Search code examples
openshiftibm-mqredhat-containers

How to install x509 certificate to the Personal store Current User in Openshift4 Pod?

I need to install the certificate to the personal store of CurrentUser in openshift4 pod. When I run the below code, it throws the error.

private static void InstallCertificate(string cerFileName, string friendlyName)
        {
            X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                X509Certificate2 certificate = new X509Certificate2(cerFileName, "<<CertificatePassword>>");
                if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && !string.IsNullOrEmpty(friendlyName))
                {
                    certificate.FriendlyName = friendlyName;
                }
                store.Open(OpenFlags.ReadWrite);
                store.Add(certificate);
            }
            catch (Exception ex)
            {
                Console.WriteLine($"Error in adding cert: {ex.Message}");
            }
            store.Close();
        }

Code is in a .NET 6 console application. This certificate will be used for SSL authentication required for connecting to MQ from OCP4 pod.

Error Message: The X509 certificate could not be added to the store. Error:

System.Security.Cryptography.CryptographicException: The X509 certificate could not be added to the store.
 ---> System.UnauthorizedAccessException: Access to the path '/.dotnet/corefx/cryptography/x509stores/my' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at System.IO.FileSystem.CreateDirectory(String fullPath)
   at System.IO.Directory.CreateDirectory(String path)
   at Internal.Cryptography.Pal.DirectoryBasedStoreProvider.AddCertToStore(ICertificatePal certPal)
   at Internal.Cryptography.Pal.DirectoryBasedStoreProvider.Add(ICertificatePal certPal)
   --- End of inner exception stack trace ---
   at Internal.Cryptography.Pal.DirectoryBasedStoreProvider.Add(ICertificatePal certPal)
   at System.Security.Cryptography.X509Certificates.X509Store.Add(X509Certificate2 certificate)
Solution

  • I was able to resolve the issue using the below steps:

    1. Added the command to create the .dotnet folder only in the dockerfile. (This created the folder .dotnet in the root directory.)
    RUN mkdir /.dotnet
    1. Added the below command to provide the permission to root group for the .dotnet folder
    RUN chgrp -R 0 /.dotnet && \
    chmod -R g=u /.dotnet

    By default the container started in OpenShift gets a random user ID. Therefore images not designed to handle such a random UID will fail with permission errors. Adding the given command to the Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image. Because the container user is always a member of the root group, the container user can read and write these files. The root group does not have any special permissions (unlike the root user) so there are no security concerns with this arrangement.

    1. After adding the above two commands in the dockerfile, the code ran without any issues.

    I have collated all the steps that might help others!