Self-Signed-Certificate
Self-signed certificates are public key certificates that are not issued by a certificate authority (CA). You’d use these certificates for development and testing.
Create the certificate
First create a self-signed CA certificate and key (your-domain-name.crt and your-domain-name.key):
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=your-domain-name Inc./CN=your-domain-name' -keyout your-domain-name.key -out your-domain-name.crt
Then create a private key and certificate signing request (CSR) for the gateway hostname. Use separate file names here so the CA key from the previous step is not overwritten:
openssl req -out test.your-domain-name.csr -newkey rsa:2048 -nodes -keyout test.your-domain-name.key -subj "/CN=test.your-domain-name/O=Test SAM from your-domain-name"
Sign the CSR with the CA. The output is the server certificate the gateway will present; the CA certificate is what clients (such as the Java app below) need to trust:
openssl x509 -req -sha256 -days 365 -CA your-domain-name.crt -CAkey your-domain-name.key -set_serial 0 -in test.your-domain-name.csr -out test.your-domain-name.crt
Use the certificate in Istio ingress gateway
The secret holding the certificate must be called istio-ingressgateway-certs and must live in the istio-system namespace; the Istio ingress gateway loads that secret automatically. Remove any existing secret first, then create it from the server key and certificate:
kubectl delete secret istio-ingressgateway-certs -n istio-system --ignore-not-found
kubectl create secret tls istio-ingressgateway-certs -n istio-system --key test.your-domain-name.key --cert test.your-domain-name.crt
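The same CA-then-signed-server-certificate chain, plus the checks worth running on the files before they go into the secret, as an added example that is not part of the original notes. It goes one step beyond the notes by putting a subjectAltName on the server certificate (the CSR above carries only a CN, which modern TLS clients do not accept for hostname matching). CA_NAME, HOST and the WORK scratch directory are placeholders.

```shell
#!/bin/sh
# Added example: build CA -> CSR -> CA-signed server cert with a SAN, then
# verify the result as a client would. CA_NAME and HOST are placeholders that
# mirror the file names used in the notes; WORK is a scratch directory.
set -eu

CA_NAME="your-domain-name"      # base name of the CA cert/key files
HOST="test.your-domain-name"    # the hostname listed under the Gateway's hosts
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA certificate and key (the notes' first openssl command).
make_ca() {
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/O=$CA_NAME Inc./CN=$CA_NAME" \
    -keyout "$WORK/$CA_NAME.key" -out "$WORK/$CA_NAME.crt" 2>/dev/null
}

# Server key + CSR, signed by the CA. 'openssl x509 -req' does not copy
# extensions out of the CSR, so the SAN is supplied through -extfile.
make_server_cert() {
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$HOST/O=Test" \
    -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -sha256 -days 365 -set_serial 1 \
    -CA "$WORK/$CA_NAME.crt" -CAkey "$WORK/$CA_NAME.key" \
    -extfile "$WORK/san.ext" \
    -in "$WORK/$HOST.csr" -out "$WORK/$HOST.crt" 2>/dev/null
}

# Three checks a TLS client effectively performs: the server cert chains to
# the CA, it is valid for HOST, and the private key matches the certificate.
verify_server_cert() {
  openssl verify -CAfile "$WORK/$CA_NAME.crt" "$WORK/$HOST.crt" >/dev/null &&
    openssl x509 -in "$WORK/$HOST.crt" -noout -checkhost "$HOST" |
      grep -q 'does match' &&
    [ "$(openssl x509 -in "$WORK/$HOST.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/$HOST.key" -pubout)" ]
}

# The hostname check again, for a name the certificate was not issued for.
hostname_mismatch() {
  openssl x509 -in "$WORK/$HOST.crt" -noout -checkhost "$1" | grep -q 'does NOT match'
}

make_ca
make_server_cert
verify_server_cert && echo "OK: $HOST cert chains to the $CA_NAME CA (files in $WORK)"
```

The files written to WORK are the ones to pass to kubectl create secret tls (server key and cert) and to keytool (the CA cert).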
Update the Gateway resource to use the certificate and private key:
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      # These are coming from the istio-ingressgateway-certs secret
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - test.your-domain-name
EOF
How to get your Java app to accept the certificate
This resolves the following error when a Java application opens an HTTPS connection to the gateway:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Import the certificate into the JVM's default truststore (cacerts)
The path below is the Java 9+ location; on Java 8 the file is $JAVA_HOME/jre/lib/security/cacerts. The default store password is changeit.
sudo keytool -importcert -file your-domain-name.crt -noprompt -alias test.your-domain-name.cert -storepass changeit -keystore $JAVA_HOME/lib/security/cacerts
How to add the certificate to a distroless docker image
The only way I got working was to create a new Docker image and run the keytool command at build time.
FROM gcr.io/distroless/java17-debian12:latest
# Create a directory to store the CA certificate
WORKDIR /certs
# Copy your CA certificate into the image
COPY certs/your-domain-name.crt /certs/your-domain-name.crt
# Distroless images ship no shell, so RUN must use the exec (JSON array) form
# and call keytool by its absolute path. -cacerts targets the JRE's default
# truststore (password changeit), so the import is baked into the image layer.
RUN ["/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool", \
     "-import", "-trustcacerts", "-cacerts", "-noprompt", \
     "-storepass", "changeit", \
     "-alias", "test.your-domain-name.cert", \
     "-file", "/certs/your-domain-name.crt"]