Chapter 5. Using your own certificate authority bundle
You can bring your organization’s certificate authority (CA) bundle for signing and verifying your build artifacts with Red Hat’s Trusted Artifact Signer (RHTAS) service.
Prerequisites
- Installation of the RHTAS operator running on Red Hat OpenShift Container Platform.
- A running Securesign instance.
- Your CA root certificate.
-
A workstation with the
ocbinary installed.
Procedure
Log in to OpenShift from the command line:
Syntax
oc login --token=TOKEN --server=SERVER_URL_AND_PORT
Example
$ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443
NoteYou can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.
Switch to the RHTAS project:
Example
$ oc project trusted-artifact-signer
Create a new ConfigMap by using your organization’s CA root certificate bundle:
Example
$ oc create configmap custom-ca-bundle --from-file=ca-bundle.crt
ImportantThe certificate filename must be
ca-bundle.crt.Open the Securesign resource for editing:
Example
$ oc edit Securesign securesign-sample
Add the
rhtas.redhat.com/trusted-caunder themetadata.annotationssection:Example
apiVersion: rhtas.redhat.com/v1alpha1 kind: Securesign metadata: name: example-instance annotations: rhtas.redhat.com/trusted-ca: custom-ca-bundle spec: ...
- Save, and quit the editor.
Open the Fulcio resource for editing:
Example
$ oc edit Fulcio securesign-sample
Add the
rhtas.redhat.com/trusted-caunder themetadata.annotationssection:Example
apiVersion: rhtas.redhat.com/v1alpha1 kind: Fulcio metadata: name: example-instance annotations: rhtas.redhat.com/trusted-ca: custom-ca-bundle spec: ...- Save, and quit the editor.
- Wait for the RHTAS operator to reconfigure before signing and verifying artifacts.
