Truststore Customization

Customizing Truststore

The default truststore is configured in a script that is executed in the Dockerfile. There are a few different ways the script can be customized.

Build test authorized_certs.zip

Utilizing the regenerate-test-pki task, you can create a test authorized_certs.zip to use for the truststore.

To use the regenerate-test-pki task:

  • Create csr.conf

    [req]
    default_bits = 2048
    default_keyfile = key.pem
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    x509_extensions = v3_ext
    [req_distinguished_name]
    countryName = Country Name (2 letter code)
    countryName_default = US
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Colorado
    localityName = Locality Name (eg, city)
    localityName_default = Colorado Springs
    organizationName = Organization Name (eg, company)
    organizationName_default = Defense Unicorns
    commonName = Common Name (e.g. server FQDN or YOUR name)
    commonName_default = uds.dev
    [req_ext]
    subjectAltName = @alt_names
    [v3_ext]
    subjectAltName = @alt_names
    [alt_names]
    DNS.0 = *.uds.dev
  • Run the task:
    # Generates new authorized_certs.zip
    uds run regenerate-test-pki

Update Dockerfile and build image

Update CA_ZIP_URL in Dockerfile to refer to the generated authorized_certs.zip

ARG CA_ZIP_URL=authorized_certs.zip

Build config image

# build image
uds run dev-build

Configure Istio Gateways CACERT in UDS Core

# In `uds-core` create cacert from the new identity-config image
uds run -f src/keycloak/tasks.yaml cacert --set IMAGE_NAME=<identity config image> --set VERSION=<identity config image version>

# Update tenant and admin gateway with generated cacerts
uds run -f src/keycloak/tasks.yaml dev-cacert

Deploy UDS Core with new uds-identity-config

See Testing custom image in UDS Core

Verify Istio Gateway configuration

# Verify the "Acceptable client certificate CA names"
openssl s_client -connect sso.uds.dev:443
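Reading the "Acceptable client certificate CA names" block out of the `s_client` dump by eye is error-prone, so the following added example (not part of the UDS Identity Config docs or the uds-core tasks) turns the verification step into a repeatable check. It parses the CA list from `openssl s_client` output and confirms that the expected CA subject is advertised. The expected subject is assumed from the csr.conf defaults above; the real subject produced by `regenerate-test-pki` may differ, and the sample output below is constructed rather than captured from a live gateway.

```shell
#!/bin/sh
# Added example: verify that an Istio gateway advertises the expected
# client-certificate CA after the cacert update. Not project code.

# Assumed CA subject, built from the csr.conf defaults in this doc.
# Replace with the subject of the CA actually packaged in authorized_certs.zip.
EXPECTED_CA='C = US, ST = Colorado, L = Colorado Springs, O = Defense Unicorns, CN = uds.dev'

# Print the CA subjects listed under "Acceptable client certificate CA names"
# from `openssl s_client` output read on stdin. OpenSSL prints the heading, one
# subject per line, then "Client Certificate Types:" (or similar headers) which
# end the list. Prints nothing when the server sends no CA names.
extract_ca_names() {
  awk '
    /^Acceptable client certificate CA names/ { in_block = 1; next }
    /^No client certificate CA names sent/    { exit }
    in_block && /^(Client Certificate Types|Requested Signature Algorithms|Shared Requested Signature Algorithms|Peer signing digest|---)/ { exit }
    in_block && NF { print }
  '
}

# Exit 0 when the subject given as $1 appears, as a whole line, in the
# advertised CA list read on stdin.
gateway_trusts_ca() {
  extract_ca_names | grep -Fxq -- "$1"
}

# Live check (assumed host). </dev/null closes the session right after the
# handshake so s_client does not wait for input; -servername sends SNI so the
# gateway selects the right TLS configuration.
check_gateway() {
  host="$1"
  expected="$2"
  openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
    | gateway_trusts_ca "$expected"
}

# Constructed sample of an s_client dump from a gateway that trusts the CA
# (certificate PEM bodies omitted).
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.uds.dev
   i:C = US, O = Defense Unicorns, CN = uds.dev
---
Server certificate
subject=CN = *.uds.dev
issuer=C = US, O = Defense Unicorns, CN = uds.dev
---
Acceptable client certificate CA names
C = US, ST = Colorado, L = Colorado Springs, O = Defense Unicorns, CN = uds.dev
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
---
SSL handshake has read 2117 bytes and written 409 bytes
Verification: OK
---'

# Constructed sample from a gateway whose cacert was never updated.
SAMPLE_NO_CA='CONNECTED(00000003)
---
Server certificate
subject=CN = *.uds.dev
issuer=C = US, O = Defense Unicorns, CN = uds.dev
---
No client certificate CA names sent
Peer signing digest: SHA256
---'

# Wrappers over the samples so the parsing logic can be exercised offline.
sample_trusts_ca() {
  printf '%s\n' "$SAMPLE_OUTPUT" | gateway_trusts_ca "$EXPECTED_CA"
}

sample_without_ca() {
  printf '%s\n' "$SAMPLE_NO_CA" | gateway_trusts_ca "$EXPECTED_CA"
}

# Usage against a real deployment:
#   check_gateway sso.uds.dev "$EXPECTED_CA" && echo "gateway advertises the CA"
```

Run `check_gateway` for both the tenant and admin gateway hostnames after `dev-cacert`; an empty CA list, or the old CA subject still being advertised, means the gateway is still serving the previous cacert.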