FAQ: Using self-signed certificates

How to use self-signed certificates with Squash Orchestrator?

To use self-signed certificates, you must provide two parameters to the orchestrator's run command:

  • a volume mount that places the certificate chain file inside the Squash Orchestrator's Docker image;
  • the CURL_CA_BUNDLE environment variable, which must contain the path of the certificate chain file inside this image.

Linux / macOS (bash):

docker run ... \
           -v /path/to/ca_bundle/cert.crt:/etc/squashtf/cert.crt \
           -e CURL_CA_BUNDLE=/etc/squashtf/cert.crt \
           ...

Windows (command prompt):

docker run ... ^
           -v d:\path\to\ca_bundle\cert.crt:/etc/squashtf/cert.crt ^
           -e CURL_CA_BUNDLE=/etc/squashtf/cert.crt ^
           ...

Windows (PowerShell):

docker run ... `
           -v d:\path\to\ca_bundle\cert.crt:/etc/squashtf/cert.crt `
           -e CURL_CA_BUNDLE=/etc/squashtf/cert.crt `
           ...

How to obtain a certificate chain file from a web browser?

To obtain the certificate chain file of the site you want to connect to, you can use a web browser:

Chrome / Edge

  1. Click the lock icon in the address bar.
  2. Select "Connection is secure" in the pop-up menu, then select "Certificate is valid" (Chrome) or click the certificate icon (Edge).
  3. In the certificate viewer, select "Details", then click "Export…".
  4. Save the certificate file as an encoded certificate chain (Base 64 ASCII).

Firefox

  1. Click the lock icon in the address bar.
  2. Select "Connection secure" in the pop-up menu, then select "More information".
  3. In the pop-up window, select "View certificate".
  4. A new tab opens. Navigate to the "Miscellaneous" section and download the PEM (chain) file.

What is the expected structure of the certificate file?

The certificate file may contain one or more certificates. In all cases, the first line of each certificate must be -----BEGIN CERTIFICATE----- and the last one -----END CERTIFICATE-----:

-----BEGIN CERTIFICATE-----
MIIGNzCCBR+gAwIBAgISBI+KFDQrafK2DRrMrxlY+OzJMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
...
kKsZ2rtL3QPUN+7ByflDjMTnrF0QZdIU70sFWKrOT0Rq0Y26SoS2p3KQzmFlVpza
UZPS19xC8mGhS/o=
-----END CERTIFICATE-----

Squash Orchestrator uses the -----END CERTIFICATE----- string to identify certificates and import them into the keystore. If the import fails, check that this line is present at the end of each certificate in your file.
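The following shell function is an added example (not part of the Squash Orchestrator documentation or tooling) that checks a bundle for exactly the structural defect described above before it is mounted: every -----BEGIN CERTIFICATE----- must be closed by an -----END CERTIFICATE----- line, and the file must contain at least one certificate. It assumes only POSIX sh and awk, strips trailing carriage returns (files exported from a Windows browser often use CRLF line endings, which would otherwise hide the marker), and prints the number of certificates found.

```shell
#!/bin/sh
# check_ca_bundle FILE
# Validates the PEM layout that Squash Orchestrator expects: each certificate
# opens with -----BEGIN CERTIFICATE----- and closes with -----END CERTIFICATE-----.
# On success prints the certificate count and returns 0; otherwise prints the
# reason on stderr and returns 1.
check_ca_bundle() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    awk '
        { sub(/\r$/, "") }                        # tolerate CRLF (Windows exports)
        /^-----BEGIN CERTIFICATE-----$/ {
            if (open) { bad = "BEGIN without END before line " NR; exit }
            open = 1; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!open) { bad = "END without BEGIN at line " NR; exit }
            open = 0; n++; next
        }
        END {
            if (bad)   { print bad > "/dev/stderr"; exit 1 }
            if (open)  { print "last certificate is missing -----END CERTIFICATE-----" > "/dev/stderr"; exit 1 }
            if (n == 0){ print "no certificates found" > "/dev/stderr"; exit 1 }
            print n
        }' "$file"
}

# Demo on a constructed two-certificate bundle (the base64 bodies are placeholders,
# not real certificates; only the marker layout is being checked here).
demo_bundle=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\r\n' > "$demo_bundle"
printf -- '-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----\n' >> "$demo_bundle"
check_ca_bundle "$demo_bundle" && echo "bundle layout OK"
rm -f "$demo_bundle"
```

This is a layout check only; it does not verify that each block decodes to a valid certificate, so a bundle that passes here can still be rejected for other reasons.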