FAQ: Using self-signed certificates
How to use self-signed certificates with Squash Orchestrator?
To use self-signed certificates, you must provide two parameters to the orchestrator's run command:
- the certificate chain file mounting point on the Squash Orchestrator's docker image;
- the CURL_CA_BUNDLE environment variable, which must contain the certificate chain file path on this image.
Linux / macOS (bash):
docker run ... \
-v /path/to/ca_bundle/cert.crt:/etc/squashtf/cert.crt \
-e CURL_CA_BUNDLE=/etc/squashtf/cert.crt \
...
Windows (cmd):
docker run ... ^
-v d:\path\to\ca_bundle\cert.crt:/etc/squashtf/cert.crt ^
-e CURL_CA_BUNDLE=/etc/squashtf/cert.crt ^
...
Windows (PowerShell):
docker run ... `
-v d:\path\to\ca_bundle\cert.crt:/etc/squashtf/cert.crt `
-e CURL_CA_BUNDLE=/etc/squashtf/cert.crt `
...
How to obtain a certificate chain file from a web browser?
To obtain the certificate chain file of a site you want to connect to, you can use a web browser:
Chrome / Edge
- Click on the lock icon in the address bar.
- Select "Connection is secure" in the pop-up menu, then select "Certificate is valid" (Chrome) or click on the certificate icon (Edge).
- In Certificate viewer, select "Details", then click "Export…".
- Save the certificate file as an encoded certificate chain (Base 64 ASCII).
Firefox
- Click on the lock icon in the address bar.
- Select "Connection secure" in the pop-up menu, then select "More information".
- In the pop-up window, select "View certificate".
- A new tab opens. Navigate to the "Miscellaneous" section and download the PEM (chain) file.
What is the expected structure of the certificate file?
The certificate file may contain one or more certificates. In all cases, the first line of a certificate must be -----BEGIN CERTIFICATE----- and the last one -----END CERTIFICATE-----:
-----BEGIN CERTIFICATE-----
MIIGNzCCBR+gAwIBAgISBI+KFDQrafK2DRrMrxlY+OzJMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
...
kKsZ2rtL3QPUN+7ByflDjMTnrF0QZdIU70sFWKrOT0Rq0Y26SoS2p3KQzmFlVpza
UZPS19xC8mGhS/o=
-----END CERTIFICATE-----
Squash Orchestrator uses the -----END CERTIFICATE----- string to identify certificates and import them to the keystore. If the import fails, check that this line is present at the end of each certificate in your file.
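As an added check (not part of the Squash documentation), the script below validates a bundle before it is mounted: it verifies that every certificate has its END line and that the Base64 body decodes to a DER SEQUENCE, which is how every X.509 certificate begins. The sample bundles are constructed, with a tiny DER stub standing in for a real certificate.

```python
import base64
import binascii
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_ca_bundle(text):
    """Return (number of well-formed certificates, list of problems found)."""
    problems, count = [], 0
    lines = [line.strip() for line in text.splitlines()]
    i = 0
    while i < len(lines):
        if lines[i] != BEGIN:
            # Text outside a certificate (blank lines, comments) is tolerated,
            # but a stray END line means a BEGIN line went missing.
            if lines[i] == END:
                problems.append(f"line {i + 1}: END marker without a preceding BEGIN")
            i += 1
            continue
        start, body, i = i, [], i + 1
        while i < len(lines) and lines[i] not in (BEGIN, END):
            if lines[i]:
                body.append(lines[i])
            i += 1
        if i >= len(lines) or lines[i] != END:
            # Missing END line: this is the case the orchestrator's import trips over.
            problems.append(f"certificate at line {start + 1}: missing {END} line")
            continue  # a BEGIN found here starts the next certificate
        i += 1
        try:
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error:
            problems.append(f"certificate at line {start + 1}: body is not valid Base64")
            continue
        if not der or der[0] != 0x30:  # 0x30 = ASN.1 SEQUENCE tag
            problems.append(f"certificate at line {start + 1}: body is not a DER certificate")
            continue
        count += 1
    return count, problems


# Constructed samples: "MAMCAQU=" is the Base64 of the DER bytes 30 03 02 01 05,
# a minimal SEQUENCE used here as a stand-in for a real certificate body.
FAKE_CERT = "MAMCAQU="
GOOD_BUNDLE = f"{BEGIN}\n{FAKE_CERT}\n{END}\n{BEGIN}\n{FAKE_CERT}\n{END}\n"
BROKEN_BUNDLE = f"{BEGIN}\n{FAKE_CERT}\n{BEGIN}\n{FAKE_CERT}\n{END}\n"  # first END line lost

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="ascii").read() if path else BROKEN_BUNDLE
    n, issues = check_ca_bundle(text)
    print(f"{n} certificate(s) OK; problems: {issues or 'none'}")
```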