Adding CA Certificates to Docker Images and Containers: Detailed Instructions

If you need to run containerized workloads that rely on internal or custom certificates, such as in environments with corporate proxies or secure services, you must ensure that the containers trust these certificates. Without adding the necessary CA certificates, applications inside your containers may encounter failed requests or security warnings when attempting to connect to HTTPS endpoints. By [adding CA certificates to images](#add-certificates-to-images) at build time, you ensure that any containers started from the image will trust the specified certificates. This is particularly important for applications that require seamless access to internal APIs, databases, or other services during production. In cases where rebuilding the image isn't feasible, you can instead [add certificates to containers](#add-certificates-to-containers) directly. However, certificates added at runtime won’t persist if the container is destroyed or recreated, so this method is typically used for temporary fixes or testing scenarios. ## Add certificates to images > [!NOTE] > The following commands are for an Ubuntu base image. If your build uses a > different Linux distribution, use equivalent commands for package management > (`apt-get`, `update-ca-certificates`, and so on). To add ca certificate to a container image when you're building it, add the following instructions to your Dockerfile. ```dockerfile # Install the ca-certificate package RUN apt-get update && apt-get install -y ca-certificates # Copy the CA certificate from the context to the build container COPY your_certificate.crt /usr/local/share/ca-certificates/ # Update the CA certificates in the container RUN update-ca-certificates ``` ### Add certificates to containers > [!NOTE] > The following commands are for an Ubuntu-based container. If your container > uses a different Linux distribution, use equivalent commands for package > management (`apt-get`, `update-ca-certificates`, and so on). To add a CA certificate to a running Linux container: 1. Download the CA certificate for your MITM proxy software. 2. If the certificate is in a format other than `.crt`, convert it to `.crt` format: ```console {title="Example command"} $ openssl x509 -in cacert.der -inform DER -out myca.crt ``` 3. Copy the certificate into the running container: ```console $ docker cp myca.crt <containerid>:/tmp ``` 4. Attach to the container: ```console $ docker exec -it <containerid> sh ``` 5. Ensure the `ca-certificates` package is installed (required for updating certificates): ```console # apt-get update && apt-get install -y ca-certificates ``` 6. Copy the certificate to the correct location for CA certificates: ```console # cp /tmp/myca.crt /usr/local/share/ca-certificates/root_cert.crt ``` 7. Update the CA certificates: ```console # update-ca-certificates ``` ```plaintext {title="Example output"} Updating certificates in /etc/ssl/certs... rehash: warning: skipping ca-certificates.crt, it does not contain exactly one certificate or CRL 1 added, 0 removed; done. ``` 8. Verify that the container can communicate via the MITM proxy: ```console # curl https://example.com ``` ```plaintext {title="Example output"} <!doctype html> <html> <head> <title>Example Domain</title> ... ```

This section provides detailed instructions on how to add CA certificates to Docker images during build time and to running containers. For images, it shows how to use a Dockerfile to install the `ca-certificates` package, copy the certificate, and update the certificates. For running containers, it outlines the steps to convert the certificate to `.crt` format (if necessary), copy it into the container, install `ca-certificates` (if not already installed), move the certificate to the correct directory, and update the CA certificates using `update-ca-certificates`. It also includes example commands and output for verification.