Access certificate inside image

Time:08-14

I'm developing a .NET Core Web API that uses a certificate to call an external service. It is working fine on Windows, but with a Docker image on Linux it can't find the certificate.

The image is built using:

    FROM mcr.microsoft.com/dotnet/aspnet:5.0
    WORKDIR /app
    EXPOSE 80

    # Copy the published build output into the image
    COPY "bin/Release/net5.0/linux-x64" ./

    # set noninteractive installation
    ENV DEBIAN_FRONTEND=noninteractive

    # Add the certificate to the system CA bundle
    COPY MyCertificate.crt /usr/local/share/ca-certificates/MyCertificate.crt
    RUN update-ca-certificates

    ENTRYPOINT ["dotnet", "MyApp.dll"]

The output is OK:

    Step 10/12 : COPY MyCertificate.crt /usr/local/share/ca-certificates/MyCertificate.crt
     ---> bfea272fa88d
    Step 11/12 : RUN update-ca-certificates
     ---> Running in 4c3844714aea
    Updating certificates in /etc/ssl/certs...
    1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...
    done.

But when I run, for example, the following code, or search for the cert by thumbprint, I can't find it:

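    using System.Security.Cryptography.X509Certificates;
    using System.Text;

    // Open the per-user personal store read-only and collect every thumbprint in it.
    X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

    store.Open(OpenFlags.ReadOnly);

    var certs = new StringBuilder();
    foreach (X509Certificate2 certificate in store.Certificates)
    {
        certs.Append(certificate.Thumbprint);
    }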

CodePudding user response:

    COPY MyCertificate.crt /usr/local/share/ca-certificates/MyCertificate.crt
    RUN update-ca-certificates

This registers your certificate as a trusted root authority (or, if it's not self-signed, makes it just "an intermediate CA that we know about") for the machine scope, so you would see the certificate in LocalMachine\Root (or LocalMachine\CertificateAuthority).

The CurrentUser\My store has no supported copy commands; you can only insert into it by opening an X509Store instance with Write permissions and using X509Store.Add. So you need to copy it into your Docker image as "just a file" and then open it as just a file, e.g. new X509Certificate2(pathToWhereYouPutIt).
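
Added example, not part of the original question or answer: C# code for the approach the answer describes, loading the certificate as a plain file, adding it to CurrentUser\My through a writable X509Store, and then finding it by thumbprint. The class name, method names and the path /app/certs/MyCertificate.crt are assumptions for illustration; the path stands for wherever the Dockerfile copies the file.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

public static class CertificateBootstrap
{
    // Assumed location; it must match a Dockerfile line such as
    //   COPY MyCertificate.crt /app/certs/MyCertificate.crt
    public const string CertPath = "/app/certs/MyCertificate.crt";

    // Load the certificate as "just a file" and insert it into CurrentUser\My.
    public static X509Certificate2 LoadAndRegister(string path)
    {
        var cert = new X509Certificate2(path);

        // A .crt file holds only the public certificate. If the external
        // service expects client-certificate authentication, the private key
        // is required as well (for example from a PFX), so report it early.
        if (!cert.HasPrivateKey)
            Console.Error.WriteLine($"Note: {cert.Subject} was loaded without a private key.");

        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);   // X509Store.Add needs a writable store
        store.Add(cert);
        return cert;
    }

    // The lookup from the question, narrowed to a single thumbprint.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false so the lookup does not depend on chain validation.
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return matches.Count > 0 ? matches[0] : null;
    }

    public static void Main()
    {
        var cert = LoadAndRegister(CertPath);
        var found = FindByThumbprint(cert.Thumbprint);
        Console.WriteLine(found != null
            ? $"Found {found.Thumbprint} in CurrentUser\\My"
            : "Certificate not found in CurrentUser\\My");
    }
}
```

On Linux, .NET keeps CurrentUser\My as files under the running user's home directory, so the lookup only succeeds for the same user that performed the Add.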
