Self-signed certificates
StackState Self-hosted
Last updated
StackState Self-hosted
Last updated
StackState has several points of interaction with external systems. For example, event handlers can call out to webhooks in other systems. With the default configuration, StackState won't be able to communicate with these systems if they're secured with TLS using a self-signed certificate, or a certificate that isn't by default trusted by the JVM.
To mitigate this, StackState allows configuration of a custom trust store.
You need to have the custom TLS certificate available. If you don't have that, you will need to .
Use the keytool tool and the cacerts
file included in the JVM (Java Virtual Machine) installation to convert an existing TLS certificate file to the format needed by StackState. You can run this on any machine, regardless of the type of operating system.
If you don't have the JVM installed on your computer, you can also instead.
With the JVM installed on your computer and the certificate saved as a file site.cert
, you can create a new trust store by taking the JVM's trust store and adding the extra certificate.
Create a working directory workdir
and copy the certificate file site.cert
to this directory.
Change directory to the workdir
and make a copy of the cacerts
file from your Java installation. $JAVA_HOME
is an environment variable that contains the location of your Java installation. This is normally set when installing Java.
Run the following keytool command to add the certificate. The required password is changeit
. The alias needs to be a unique alias for the certificate, for example the domain name itself without any dots.
The custom_cacerts
store file will now include the site.cert
certificate. You can verify that by searching for the alias in the output of
If you don't have JVM installed on your computer, you can use a JVM Docker image. The certificate should be retrieved and saved as a file site.cert
.
Create a working directory workdir
and copy the certificate file site.cert
to this directory.
Start the Java Docker container with the workdir
mounted as a volume so it can be accessed:
Change directory to the workdir
and make a copy of the cacerts
file:
Run the following keytool command to add the certificate. The required password is changeit
. The alias needs to be a unique alias for the certificate, for example the domain name itself without any dots.
The custom_cacerts
store file will now include the site.cert
certificate. You can verify that by searching for the alias in the output of
The trust store and the password can be specified as values. The trust store can only be specified from the helm command line as it's a file. The password value is specified in the same way in the example, but it can also be provided via a values.yaml
file.
If needed, the Java trust store can also be configured by passing Base64 encoded strings into Helm values.
To use a base64 encoded trust store, run the following helm upgrade
command:
The certificate can be directly downloaded from the Chrome browser. The steps involved may vary slightly depending on the version you are using:
Navigate to the URL you need the certificate from.
Click the padlock icon in the location bar.
Click on Certificate.
Select Details.
Select Export.
Save using the default export file type (Base64 ASCII encoded).