Add Self-Signed Certificates for Delegate Connections

Updated 2 months ago by Michael Cretzman

The Harness Delegate makes outbound connections to the resources you set up in Harness as Artifact Servers, Verification Providers, and so on. These platforms typically present certificates issued by public CAs whose root certificates ship with the OS and the Java runtime environment, so no additional steps are needed.

But if you are using self-signed certificates, you will need to add them to the Delegate.

These certificates are stored in the JRE keystore (the cacerts truststore) on each host running the Delegate (or in the truststore used for back-end application certificates). You can import the certificates manually or by using a Harness Delegate Profile.

The following profile references a Harness encrypted text secret named ex-cert (${secrets.getValue("ex-cert")}) that contains the base64-encoded certificate, copied into the Harness encrypted text secret using pbcopy. The profile decodes the secret and redirects it into a new file, ca.cer, which it then passes to the keytool import command.

Using Explicit Paths

Here is the self-signed certificate import using explicit paths to the Delegate's bundled JRE (run after ca.cer has been written from the secret):

/opt/harness-delegate/jdk8u242-b08-jre/bin/keytool -import -trustcacerts -keystore /opt/harness-delegate/jdk8u242-b08-jre/lib/security/cacerts -storepass changeit -alias <alias> -file ca.cer -noprompt

Replace <alias> with a unique name for this keystore entry; keytool requires a value after -alias.


Using JAVA_HOME

Here is the same import using the JAVA_HOME environment variable. First point JAVA_HOME at the Delegate's bundled JRE:

export JAVA_HOME=/opt/harness-delegate/<jdk_version>

Then decode the secret into ca.cer and import it with the keytool from that JRE:

echo ${secrets.getValue("ex-cert")} | base64 -d > ca.cer

$JAVA_HOME/bin/keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias <alias> -file ca.cer -noprompt

# Depending on the JDK version, the cacerts keystore might reside in a different location
# (for example, jre/lib/security/cacerts under a full JDK 8 install rather than lib/security/cacerts).
The default keystore password (changeit) is used in this example. If you have changed the default, replace the password with a reference to a Harness encrypted text secret rather than hardcoding it in the profile.

If the profile tries to import a certificate under an alias that already exists in the keystore, the keytool import fails and the profile stops. Guard the import with a check that queries the alias first (keytool -list exits 0 only when the alias is present), as follows:

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias <alias> >/dev/null 2>&1
if [ $? -eq 0 ]; then echo "Alias <alias> already exists"; else
  $JAVA_HOME/bin/keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias <alias> -file ca.cer -noprompt
fi
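The pieces above (decode the secret, check the alias, import only when missing) combined into one idempotent profile script, added here as an example; it is not Harness's own profile code. It assumes JAVA_HOME points at the Delegate's bundled JRE, that the base64-encoded CA arrives in the environment variable CERT_B64 (in a real profile Harness substitutes ${secrets.getValue("ex-cert")} there), and that the alias name harness-selfsigned-ca is your choice; the KEYTOOL, CACERTS and STOREPASS overrides are hypothetical and exist so the functions can be exercised without a JRE.

```shell
#!/bin/sh
# Added example, not Harness's own profile code: an idempotent self-signed CA
# import for the Delegate JRE truststore, built from the steps on this page.
#
# Assumptions (not from the page): JAVA_HOME is the Delegate's bundled JRE
# (falls back to /usr only so the script parses stand-alone); the CA is
# supplied base64-encoded in CERT_B64; KEYTOOL, CACERTS and STOREPASS are
# hypothetical overrides for testing and for non-default keystore passwords.

KEYTOOL="${KEYTOOL:-${JAVA_HOME:-/usr}/bin/keytool}"
CACERTS="${CACERTS:-${JAVA_HOME:-/usr}/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Exit 0 if alias $1 is already in the truststore, non-zero otherwise.
# keytool -list -alias reports "does not exist" and fails when it is missing.
alias_exists() {
  "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# Decode the base64 secret held in CERT_B64 into the PEM file $1,
# exactly as the profile on this page does with the ex-cert secret.
write_cert() {
  printf '%s' "$CERT_B64" | base64 -d > "$1"
}

# Import PEM file $1 under alias $2 unless that alias already exists.
# Prints "exists", "imported" or "failed"; returns 1 only when the import fails,
# so a duplicate alias no longer aborts the rest of the profile.
import_ca() {
  if alias_exists "$2"; then
    echo "exists"
    return 0
  fi
  if "$KEYTOOL" -import -trustcacerts -keystore "$CACERTS" -storepass "$STOREPASS" \
       -alias "$2" -file "$1" -noprompt >/dev/null 2>&1; then
    echo "imported"
    return 0
  fi
  echo "failed"
  return 1
}

# Profile entry point. On a Delegate host:
#   CERT_B64='<base64 cert>' JAVA_HOME=/opt/harness-delegate/<jdk_version> sh profile.sh
run_profile() {
  write_cert ca.cer || return 1
  import_ca ca.cer harness-selfsigned-ca
}
```

Because the alias check and the import both read the same keystore and password, a second run of the profile prints "exists" and leaves the truststore untouched, which is what you want when a Delegate Profile is re-applied on upgrade or on a new host.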
