Enterprise CA (certificate authority) ​
Overview ​
Many companies implement a MITM (Man-in-the-Middle) firewall as part of a strict and secure network infrastructure using a self-hosted CA (certificate authority).
A custom root CA along with a MITM firewall, also known as an interception or enterprise certificate, is a digital certificate used by network security devices to intercept SSL/TLS-encrypted communication between a user and a server. During interception, data is decrypted and inspected for security and monitoring purposes.
Usage ​
Mounting Certificate Volume ​
To add your company's root CA, all you need to do is mount the certificate (or certificates) to /usr/local/share/ca-certificates/workspace/ path (in the container):
docker run \
-v /path/on-host/ca.crt:/usr/local/share/ca-certificates/workspace/ca.crt \
ghcr.io/kloudkit/workspacedocker run \
-v /folder/on-host:/usr/local/share/ca-certificates/workspace \
ghcr.io/kloudkit/workspaceInstall Certificate from HTTP Endpoint ​
Alternatively, you can add your company's root CA via an HTTP endpoint. Use the WS_EXTRA_CA_CERT_ENDPOINTS environment variable to define one or more (space delimited) endpoints pointing to the desired certificate.
WARNING
If your certificate is hosted on an insecure server you can use the WS_EXTRA_CA_CERT_INSECURE (set to any value) environment variable to ignore security checks.
This may be deemed risky due to the certificate being acquired through an unsecured process that lacks SSL/TLS encryption.
Please make sure that you accept the risk.
docker run \
-e WS_EXTRA_CA_CERT_ENDPOINTS="http://my-company.com/shared-ca.pem" \
ghcr.io/kloudkit/workspacedocker run \
-e WS_EXTRA_CA_CERT_ENDPOINTS="http://my-company.com/shared-1.pem http://other.com/ca.pem" \
ghcr.io/kloudkit/workspaceGenerated Configurations ​
The installed certificates will be detected at startup and bundled along with all other available certificates (into /usr/local/share/ca-certificates/workspace-bundle.crt).
In addition, each zsh session will contain program specific environment variables that require the abovementioned bundles and are set automatically (system-wide):
COMPOSER_CAFILECURL_CA_BUNDLENODE_EXTRA_CA_CERTSPIP_CERTREQUESTS_CA_BUNDLE