installed are available on an accessible server via curl. If such access is not possible, an alternative method follows. | ||
|
|
||
| First, assuming a running Podman machine, ssh into the machine: | ||
| ``` | ||
| podman machine ssh | ||
| ``` | ||
|
|
||
| If Podman is running in the default rootless mode, an additional command is required to get to a root shell: | ||
|
|
||
| ``` | ||
| [core@localhost ~]$ sudo su - | ||
| ``` | ||
|
|
||
| After issuing the above command, the prompt should change to indicate the "root" instead of the "core" user. | ||
|
|
||
| Next, while in the machine, change to the directory where the certificate(s) should be installed: | ||
| ``` | ||
| [root@localhost ~]# cd /etc/pki/ca-trust/source/anchors | ||
| ``` | ||
|
|
||
| Then use curl to download the certificate. Notes: | ||
| * The -k is only necessary if connecting securely to a server for which the certificate is not yet trusted | ||
| * The MY-SERVER.COM/SOME-CERTIFICATE.pem should be replaced as appropriate | ||
| ``` | ||
| [root@localhost anchors]# curl -k -o some-certificate.pem https://MY-SERVER.COM/SOME-CERTIFICATE.pem | ||
| ``` | ||
|
|
||
| Repeat as necessary for multiple certificates. | ||
|
|
||
| Once all of the certificates have been downloaded, run the command to add the certificates to the list of trusted CAs: | ||
| ``` | ||
| [root@localhost anchors]# update-ca-trust | ||
| ``` | ||
|
|
||
| Exit the machine: | ||
| ``` | ||
| [root@localhost anchors]# exit | ||
| ``` | ||
|
|
||
| If the "sudo su -" command was used to switch to a root shell as described above, an additional exit command is needed to exit the machine: | ||
|
|
||
| ``` | ||
| [core@localhost ~]$ exit | ||
| ``` | ||
|
|
||
| ### Alternative Method | ||
|
|
||
| If the above method is for some reason not practical or desirable, the certificate may be created using vi. | ||
|
|
||
| As above, assuming a running Podman machine, ssh into the machine: | ||
|
|
||
| ``` | ||
| podman machine ssh | ||
| ``` | ||
|
|
||
| If the prompt starts with "core" instead of "root", switch to a root shell: | ||
|
|
||
| ``` | ||
| [core@localhost ~]$ sudo su - | ||
| ``` | ||
|
|
||
| Next, change to the directory where the certificate(s) should be installed: | ||
| ``` | ||
| [root@localhost ~]# cd /etc/pki/ca-trust/source/anchors | ||
| ``` | ||
|
|
||
| Then use vi to create the certificate. | ||
| ``` | ||
| [root@localhost ~]# vi SOME-CERTIFICATE.pem | ||
| ``` | ||
| After vi opens, copy the certificate to the clipboard, then in insert mode, paste the clipboard contents to vi. Lastly, save the file and close vi. | ||
|
|
||
| Repeat as necessary for multiple certificates. | ||
|
|
||
| Once all of the certificates have been created, run the command to add the certificates to the list of trusted CAs: | ||
| ``` | ||
| [root@localhost anchors]# update-ca-trust | ||
| ``` | ||
|
|
||
| Exit the machine: | ||
| ``` | ||
| [root@localhost anchors]# exit | ||
| ``` | ||
|
|
||
| If the "sudo su -" command described above was used, an additional exit command is needed: | ||
|
|
||
| ``` | ||
| [core@localhost ~]$ exit | ||
| ``` | ||
|
|
||
| ### Final Notes | ||
|
|
||
| The certificate installation will persist during machine restarts. There is no need to stop and start the machine to begin using the certificate. |