Feature to add custom CA

While integrating an endpoint with OpenID Connect against an on-premise Keycloak that uses a self-signed certificate, I keep getting HTTP 401 Unauthorized.
In the logs:
level=warning msg="JWT Invalid: Validation error. Validation error. Failure while contacting the configuration endpoint https://keycloak:9443/auth/realms/my-realm/.well-known/openid-configuration.

[1] First request: please do not swallow the error. I only found out that the cause is actually "Get https://keycloak:9443/auth/realms/my-realm/.well-known/openid-configuration: x509: certificate signed by unknown authority" after adding some extra debug logs.

[2] To solve no. 1, I need a feature that allows me to add an additional CA to the TLSConfig.
See https://forfuncsake.github.io/post/2017/08/trust-extra-ca-cert-in-go-app/
…/tyk/vendor/github.com/TykTechnologies/openid2go/openid/middleware.go #25 is using http.Get, which uses http.DefaultClient.Get.

You can add this CA to the OS trusted store and Tyk should see it.

Regarding the swallowed error, we will definitely take a look at how to handle it better.


For anyone else that runs into this, you can add the CA cert and the public key to the trusted cert store by following these directions:

1. Generate a certificate for a root CA using your private key.
Run the command below to generate a root CA cert:

    openssl req -x509 -new -nodes -key key.pem -sha256 -days 1825 -out myCA.crt   

In the above command, 'key.pem' is your private key. 'myCA.crt' will be the root CA cert output from this command. When generating the cert, you will be asked to enter a Common Name. Ensure that the Common Name you enter aligns with the OpenID issuer configured for the API in Tyk.

2. Mount the root CA certificate.
Copy the root CA cert (myCA.crt) generated in step 1 to "/usr/local/share/ca-certificates/" on the Gateway instance.

3. Add the public key "cert.pem" to the /etc/ssl/certs directory.

4. Update the CA store.
Run the following command on the Gateway instance:


You should now be able to use the self-signed certificate as a trusted authority.

Alternatively, you can create a custom image based on the official Gateway image using a custom Dockerfile:

    FROM tykio/tyk-gateway:v2.9.0

    # Replace cert.pem with your public key
    COPY ./certs/cert.pem /etc/ssl/certs/cert.pem
    # Replace myCA.crt with your root cert. Note: it is important to keep the .crt extension.
    COPY ./certs/myCA.crt /usr/local/share/ca-certificates/myCA.crt

    # Replace myCA.crt with the root cert from the previous line
    RUN chmod 644 /usr/local/share/ca-certificates/myCA.crt

    RUN update-ca-certificates
    WORKDIR /opt/tyk-gateway/

    ENTRYPOINT ["./entrypoint.sh"]