
Custom Java Truststore (Optional)


If your environment requires a custom CA certificate bundle (e.g., self-signed or internal CA), follow these steps to configure a custom Java trust store for CodeTogether Intel.

1. Generate the Java trust store

As an example, we configure Keycloak with a self-signed certificate:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes \
-subj "/CN=<keycloak_url>"

Info: For a detailed, external walk-through of creating a Java truststore, see: Java Truststore Walkthrough (Oracle Docs)

2. Prepare the cacerts file for the Kubernetes secret

Import into the default JVM cacerts store

2.1. Convert your PEM + key to PKCS#12:

openssl pkcs12 -export \
-in cert.pem \
-inkey key.pem \
-name mycert \
-out keycloak.p12 \
-passout pass:changeit

Note: The password defaults to changeit.

2.2. Retrieve the cacerts file

To set up the trusted certificates file for the CodeTogether runtime, you can either use a pre-configured Java-style cacerts file or download the standard cacerts file that CodeTogether ships with. If unsure, download the standard CodeTogether file.

Info: Download the distributed cacerts

${JAVA_HOME}/bin/keytool -importkeystore \
-deststorepass changeit \
-destkeystore ${YOUR_DOWNLOAD_PATH}/cacerts \
-srckeystore keycloak.p12 \
-srcstoretype PKCS12 \
-srcstorepass changeit \
-alias mycert

2.3. Create the Kubernetes secret with the cacerts file

Note: If you are using the default Java cacerts file, including the one provided by CodeTogether, the default password is changeit. In this case, use the password-protected version of the Kubernetes secret command below.

kubectl create secret generic custom-java-cacerts \
--from-file=cacerts=${YOUR_DOWNLOAD_PATH}/cacerts \
--from-literal=trustStorePassword='changeit' \
--namespace=default

Alternative: Import a public certificate directly (no private key needed)

If your SSO or CA provides a public certificate (.crt or .pem), you can import it directly into your cacerts truststore:

# (Optional) Copy your JVM's default cacerts to your working directory
cp ${YOUR_DOWNLOAD_PATH}/cacerts ./cacerts

# Import your SSO public cert
${JAVA_HOME}/bin/keytool -import \
-file sso.crt \
-alias sso.host \
-keystore ./cacerts \
-storepass changeit \
-trustcacerts \
-noprompt
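
A check to run on the cacerts file before creating the secret in 2.3, covering both import routes above (an added example, not part of the CodeTogether documentation). keytool -importkeystore copies the entry as it is stored in the PKCS#12 file, so the route in 2.2 places key.pem in the truststore as a PrivateKeyEntry, while keytool -import stores a trustedCertEntry; the function names and the sample listing are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit a cacerts file before it goes into the Kubernetes secret.
# Function names and the sample listing are constructed for illustration.

# parse_listing: read `keytool -list` output on stdin, print one line per entry
# as "alias<TAB>entry type<TAB>fingerprint".
parse_listing() {
  awk -F', *' '
    /(PrivateKeyEntry|trustedCertEntry), *$/ { alias = $1; kind = $(NF-1); next }
    /^Certificate fingerprint/ && alias != "" {
      sub(/^[^:]*: */, "")   # drop the "Certificate fingerprint (...): " label
      print alias "\t" kind "\t" $0
      alias = ""
    }'
}

# check_entry ALIAS FINGERPRINT: read a listing on stdin and return
#   0 = certificate-only entry with the expected fingerprint
#   1 = entry carries a private key, 2 = alias missing, 3 = fingerprint differs
check_entry() {
  row=$(parse_listing | awk -F'\t' -v a="$1" '$1 == a')
  [ -n "$row" ] || return 2
  [ "$(printf '%s\n' "$row" | cut -f2)" = "trustedCertEntry" ] || return 1
  [ "$(printf '%s\n' "$row" | cut -f3)" = "$2" ] || return 3
}

# audit_truststore CACERTS STOREPASS ALIAS CERT_FILE: same check on real files.
# Assumes a JDK whose `keytool -list` prints SHA-256 fingerprints.
audit_truststore() {
  want=$(openssl x509 -in "$4" -noout -fingerprint -sha256 | cut -d= -f2)
  "${JAVA_HOME}/bin/keytool" -list -keystore "$1" -storepass "$2" |
    check_entry "$3" "$want"
}

# Constructed sample of `keytool -list` output (fingerprints shortened).
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

mycert, Jan 1, 2025, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD
sso.host, Jan 1, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44'
```

For example, `audit_truststore "${YOUR_DOWNLOAD_PATH}/cacerts" changeit sso.host sso.crt` returns 0 only when the alias is a certificate-only entry whose fingerprint matches sso.crt; status 1 means the file, and so the Kubernetes secret built from it, contains a private key.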

3. Deployment Options

A. Helm

A.1. Update values.yaml

java:
  customCacerts:
    enabled: true
    cacertsSecretName: custom-java-cacerts

Enable trustAllCerts Flag

You can configure CodeTogether Intel to trust all certificates (e.g. self‑signed or internal CAs) by adding the trustAllCerts flag under codetogether in your values.yaml:

codetogether:
  url: https://<server-fqdn>
  trustAllCerts: true

A.2. Deploy or upgrade

helm upgrade --install codetogether-intel codetogether/codetogether-intel \
-n default \
-f values.yaml

B. Docker Compose

B.1. Mount the Truststore

In your compose.yaml, add a volume to mount the custom cacerts file:

services:
  codetogether-intel:
    volumes:
      - ${YOUR_DOWNLOAD_PATH}/cacerts:/etc/ssl/certs/java/cacerts:ro

B.2. Customize Truststore using CT_JAVA_OPTIONS

Add JVM options by specifying the CT_JAVA_OPTIONS property in your .env file:

CT_JAVA_OPTIONS=-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit

Enable trustAllCerts Flag

You can configure CodeTogether Intel to trust all certificates (e.g. self-signed or internal CAs). If you are having issues with certificate trust, this setting bypasses all certificate checks. In your .env:

# Enable "trust all certificates"
CT_TRUST_ALL_CERTS=true

B.3. Start Containers

Now that the truststore is configured and your reverse proxy is ready for HTTPS, start the containers:

docker-compose up --pull always --wait