
Custom Java Truststore (Optional)


If your environment requires a custom CA certificate bundle (e.g., self-signed or internal CA), follow these steps to configure a custom Java trust store for CodeTogether Intel.

1. Generate the Java trust store

As an example, the commands below generate a self-signed certificate for Keycloak.

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes \
-subj "/CN=<keycloak_url>"

Info: For a detailed, external walk-through of creating a Java truststore, see: Java Truststore Walkthrough (Oracle Docs)

2. Prepare the cacerts file for the Kubernetes secret

Import into the default JVM cacerts store

2.1. Convert your PEM + key to PKCS#12:

openssl pkcs12 -export \
-in cert.pem \
-inkey key.pem \
-name mycert \
-out keycloak.p12 \
-passout pass:changeit

Note: The password defaults to changeit.

2.2. Retrieve the cacerts file

To set up the trusted certificates file for the CodeTogether runtime, you can either use a pre-configured Java-style cacerts file or download the standard cacerts file that CodeTogether ships with. If unsure, download the standard CodeTogether file.

Info: Download the distributed cacerts

${JAVA_HOME}/bin/keytool -importkeystore \
-deststorepass changeit \
-destkeystore ${YOUR_DOWNLOAD_PATH}/cacerts \
-srckeystore keycloak.p12 \
-srcstoretype PKCS12 \
-srcstorepass changeit \
-alias mycert

2.3. Create the Kubernetes secret with the cacerts file

Note: If you are using the default Java cacerts file, including the one provided by CodeTogether, the default password is changeit. In this case, use the password-protected version of the Kubernetes secret command below.

kubectl create secret generic custom-java-cacerts \
--from-file=cacerts=${YOUR_DOWNLOAD_PATH}/cacerts \
--from-literal=trustStorePassword='changeit' \
--namespace=default
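
Before deploying, the cacerts file produced in step 2.2 can be checked against cert.pem with a script like the following, which is an added example and not part of the CodeTogether documentation (function names and verdict strings are hypothetical; it assumes openssl and keytool are on PATH). Because step 2.1 bundles key.pem into keycloak.p12, keytool -importkeystore copies the private key along with the certificate, so the script also reports when the alias is a PrivateKeyEntry rather than a certificate-only trustedCertEntry.

```shell
#!/bin/sh
# Added example (not from the CodeTogether docs): compare the certificate in
# cert.pem with the entry stored under an alias in the cacerts file.
# Assumes openssl and keytool are on PATH and that keytool prints SHA-256
# fingerprints. Function names and verdict strings are hypothetical.

# Reduce "sha256 Fingerprint=AA:BB" or "... (SHA-256): AA:BB" to bare hex.
normalize_fp() {
  printf '%s\n' "$1" | tr -d ' :' | sed 's/.*[=)]//' | tr 'a-f' 'A-F'
}

# $1 = openssl fingerprint line, $2 = full `keytool -list -alias` output.
evaluate_entry() {
  local want got kind
  want=$(normalize_fp "$1")
  got=$(printf '%s\n' "$2" | grep -i 'fingerprint' | head -n 1)
  if [ -z "$got" ]; then echo MISSING; return 0; fi
  if [ "$(normalize_fp "$got")" != "$want" ]; then echo MISMATCH; return 0; fi
  kind=$(printf '%s\n' "$2" | grep -Eo 'PrivateKeyEntry|trustedCertEntry' | head -n 1)
  # A PrivateKeyEntry means key.pem was copied into the truststore as well.
  if [ "$kind" = "PrivateKeyEntry" ]; then
    echo MATCH_WITH_PRIVATE_KEY
  else
    echo MATCH
  fi
}

# Usage: check_truststore cert.pem /path/to/cacerts mycert [storepass]
check_truststore() {
  local cert="$1" store="$2" entry="$3" pass="${4:-changeit}" want out verdict
  want=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 2
  # keytool exits non-zero when the alias is absent; keep its output anyway.
  out=$(keytool -list -keystore "$store" -storepass "$pass" -alias "$entry" 2>&1) || true
  verdict=$(evaluate_entry "$want" "$out")
  echo "$entry: $verdict"
  case "$verdict" in MATCH*) return 0 ;; *) return 1 ;; esac
}

# Run only when arguments are supplied, so the file can also be sourced.
if [ "$#" -ge 3 ]; then check_truststore "$@"; fi
```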

3. Deployment Options

A. Helm

A.1. Update values.yaml

java:
  customCacerts:
    enabled: true
    cacertsSecretName: custom-java-cacerts

A.2. Deploy or upgrade

helm upgrade --install codetogether-intel codetogether/codetogether-intel \
-n default \
-f values.yaml

B. Docker Compose

B.1. Mount the truststore and set JVM options

In your compose.yaml, add:

services:
  codetogether-intel:
    volumes:
      - ${YOUR_DOWNLOAD_PATH}/cacerts:/etc/ssl/certs/java/cacerts:ro
    environment:
      - JAVA_OPTS=-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit

B.2. Start Containers

Now that the truststore is configured and your reverse proxy is ready for HTTPS, start the containers:

docker-compose up --pull always --wait