Trusting DoD Certificates in Docker and Beanstalk

The US DoD (Department of Defense) issues the HTTPS certificates for its domains from its own root certificates. For example, https://www.my.af.mil/ uses such a certificate. These DoD root certificates are not included in the default trust store of any commercial or public operating system, browser, or other client. Therefore, in order to access these sites without a certificate error, the DoD root certificates must be explicitly trusted.

On Windows, go to DISA’s PKI and PKE Tools page and, under “Trust Store”, follow the directions for the “InstallRoot X: NIPR Windows Installer”.

On Linux, download the certificates from MilitaryCAC’s Linux Information page (direct link to the certificates). Then follow your distribution’s instructions for installing certificates into the system trust store. For example, on Red Hat / CentOS / Fedora / Amazon Linux, copy the certificates to /etc/pki/ca-trust/source/anchors/ and then run update-ca-trust. On Debian / Ubuntu and Gentoo, copy the certificates to /usr/local/share/ca-certificates/ and then run update-ca-certificates.

On Docker, for a container image derived from Red Hat / CentOS / Fedora / Amazon Linux (or another Fedora-type distribution), add the following to the Dockerfile:

# The steps are chained with && so the RUN instruction fails on the first error.
# openssl converts the PKCS#7 bundle to PEM; unzip extracts it from the DISA zip.
RUN yum -y install openssl unzip \
&& CERT_ZIP="$(mktemp)" \
&& CERT_BUNDLE="certificates_pkcs7_v5-6_dod" \
&& curl -sS "https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/${CERT_BUNDLE}.zip" --output "${CERT_ZIP}" \
&& unzip -p "${CERT_ZIP}" "*/*.pem.p7b" | openssl pkcs7 -print_certs -out "/etc/pki/ca-trust/source/anchors/${CERT_BUNDLE}.pem" \
&& rm "${CERT_ZIP}" \
&& update-ca-trust \
&& update-ca-trust force-enable \
&& yum -y remove openssl unzip \
&& rm -rf /var/cache/yum

On AWS Elastic Beanstalk, the .ebextensions mechanism can be used. In the deployment archive (jar, war, etc.), add this file:

.ebextensions/install_dod_certificates.config

packages:
  yum:
    bash: []
    curl: []
    openssl: []
    unzip: []
files:
  "/tmp/install_dod_certificates.sh":
    mode: "000755"
    owner: root
    group: root
    content: |
      #!/usr/bin/env bash
      set -Eeuo pipefail # stop on all errors
      CERT_ZIP="$(mktemp)"
      CERT_BUNDLE="certificates_pkcs7_v5-6_dod"
      curl -sS "https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/${CERT_BUNDLE}.zip" --output "${CERT_ZIP}"
      unzip -p "${CERT_ZIP}" "*/*.pem.p7b" | openssl pkcs7 -print_certs -out "/etc/pki/ca-trust/source/anchors/${CERT_BUNDLE}.pem"
      update-ca-trust
      update-ca-trust force-enable
      rm "${CERT_ZIP}"
commands:
  01install_dod_certificates:
    command: "/tmp/install_dod_certificates.sh"

CC BY-SA 4.0 Trusting DoD Certificates in Docker and Beanstalk by Craig Andrews is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
