@raboof thanks for your answer. Unfortunately I can’t give you much of a response, as I’m really new to this ecosystem (Android, actually) and really don’t know what’s what, yet. I’m really just trying to follow the onboarding steps and adapt them to NixOS. I don’t know what these certificates will be used for.
I’ll keep your answer in mind though. Maybe it’ll become clearer in the coming weeks.
Anyway, I seem to have found a solution using a very different approach, which seems to also work for the Oracle JDKs (not sure any of the other advice here would). Please feel free to have a look and comment on that: Altering package (oraclejdk11) installation fails - #2 by mvb
I have just discovered this today, sorry for necro-thread! I also need to add a custom root certificate to my JDK so that Keycloak can communicate with LDAP over SSL.
Sadly, it doesn’t work if I have stuff in a flake. I end up with a failure:
building the system configuration...
error:
… while calling the 'head' builtin
at /nix/store/lzhqf5y9dcgfkg5f7f96jjc814pgrsqy-source/lib/attrsets.nix:1575:11:
1574| || pred here (elemAt values 1) (head values) then
1575| head values
| ^
1576| else
… while evaluating the attribute 'value'
at /nix/store/lzhqf5y9dcgfkg5f7f96jjc814pgrsqy-source/lib/modules.nix:809:9:
808| in warnDeprecation opt //
809| { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
| ^
810| inherit (res.defsFinal') highestPrio;
(stack trace truncated; use '--show-trace' to show the full trace)
error: attribute 'system' missing
at /nix/store/lzhqf5y9dcgfkg5f7f96jjc814pgrsqy-source/lib/modules.nix:508:28:
507| builtins.addErrorContext (context name)
508| (args.${name} or config._module.args.${name})
| ^
509| ) (lib.functionArgs f);
I end up in the situation where the trust is empty, just like @con-f-use is saying. I noticed @philipp later providing a similar snippet, but with config.environment.etc."ssl/certs/ca-certificates.crt".source instead of config.environment.etc."ssl/certs/ca-bundle.crt".source, and I am wondering why this difference? I am also confused about what config.environment.etc means, but I am guessing this is pointing to the /etc/…/truststore where the default truststore is located, in order to extract it to a different location?
I also don’t understand how putting it in a different location will work. I have two .cer files I need to include in the truststore; when are those taken into account?