From bd0a8c14625a3173427bacb3291bc63eae9d1620 Mon Sep 17 00:00:00 2001 From: "Carl J. Mosca" Date: Wed, 3 Aug 2022 06:47:02 -0400 Subject: added docs for installing certficate authority Co-authored-by: Tom Sweeney Signed-off-by: Carl J. Mosca --- .../podman-install-certificate-authority.md | 102 +++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 docs/tutorials/podman-install-certificate-authority.md (limited to 'docs/tutorials/podman-install-certificate-authority.md') diff --git a/docs/tutorials/podman-install-certificate-authority.md b/docs/tutorials/podman-install-certificate-authority.md new file mode 100644 index 000000000..bcd3056ba --- /dev/null +++ b/docs/tutorials/podman-install-certificate-authority.md @@ -0,0 +1,102 @@ +![PODMAN logo](../../logo/podman-logo-source.svg) + +Install Certificate Authority +============================= + +Organizations may create their own local certificate authority (CA) or acquire one from a third party. This may mean more than one certificate, such as one or more intermediate certificates and a root certificate, for example. In any case, it is necessary to add the certificate authority (CA) certificate(s) so that it can be employed for various use cases. + +### Method one + +Certificates may be either individual or concatenated (bundles). The following steps are one method to add such certificates to Podman. It is assumed that Podman is running and the certificate(s) to be installed are available on an accessible server via curl. If such access is not possible, an alternative method follows. + +First, assuming a running Podman machine, ssh into the machine: +``` +podman machine ssh +``` + +If Podman is running in the default rootless mode, an additional command is required to get to a root shell: + +``` +[core@localhost ~]$ sudo su - +``` + +After issuing the above command, the prompt should change to indicate the "root" instead of the "core" user. + +Next, while in the machine, change to the directory where the certificate(s) should be installed: +``` +[root@localhost ~]# cd /etc/pki/ca-trust/source/anchors +``` + +Then use curl to download the certificate. Notes: +* The -k is only necessary if connecting securely to a server for which the certificate is not yet trusted +* The MY-SERVER.COM/SOME-CERTIFICATE.pem should be replaced as appropriate +``` +[root@localhost anchors]# curl -k -o some-certificate.pem https://MY-SERVER.COM/SOME-CERTIFICATE.pem +``` + +Repeat as necessary for multiple certificates. + +Once all of the certificates have been downloaded, run the command to add the certificates to the list of trusted CAs: +``` +[root@localhost anchors]# update-ca-trust +``` + +Exit the machine: +``` +[root@localhost anchors]# exit +``` + +If the "sudo su -" command was used to switch to a root shell as described above, an additional exit command is needed to exit the machine: + +``` +[core@localhost ~]$ exit +``` + +### Alternative Method + +If the above method is for some reason not practical or desirable, the certificate may be created using vi. + +As above, assuming a running Podman machine, ssh into the machine: + +``` +podman machine ssh +``` + +If the prompt starts with "core" instead of "root", switch to a root shell: + +``` +[core@localhost ~]$ sudo su - +``` + +Next, change to the directory where the certificate(s) should be installed: +``` +[root@localhost ~]# cd /etc/pki/ca-trust/source/anchors +``` + +Then use vi to create the certificate. +``` +[root@localhost ~]# vi SOME-CERTIFICATE.pem +``` +After vi opens, copy the certificate to the clipboard, then in insert mode, paste the clipboard contents to vi. Lastly, save the file and close vi. + +Repeat as necessary for multiple certificates. + +Once all of the certificates have been created, run the command to add the certificates to the list of trusted CAs: +``` +[root@localhost anchors]# update-ca-trust +``` + +Exit the machine: +``` +[root@localhost anchors]# exit +``` + +If the "sudo su -" command described above was used, an additional exit command is needed: + +``` +[core@localhost ~]$ exit +``` + +### Final Notes + +The certificate installation will persist during machine restarts. There is no need to stop and start the machine to begin using the certificate. -- cgit v1.2.3-54-g00ecf