11. Adding Trusted CA in containers
Yes, you can add trusted CA certificates to a container image during the image build. This ensures that certificates and signatures issued by a CA you trust (e.g., Let's Encrypt, Sigstore Fulcio, an enterprise CA) can be verified automatically inside the container.

Most Linux-based container images include a default set of trusted CA certificates, typically located in:

- Alpine Linux: `/etc/ssl/certs/ca-certificates.crt`
- Debian/Ubuntu: `/etc/ssl/certs/`
- Red Hat/CentOS: `/etc/pki/ca-trust/extracted/pem/`
If your signing CA (e.g., Sigstore Fulcio) is already included in these default certificates, then your container already trusts the public key for verification.
🚀 If your CA is NOT included by default, you need to manually add it.
Before manually adding a CA, check whether it is already in your container:

```bash
openssl s_client -connect fulcio.sigstore.dev:443 -showcerts
```

or

```bash
cat /etc/ssl/certs/ca-certificates.crt | grep "Sigstore"
```

If your CA is found, your container already trusts it and you don't need to add it.
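A more reliable way to answer "is this CA already in the bundle?" is to compare certificates rather than text. The bundle that `update-ca-certificates` writes is a plain concatenation of PEM blocks, so a `grep` for a subject name can miss a CA that is present. The script below is an added example, not part of the original page: it parses a PEM bundle, computes the SHA-256 fingerprint of each certificate's DER bytes (the same value `openssl x509 -noout -fingerprint -sha256` prints) and reports whether every certificate in a given CA file is already present. The sample bundle and CA files are constructed byte strings standing in for real DER data; the default bundle path is the Alpine/Debian location from this page and can be swapped for the Red Hat one.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path
from typing import List, Set

# One PEM certificate block. Only the BEGIN/END markers matter, so the parser
# works both on headerless bundles and on bundles that carry "# subject=" comments.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_to_der_blobs(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every certificate found in a PEM bundle."""
    blobs = []
    for match in PEM_BLOCK.finditer(pem_text):
        b64 = "".join(match.group(1).split())  # drop the 64-column line wrapping
        blobs.append(base64.b64decode(b64, validate=True))
    return blobs


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase hex, matching `openssl x509 -fingerprint -sha256` output."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle_text: str) -> Set[str]:
    """Set of SHA-256 fingerprints for all certificates in a bundle."""
    return {sha256_fingerprint(der) for der in pem_to_der_blobs(bundle_text)}


def ca_in_bundle(ca_pem: str, bundle_text: str) -> bool:
    """True when every certificate in ca_pem is present, byte-for-byte, in the bundle."""
    wanted = bundle_fingerprints(ca_pem)
    if not wanted:
        raise ValueError("no certificate found in the CA file")
    return wanted <= bundle_fingerprints(bundle_text)


def wrap_pem(der: bytes) -> str:
    """Encode DER bytes as a PEM certificate block (used here to build sample data)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: these byte strings stand in for DER-encoded certificates.
SAMPLE_CA_A = wrap_pem(b"constructed DER for CA A" * 4)
SAMPLE_CA_B = wrap_pem(b"constructed DER for CA B" * 4)
SAMPLE_CA_C = wrap_pem(b"constructed DER for CA C" * 4)
# A headerless bundle as update-ca-certificates writes it: it holds CA A and CA B only.
SAMPLE_BUNDLE = SAMPLE_CA_A + SAMPLE_CA_B


def check_files(ca_file: str, bundle_file: str = "/etc/ssl/certs/ca-certificates.crt") -> int:
    """Exit 0 if the CA file is already trusted, 1 if it is missing from the bundle."""
    ca_pem = Path(ca_file).read_text()
    bundle = Path(bundle_file).read_text()
    present = ca_in_bundle(ca_pem, bundle)
    for der in pem_to_der_blobs(ca_pem):
        print(f"{sha256_fingerprint(der)}  {'present' if present else 'MISSING'}")
    return 0 if present else 1


if __name__ == "__main__":
    # usage: check_ca.py my-trusted-ca.crt [/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem]
    sys.exit(check_files(*sys.argv[1:3]))
```

Run it inside the container (`docker run --rm -v "$PWD/my-trusted-ca.crt:/tmp/ca.crt" my-container:latest python3 check_ca.py /tmp/ca.crt`) before and after the build to confirm the `COPY` plus `update-ca-certificates`/`update-ca-trust` step actually landed the certificate in the bundle. Comparing fingerprints also catches the case where a CA with the same subject name but a different key has been rotated, which a name-based `grep` would report as a false match.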
If your CA is missing, follow these steps to add it during the Docker build.

In Alpine-based images, install the ca-certificates package and copy your custom CA:

```dockerfile
FROM alpine:latest

# Install the CA certificates package (provides update-ca-certificates)
RUN apk add --no-cache ca-certificates

# Copy the custom CA file into the local trusted certs directory
COPY my-trusted-ca.crt /usr/local/share/ca-certificates/

# Rebuild the CA trust store so the new CA is included
RUN update-ca-certificates
```

✅ Now your container trusts your CA.
For Debian/Ubuntu-based containers, use the following approach:

```dockerfile
FROM debian:latest

# Install the CA certificates package and drop the apt cache to keep the layer small
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Copy the custom CA certificate (must keep the .crt extension to be picked up)
COPY my-trusted-ca.crt /usr/local/share/ca-certificates/my-ca.crt

# Rebuild the CA trust store
RUN update-ca-certificates
```

✅ Your CA is now trusted inside the container.
For Red Hat-based containers:

```dockerfile
FROM centos:latest

# Install the CA certificates package (provides update-ca-trust)
RUN yum install -y ca-certificates

# Copy the CA file into the anchors directory read by update-ca-trust
COPY my-trusted-ca.crt /etc/pki/ca-trust/source/anchors/

# Rebuild the CA trust store
RUN update-ca-trust
```

✅ Your custom CA is now installed and trusted.
If you want a single Dockerfile to work on either distribution family, include:

```dockerfile
RUN update-ca-certificates || update-ca-trust
```

Whichever tool exists in the base image regenerates the trust bundle, so all system-installed CAs are current.

After building the container, verify that the CA is trusted:

```bash
docker run --rm my-container:latest openssl s_client -connect fulcio.sigstore.dev:443 -showcerts
```

If no verification errors appear (the output ends with `Verify return code: 0 (ok)`), your CA is correctly installed. 🚀
| Method | Best For | Command |
|---|---|---|
| Default CAs (pre-installed) | ✅ If your CA is already trusted | cat /etc/ssl/certs/ca-certificates.crt |
| Alpine-based containers | 🟢 Best for small images | apk add ca-certificates && update-ca-certificates |
| Debian/Ubuntu-based containers | 🟢 Best for general use | apt-get install ca-certificates && update-ca-certificates |
| RedHat/CentOS-based containers | 🟡 Best for enterprise images | yum install ca-certificates && update-ca-trust |