Description
According to https://quarkus.io/guides/native-and-ssl#the-truststore-path,
"the root certificates are fixed at image build time [...] when the defaults need to be changed, these system properties must be provided at image build time"
But trust settings can be environmental. Examples:
A corporate proxy may do MITM inspection of HTTPS traffic and re-sign with an organizational CA
An organizational CA may be used on-premise
An OpenShift cluster can provide service certificates with its own internal CA
Making this a build-time-only option limits the ability of Quarkus apps to connect to services whose certificates are signed by an environment-specific CA.
It would be helpful if operators could provide an environmental trust store at runtime.
Ideally PEM files could be trusted directly to avoid the need to use keytool at runtime. PEM files can come from a number of sources, especially within OpenShift:
A runtime option to load trusted CAs from multiple PEM files would greatly ease Quarkus' use in environments where custom CA settings are a requirement.
Implementation ideas
No response
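As an added illustration (not code from the issue, from Quarkus or from the Quarkus documentation), the following plain-JDK class does what the request describes: it loads trusted CAs from one or more PEM files chosen at runtime into an in-memory trust store, without running keytool, and optionally keeps the JDK's default roots alongside them so that an environment-specific CA is an addition rather than a replacement. The class and method names, the alias scheme and the command-line file names are assumptions made for this example.

```java
import java.io.InputStream;
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper (example code): builds a trust store from PEM CA bundles chosen at runtime. */
public final class PemTrustStore {

    /**
     * Load every CERTIFICATE block from each PEM file into a fresh in-memory PKCS12 store.
     * One PEM file may hold a whole bundle; generateCertificates() returns all of its entries.
     * When includeJdkDefaults is true, the JDK's own trusted roots are added first, so the
     * environment's CA extends the default trust instead of replacing it.
     */
    public static KeyStore fromPemFiles(List<Path> pemFiles, boolean includeJdkDefaults) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(null, null); // creates an empty store; nothing is read from disk here

        int n = 0;
        if (includeJdkDefaults) {
            for (X509Certificate root : jdkDefaultRoots()) {
                store.setCertificateEntry("jdk-" + n++, root);
            }
        }
        for (Path pem : pemFiles) {
            try (InputStream in = Files.newInputStream(pem)) {
                for (Certificate c : cf.generateCertificates(in)) {
                    X509Certificate x = (X509Certificate) c;
                    // Only CA certificates belong in a trust store; getBasicConstraints() is -1 for non-CA certs.
                    if (x.getBasicConstraints() < 0) {
                        System.err.println("skipping non-CA certificate in " + pem + ": " + x.getSubjectX500Principal());
                        continue;
                    }
                    x.checkValidity(); // fail loudly on an expired or not-yet-valid CA instead of trusting it silently
                    store.setCertificateEntry("pem-" + n++, x);
                }
            }
        }
        if (n == 0) {
            throw new CertificateException("no CA certificates loaded; refusing to build an empty trust store");
        }
        return store;
    }

    /** Collect the roots the JDK trusts by default (cacerts or the platform store, per JDK configuration). */
    private static List<X509Certificate> jdkDefaultRoots() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK default trust store
        List<X509Certificate> roots = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                roots.addAll(List.of(((X509TrustManager) tm).getAcceptedIssuers()));
            }
        }
        return roots;
    }

    /** Wrap the trust store in an SSLContext usable by HttpClient or any JSSE-based client library. */
    public static SSLContext sslContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material, default SecureRandom
        return ctx;
    }

    /** Usage: java PemTrustStore corp-proxy-ca.pem service-ca.crt (file names are placeholders). */
    public static void main(String[] args) throws Exception {
        List<Path> files = new ArrayList<>();
        for (String arg : args) {
            files.add(Path.of(arg)); // paths arrive at runtime, so a new CA needs no image rebuild
        }
        KeyStore trust = fromPemFiles(files, true);
        SSLContext ctx = sslContext(trust);
        // Any client built on this context trusts the JDK roots plus the runtime-provided CAs.
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        System.out.println("trust store entries: " + trust.size() + ", client ready: " + (client != null));
    }
}
```

The two checks in the loading loop are the ones worth keeping in any such feature: rejecting non-CA certificates keeps a leaf certificate that was accidentally mounted into a CA bundle from becoming a trust anchor, and failing on an expired CA surfaces a misconfiguration at startup rather than at the first TLS handshake that fails against it.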
sberyozkin changed the title from "llow trusted certificates to be specified at runtime by keystore and multiple PEM files" to "Allow trusted certificates to be specified at runtime by keystore and multiple PEM files" on Oct 7, 2021
We would need to check again, but initially it was the graalvm way.
With most of the I/O using Vert.x we should be able to configure each client/server with the external certs. However, we would need to check with extensions using a different model.
Do you have an update on this? We would like to be able to add ca-bundles at runtime, since we deploy our applications at multiple customers and they all require communication over HTTPS, so adding ca bundles at build time is not really viable.