Red Hat SummitChapter 3. Secure communication for containerized applications
You can add certificates from your local certificate authority (CA) or from a third-party vendor into a Podman machine. After adding these certificates, you can use them in your images to:
- Secure the communication channel between the running applications in your container and the external host system.
- Validate the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates provided by external services for authentication.
Podman stores certificates in the machine at /etc/pki/ca-trust/source/anchors/, and you can obtain them in various formats:
-
Privacy-Enhanced Mail format (
.pem) -
Certificate file format (
.crt) -
Certificate file format (
.cer)
On Windows, the Podman commands use the CAs from the certificate store. For example, if you are unable to log in to an internal registry because the added certificate was not trusted by Podman, you can add it to the Windows certificate store. This will enable Podman commands to trust the certificate and help you log in to that registry.
3.1. Add certificates to a Podman machine
You can add certificates from a local CA or third-party vendor directly to a running Podman machine. After adding a certificate, a reboot of the Podman machine is required to ensure the changes take effect.
Prerequisites
- You have a running Podman machine.
-
You have obtained the required certificates for installation, such as
certificate.pemorcertificate.crt.
Procedure
Start an interactive session with the default Podman machine:
$ podman machine ssh <machine_name>Optional: If Podman runs in the default rootless mode, switch to a root shell:
$ sudo su -Change to the directory where the certificates must be placed:
$ cd /etc/pki/ca-trust/source/anchorsPerform one of the following steps to obtain the certificate:
Use the
curlcommand to download a certificate:$ curl [-k] -o <my-certificate> https://<my-server.com/my-certificate>Use any editor, such as Notepad or Vim to create a certificate file with
.crt,.cer, or.pemextension.NoteYou can convert a certificate file to a text file and copy its content to the editor.
Add the certificate to the list of trusted certificates:
$ update-ca-trustOptional: To exit the root shell, run the following command:
$ exit-
Run the
exitcommand to exit the Podman machine. To apply your changes, reboot the Podman machine:
$ podman machine stop <machine_name> $ podman machine start <machine_name>
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}