Add Self-Signed Certificates for Delegate Connections

Updated 1 month ago by Michael Cretzman

The Harness Delegate makes outbound connections to the resources you set up in Harness as Artifact Servers, Verification Providers, and so on. These platforms typically use public certificates that ship with the OS and Java runtime environments, and so no additional steps are needed.

But if you are using self-signed certificates, you will need to add them to the Delegate.

These certificates are stored in the JRE keystore on the hosts running the Delegate (or truststore for back-end application certificates), and you can import the certificates manually or using a Harness Delegate Profile.

The following profile references a Harness encrypted text secret named ex-cert (${secrets.getValue("ex-cert")}) that contains the base64-encoded certificate (copied into the Harness encrypted text secret using pbcopy, for example). The decoded secret is redirected into a new file ca.cer, which is then passed to the keytool import command to import the certificate.

The keytool commands will not work unless the JDK's bin directory is on the PATH environment variable (for example, export PATH=${PATH}:/home/opt/<jdk_version>/bin).
# Decode the base64-encoded secret into a PEM file for keytool
echo ${secrets.getValue("ex-cert")} | base64 -d > ca.cer

# Import it into the JRE truststore (assumes JAVA_HOME is exported on the Delegate host)
keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias example.com -file ca.cer -noprompt

# The cacerts keystore location depends on the JDK version: JDK 8 keeps it under $JAVA_HOME/jre/lib/security/cacerts, JDK 9 and later under $JAVA_HOME/lib/security/cacerts.

The default keystore password is used in our example, but if you change the default you can replace the password with a Harness encrypted text secret.

If the profile tries to import a certificate whose alias already exists in the keystore, the keytool import fails and the profile stops. To prevent this, check for the alias first and wrap the import in an if block, as follows:

# keytool -list exits 0 when the alias is already present in the keystore
keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias example.com > /dev/null 2>&1
if [ $? -eq 0 ];
then
  echo "Alias example.com already exists"
else
  keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias example.com -file ca.cer -noprompt
fi
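As an added example (not the Harness profile shown above), the following profile script makes the import idempotent: it locates cacerts for both JDK 8 and JDK 9+ layouts, checks that the decoded secret really is a PEM certificate before touching the keystore, and skips the import when the alias is already present. The function names are mine, and the script assumes JAVA_HOME is exported on the Delegate host and that the secret holds the base64-encoded certificate, as in the ex-cert example.

```shell
#!/bin/sh
# Added example for a Harness Delegate Profile (not Harness's own script).
# Assumes JAVA_HOME is exported and the secret decodes to a PEM certificate.

# Locate cacerts: JDK 8 keeps it under jre/, JDK 9 and later directly under lib/.
cacerts_path() {
  if [ -f "$1/jre/lib/security/cacerts" ]; then
    echo "$1/jre/lib/security/cacerts"
  else
    echo "$1/lib/security/cacerts"
  fi
}

# Sanity-check the decoded file before importing: a wrong or truncated secret
# decodes to garbage, and keytool then fails with an unhelpful parse error.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Import cert_file under alias only if the alias is absent from the keystore,
# so re-running the profile does not abort on "already exists".
# Returns 2 when the file is not a PEM certificate, otherwise keytool's status.
import_if_missing() {
  keystore="$1"; alias="$2"; cert_file="$3"; storepass="${4:-changeit}"
  if ! is_pem_cert "$cert_file"; then
    echo "$cert_file is not a PEM certificate; refusing to import" >&2
    return 2
  fi
  if keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1; then
    echo "Alias $alias already exists; skipping import"
    return 0
  fi
  keytool -import -trustcacerts -keystore "$keystore" -storepass "$storepass" \
    -alias "$alias" -file "$cert_file" -noprompt
}

# Usage inside the profile (the decode step is the same as on the page):
#   echo ${secrets.getValue("ex-cert")} | base64 -d > ca.cer
#   import_if_missing "$(cacerts_path "$JAVA_HOME")" example.com ca.cer
```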
