The US DoD (Department of Defense) runs its own PKI and issues the HTTPS certificates for its domains from its own root certificates. For example, https://www.my.af.mil/ uses such a certificate. These roots are not included in the default trust store of any commercial/public operating system, browser, or other client, so those clients reject the chain with a certificate error. To access these sites without the error, the DoD root certificates must be added to the client's trust store.
On Windows, go to DISA's PKI and PKE Tools page and, under "Trust Store", follow the directions for the "InstallRoot X: NIPR Windows Installer".
On Linux, download the certificates from MilitaryCAC's Linux Information page (direct link to the certificates), then follow your distribution's instructions for adding certificates to the trust store. For example, on Red Hat / CentOS / Fedora / Amazon Linux, copy the PEM-encoded certificates to /etc/pki/ca-trust/source/anchors/ and then run update-ca-trust. On Debian / Ubuntu and Gentoo, copy the certificates to /usr/local/share/ca-certificates/ with a .crt extension (update-ca-certificates only picks up files named *.crt, one certificate per file is the convention) and then run update-ca-certificates.
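The DISA download is a PKCS#7 bundle (.p7b), not a directory of PEM files, so the step that turns it into the one-certificate-per-file layout the trust-store tools expect is worth seeing end to end. The script below is an added example, not code from the original post: split_p7b converts a .pem.p7b or .der.p7b bundle into one file per CA (with "pem" for the Red Hat family anchors directory or "crt" for the Debian family directory), and verify_leaf performs the same chain check a TLS client does against those anchors. The function names are this example's own, and the roots, leaf and bundles it works on are constructed locally with openssl so it runs offline; with the real download you would pass the .p7b from the zip and the distribution's trust directory instead.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Splits a DoD-style PKCS#7
# bundle (the .pem.p7b or .der.p7b file from the DISA zip) into one PEM file
# per CA certificate, the shape both trust-store tools want, then checks that
# a leaf certificate chains to the written anchors. The CA, leaf and bundles
# used by make_fixture/demo are constructed here; function names are ours.
set -Eeuo pipefail

# split_p7b BUNDLE OUTDIR [EXT]
# Writes OUTDIR/<sha256 fingerprint>.<EXT> for every certificate in BUNDLE
# (EXT "pem" for /etc/pki/ca-trust/source/anchors/, "crt" for
# /usr/local/share/ca-certificates/) and prints the number of files written.
split_p7b() {
  local bundle="$1" outdir="$2" ext="${3:-pem}"
  local all cur="" line fp count=0
  mkdir -p "$outdir"
  all="$(mktemp)"
  # The DISA zip ships the bundle in both PEM and DER form; try PEM first.
  if ! openssl pkcs7 -print_certs -in "$bundle" > "$all" 2>/dev/null; then
    openssl pkcs7 -inform DER -print_certs -in "$bundle" > "$all"
  fi
  # -print_certs emits subject=/issuer= lines followed by a PEM block per
  # certificate; keep only the PEM blocks and write each to its own file.
  while IFS= read -r line; do
    case "$line" in
      "-----BEGIN CERTIFICATE-----")
        cur="$(mktemp)"
        printf '%s\n' "$line" > "$cur" ;;
      "-----END CERTIFICATE-----")
        printf '%s\n' "$line" >> "$cur"
        fp="$(openssl x509 -noout -fingerprint -sha256 -in "$cur" | cut -d= -f2 | tr -d ':')"
        mv "$cur" "$outdir/$fp.$ext"
        cur=""
        count=$((count + 1)) ;;
      *)
        if [ -n "$cur" ]; then printf '%s\n' "$line" >> "$cur"; fi ;;
    esac
  done < "$all"
  rm -f "$all"
  printf '%s\n' "$count"
}

# verify_leaf ANCHORDIR LEAF [EXT]
# Returns 0 when LEAF chains to a certificate in ANCHORDIR, 1 otherwise
# (the same check a TLS client performs against the installed trust store).
verify_leaf() {
  local anchors="$1" leaf="$2" ext="${3:-pem}" cafile rc=1
  cafile="$(mktemp)"
  cat "$anchors"/*."$ext" > "$cafile"
  if openssl verify -CAfile "$cafile" "$leaf" > /dev/null 2>&1; then rc=0; fi
  rm -f "$cafile"
  return "$rc"
}

# make_fixture DIR: constructed demo data standing in for the DISA download:
# two self-signed roots, a leaf issued by root 1, a bundle holding both roots
# (PEM and DER form) and a bundle holding only root 2.
make_fixture() {
  local d="$1" i
  mkdir -p "$d"
  for i in 1 2; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$d/root$i.key" \
      -out "$d/root$i.pem" -subj "/C=US/O=Example/CN=Example Root CA $i" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
    -out "$d/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root1.pem" -CAkey "$d/root1.key" \
    -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$d/root1.pem" -certfile "$d/root2.pem" \
    -out "$d/both.pem.p7b"
  openssl pkcs7 -in "$d/both.pem.p7b" -outform DER -out "$d/both.der.p7b"
  openssl crl2pkcs7 -nocrl -certfile "$d/root2.pem" -out "$d/root2only.pem.p7b"
}

demo() {
  local d
  d="$(mktemp -d)"
  make_fixture "$d"
  echo "anchors written from PEM bundle: $(split_p7b "$d/both.pem.p7b" "$d/anchors" pem)"
  echo "anchors written from DER bundle: $(split_p7b "$d/both.der.p7b" "$d/anchors-der" crt)"
  if verify_leaf "$d/anchors" "$d/leaf.pem"; then echo "leaf verifies against the full bundle"; fi
  split_p7b "$d/root2only.pem.p7b" "$d/partial" > /dev/null
  if ! verify_leaf "$d/partial" "$d/leaf.pem"; then echo "leaf rejected when its root is missing"; fi
  rm -rf "$d"
}

demo
```

Files are named by SHA-256 fingerprint so that re-running on a newer DISA bundle adds new roots without overwriting unrelated ones, and the negative case at the end of demo shows what a client sees when the issuing root is absent from the anchors: the same failure the page's opening paragraph describes.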
On Docker, for a Red Hat / CentOS / Fedora / Amazon Linux (or other Fedora-type system) derived container, add the following to the Dockerfile. A Dockerfile has no shebang and no "set -e": the "&&" chain stops on the first failure, and the SHELL instruction turns on pipefail so a failed unzip cannot be masked by the openssl step after it. unzip is installed alongside openssl because minimal base images usually do not ship it:
# Make the pipe in the RUN step fail if any stage fails, not only the last one
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN yum -y install openssl unzip \
    && CERT_ZIP="$(mktemp)" \
    && CERT_BUNDLE="certificates_pkcs7_v5-6_dod" \
    && curl -fsS "https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/${CERT_BUNDLE}.zip" --output "${CERT_ZIP}" \
    && unzip -p "${CERT_ZIP}" "*/*.pem.p7b" | openssl pkcs7 -print_certs -out "/etc/pki/ca-trust/source/anchors/${CERT_BUNDLE}.pem" \
    && rm "${CERT_ZIP}" \
    && update-ca-trust force-enable \
    && update-ca-trust extract \
    && yum -y remove openssl unzip \
    && rm -rf /var/cache/yum
Two caveats. The bundle name (v5-6 here) changes whenever DISA publishes a new release, so check the PKI/PKE Tools page for the current file name, and consider pinning the bundle's SHA-256 and checking it after the download so a changed or tampered file fails the build instead of silently becoming trusted. And "yum -y remove" also removes anything that depends on the removed packages, so check its output the first time, or leave openssl in place if the image already had it.
On AWS Elastic Beanstalk the .ebextensions mechanism can be used. In the jar/war/etc. deployment archive, add this file (the script runs as root during deployment, before the application starts):
.ebextensions/install_dod_certificates.config
packages:
  yum:
    bash: []
    curl: []
    openssl: []
    unzip: []
files:
  "/tmp/install_dod_certificates.sh":
    mode: "000755"
    owner: root
    group: root
    content: |
      #!/usr/bin/env bash
      set -Eeuo pipefail # stop on all errors, including inside pipes
      CERT_ZIP="$(mktemp)"
      CERT_BUNDLE="certificates_pkcs7_v5-6_dod"
      # -f makes curl fail on an HTTP error instead of saving the error page
      curl -fsS "https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/${CERT_BUNDLE}.zip" --output "${CERT_ZIP}"
      unzip -p "${CERT_ZIP}" "*/*.pem.p7b" | openssl pkcs7 -print_certs -out "/etc/pki/ca-trust/source/anchors/${CERT_BUNDLE}.pem"
      rm "${CERT_ZIP}"
      # force-enable only matters on older releases where the consolidated
      # trust store is off by default; extract rebuilds the bundles
      update-ca-trust force-enable
      update-ca-trust extract
commands:
  01install_dod_certificates:
    command: "/tmp/install_dod_certificates.sh"
Trusting DoD Certificates in Docker and Beanstalk by Craig Andrews is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.