How to add a trusted root to Linux
Daniel Nashed – 1 February 2025 11:29:06
The Domino container project is a very flexible way to install Domino.
Many business partners and consultants are using containers for their production environments and for testing.
The container project https://opensource.hcltechsw.com/domino-container/ supports many different distributions because there is no one-size-fits-all base.
In addition, there may be a need to test software on different Linux distributions.
The container project is a great option to run with different distributions.
In fact you can switch between distributions for the same server very quickly by just applying a different base image.
For a new customer project we are looking into Debian both as the host OS running Docker and as the base image for the container.
One of the reasons is that in the corporate world you need proxies to access the internet, for example to reach the package sources used to install and update Linux.
But some customers also need to run their own mirrors, to more tightly control the software they build with and to optimize resources.
I recently added custom repository support for Ubuntu, which is also supported by providers like Hetzner.
Now I am extending the custom repository support to Debian 12 as well for this customer.
But because this is a community project, this will of course be available to everyone.
The customer also has the need to add their trusted root to the container image.
Usually I would recommend building your own customer standard container image and deriving all other images from it.
This base image would be built on top of the vendor's standard base image and serve as the base for all of your Domino or other application container builds.
Still, I am also adding custom trusted root support to the Domino container project.
You will be able to just specify a trusted root to add to the local Linux trust store.
Like other low level functionality this works differently on different Linux flavors.
Here is what I am adding for SUSE, for Debian/Ubuntu and basically all the other Red Hat/RPM based systems (I tested Rocky, Alma & Co so far).
Note that on Debian/Ubuntu the file must end in .crt, because update-ca-certificates only picks up *.crt files from that directory; a root.pem copied there is silently ignored.
# Install the root into the distribution's trust store and rebuild the bundles
if [ -x /usr/bin/zypper ]; then
  # SUSE: p11-kit anchor directory, PEM under any extension
  cp -f root.pem /usr/share/pki/trust/anchors
  update-ca-certificates
elif [ -x /usr/bin/apt-get ]; then
  # Debian/Ubuntu: fresh images may lack ca-certificates and apt lists; only *.crt is picked up
  apt-get update
  apt-get install -y ca-certificates
  cp -f root.pem /usr/local/share/ca-certificates/root.crt
  update-ca-certificates
else
  # Red Hat, Rocky, Alma and other RPM based systems: PEM under any extension
  cp -f root.pem /etc/pki/ca-trust/source/anchors
  update-ca-trust
fi
You can test whether the root is trusted using curl against a server whose certificate chains to it, or with OpenSSL directly. A self-signed root only verifies against the default store if it is actually present in it, so the second command is a direct check of the trust store:
curl -v https://microca.nashcom.org
openssl verify root.pem
root.pem: OK
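As an added example (my own code, not the Domino container project's), here is the snippet above generalised into a small POSIX shell script: it detects the distribution the same way, renames the file to .crt where Debian's update-ca-certificates requires it, refuses to install anything that is not a CA certificate, and proves the result with openssl verify. The directory and command names are the real ones of each distribution; the function names and the optional package-manager override argument (used so the mapping can be checked without root) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the Domino container project's own code.
# Installs a CA root into the system trust store of SUSE, Debian/Ubuntu or
# RPM based systems and verifies that the system now trusts it.
set -eu

# Print "<anchor directory> <update command> <required file extension>" for
# the trust store of this system. An optional override (zypper|apt-get|rpm)
# replaces the auto-detection so the mapping can be checked without root.
trust_store_target() {
  pm="${1:-}"
  if [ -z "$pm" ]; then
    if [ -x /usr/bin/zypper ]; then
      pm=zypper
    elif [ -x /usr/bin/apt-get ]; then
      pm=apt-get
    else
      pm=rpm
    fi
  fi
  case "$pm" in
    zypper)  echo "/usr/share/pki/trust/anchors update-ca-certificates pem" ;;
    apt-get) echo "/usr/local/share/ca-certificates update-ca-certificates crt" ;;
    *)       echo "/etc/pki/ca-trust/source/anchors update-ca-trust pem" ;;
  esac
}

# File name to use inside the anchor directory. Debian's update-ca-certificates
# only picks up *.crt, so root.pem must become root.crt there; the p11-kit
# based stores on SUSE and Red Hat accept PEM under any extension.
anchor_file_name() {
  base=$(basename "$1")
  echo "${base%.*}.$2"
}

# Refuse anything that is not a CA certificate: a leaf certificate or a
# truncated file would either be ignored by the store or trusted as an issuer.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Copy the root into the store, rebuild the bundles and prove it is trusted.
install_trusted_root() {
  src="$1"
  target=$(trust_store_target "${2:-}")
  dir=${target%% *}
  ext=${target##* }
  update_cmd=${target#* }
  update_cmd=${update_cmd% *}

  is_ca_cert "$src" || { echo "$src: not a CA certificate" >&2; return 1; }

  # Fresh Debian/Ubuntu images may ship without ca-certificates and apt lists.
  if [ "$ext" = crt ] && [ -x /usr/bin/apt-get ]; then
    apt-get update
    apt-get install -y ca-certificates
  fi

  mkdir -p "$dir"
  cp -f "$src" "$dir/$(anchor_file_name "$src" "$ext")"
  "$update_cmd"

  # A self-signed root verifies against the default store only if it is in it.
  openssl verify "$src"
}

# Usage: sh add-trusted-root.sh root.pem   (needs root privileges)
if [ $# -gt 0 ]; then
  install_trusted_root "$1"
fi
```

Run it as root with the PEM file as the only argument. The final openssl verify is the same check the post describes: if the output is not "root.pem: OK", the file was not picked up, which on Debian/Ubuntu almost always means the .crt extension was missing.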