Skip to content

docs: document importing an internal CA into the installed JDK (cacerts)#1051

Merged
brunoborges merged 1 commit into
mainfrom
docs/jdk-cacerts-keytool
Jun 23, 2026
Merged

docs: document importing an internal CA into the installed JDK (cacerts)#1051
brunoborges merged 1 commit into
mainfrom
docs/jdk-cacerts-keytool

Conversation

@brunoborges

@brunoborges brunoborges commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

What

Follow-up to #1050. Adds a "Trusting an internal CA inside the installed JDK" subsection to the self-signed certificate / internal CA docs in docs/advanced-usage.md.

Why

#1050 documented the download/transport layer (making the runner trust the CA via NODE_EXTRA_CA_CERTS so the JDK can be downloaded). That's separate from the JDK runtime layer: once installed, the java runtime has its own cacerts keystore, and builds that call internal HTTPS endpoints fail with:

PKIX path building failed: unable to find valid certification path to requested target

This subsection closes that gap.

What it covers

  • Why the JDK has its own trust store ($JAVA_HOME/lib/security/cacerts), independent of the OS/Node trust stores.
  • A keytool -importcert example that runs after actions/setup-java (so JAVA_HOME points at the freshly installed JDK).
  • Caveats: default changeit keystore password, hosted vs self-hosted persistence, idempotent aliasing.
  • Notes there is no dedicated action input for a custom cacerts file — the post-install step covers it.

Notes

  • Docs-only; no source or dist/ changes.
  • prettier --check passes.

Closes #1035

@brunoborges
docs: add post-install keytool import for the JDK cacerts trust store
cbbbb77 
Document how to make the installed JDK trust an internal CA at application
runtime by importing it into $JAVA_HOME/lib/security/cacerts with keytool
after setup-java runs. Clarifies this is the runtime trust layer, distinct
from the download/transport layer (NODE_EXTRA_CA_CERTS), and notes hosted vs
self-hosted persistence caveats.

Refs #640 #1035

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@brunoborges brunoborges requested a review from a team as a code owner June 23, 2026 01:57
Copilot AI review requested due to automatic review settings June 23, 2026 01:57
@brunoborges brunoborges mentioned this pull request Jun 23, 2026
Closed
@brunoborges brunoborges merged commit 668c1ea into main Jun 23, 2026
4 checks passed
@brunoborges brunoborges deleted the docs/jdk-cacerts-keytool branch June 23, 2026 01:59
Copilot AI reviewed Jun 23, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates docs/advanced-usage.md to document how to trust an internal/self-signed CA inside the installed JDK (the cacerts trust store) after actions/setup-java has completed, addressing runtime TLS failures (e.g., PKIX path building errors) that are distinct from download-time TLS issues covered previously.

Changes:

  • Adds a new “Trusting an internal CA inside the installed JDK” subsection under the existing self-signed/internal CA documentation.
  • Provides a post-install keytool -importcert workflow example targeting $JAVA_HOME/lib/security/cacerts.
  • Adds caveats about cacerts password, hosted vs self-hosted persistence, and alias/idempotency behavior.
Show a summary per file
File Description
docs/advanced-usage.md Adds guidance and an example for importing an internal CA into the installed JDK’s cacerts trust store after setup-java.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Comment thread docs/advanced-usage.md
- The default keystore password for `cacerts` is `changeit` unless your distribution overrides it.
- On **hosted runners** the change applies only to the current job's JDK and is discarded when the job ends, so include the import step in every job that needs it.
- On **self-hosted runners**, importing into a tool-cache JDK persists for as long as that cached version remains on the runner; if you want it to survive JDK reinstalls, pre-seed the CA into your runner image or re-run the import step each time.
- Prefer giving the certificate a stable, descriptive `-alias` so re-runs are idempotent (re-importing the same alias will fail; add `keytool -delete -alias internal-ca ...` first if you re-run within a long-lived runner).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support optional custom cacerts input for installed JDK

2 participants

@brunoborges