Custom CA Certificates (OpenSSL)
Overview
You can configure OpenSSL-based container images (curl, nginx, etc.) to trust custom Certificate Authority (CA) certificates for TLS connections.
Volume Mount Approach
Use this approach when you only want to trust your own CAs and don’t need or even want the image’s built-in default public certificate bundle. Mount your custom CAs directly to the container’s system trust store path.
Podman Example
podman run --rm \
  -v /path/to/ca.crt:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro,Z \
  quay.io/hummingbird/curl https://your-server/
Kubernetes Example
Create a ConfigMap with your CA certificate(s):
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-ca-bundle
data:
  tls-ca-bundle.pem: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    ... more certificates if needed ...
On OpenShift, the cluster administrator may already have added your organization’s CA(s) to the cluster-wide trust store. In that case you can create a ConfigMap carrying the config.openshift.io/inject-trusted-cabundle label, and the cluster populates it with that bundle for you. See the Configuring a custom PKI OpenShift documentation for details.
Mount the ConfigMap to the trust store directory. Because the mount replaces the whole directory, the ConfigMap key must be named tls-ca-bundle.pem, which is the file name OpenSSL reads there:
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: app
    image: quay.io/hummingbird/curl
    volumeMounts:
    - name: custom-ca
      mountPath: /etc/pki/ca-trust/extracted/pem
      readOnly: true
  volumes:
  - name: custom-ca
    configMap:
      name: custom-ca-bundle
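As an added preflight check (not part of this page or the Hummingbird project), the following Python script inspects a ConfigMap's data section before it is applied: it confirms the key is named tls-ca-bundle.pem, since the directory mount hides any other file name from OpenSSL, and that every PEM block decodes to a complete DER certificate rather than a truncated or glued-together paste. The sample bundle is a constructed stand-in, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# The directory mount replaces /etc/pki/ca-trust/extracted/pem wholesale, so
# OpenSSL only finds a bundle stored under this exact key (file) name.
EXPECTED_KEY = "tls-ca-bundle.pem"

def der_length_ok(der: bytes) -> bool:
    """True if the outer DER SEQUENCE header covers exactly the whole blob."""
    if len(der) < 2 or der[0] != 0x30:  # 0x30 is the ASN.1 SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        length, header = first, 2
    else:  # long form: 0x80 | number of following length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)  # catches truncated or glued blocks

def check_bundle(pem_text: str) -> tuple[int, list[str]]:
    """Return (count of well-formed certificates, list of problems found)."""
    problems, good = [], 0
    for i, body in enumerate(PEM_RE.findall(pem_text), 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"certificate {i}: body is not valid base64")
            continue
        if not der_length_ok(der):
            problems.append(f"certificate {i}: DER length mismatch (truncated?)")
            continue
        good += 1
    return good, problems

def check_configmap(data: dict[str, str]) -> list[str]:
    """Preflight the data section of a ConfigMap meant for the directory mount."""
    if EXPECTED_KEY not in data:
        return [f"missing key {EXPECTED_KEY!r}; found {sorted(data)}"]
    count, problems = check_bundle(data[EXPECTED_KEY])
    return problems + ([] if count else ["bundle has no usable certificates"])

if __name__ == "__main__":
    # Constructed stand-in (a minimal DER SEQUENCE), not a real certificate.
    sample = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
    print(check_configmap({"tls-ca-bundle.pem": sample}), check_configmap({"ca.crt": sample}))
```

An empty problem list means the ConfigMap is safe to mount; anything else points at the block or key that needs fixing before the pod starts failing TLS handshakes.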
Derived Image Approach
Use this approach when you need to trust both your custom CA and the image’s built-in default CAs. It builds a new image whose trust store merges the two, using the trust anchor command.
Create a multi-stage Containerfile with your ca.crt in the build context. This example derives from the curl image: the builder stage runs trust anchor, and the final stage copies the resulting /etc/pki directory into the runtime image:
FROM quay.io/hummingbird/curl:latest-builder AS builder
USER root
COPY ca.crt /tmp/
RUN trust anchor /tmp/ca.crt
FROM quay.io/hummingbird/curl:latest
COPY --from=builder /etc/pki /etc/pki
Build and use your custom image:
podman build -t my-curl-with-ca .
podman run --rm my-curl-with-ca https://your-server/