
TLS & Certificates

Presswerk runs on HTTP internally. TLS is terminated by a reverse proxy in front of the application.

Place a reverse proxy (nginx, Traefik, or Caddy) in front of both Presswerk and Keycloak. Both services must be reachable over HTTPS in production; the plain-HTTP addresses are for local development only:

  • Application: https://reports.your-domain.com in production, http://localhost:8080 in local development
  • Keycloak: https://auth.your-domain.com in production, http://localhost:8081 in local development

See Reverse Proxy for configuration examples.

If your organization uses an internal CA (e.g. for LDAP, internal APIs, or database connections), the application container needs to trust it. The JVM does not by itself pick up certificates dropped into /usr/local/share/ca-certificates; it consults only its Java TrustStore. The file you mount therefore has to be a truststore (JKS or PKCS#12) that already contains the internal CA, not the bare CA certificate.

Mount the truststore and point the JVM at it:

# docker-compose.yml — app service
volumes:
  - ./certs/truststore.jks:/usr/local/share/ca-certificates/truststore.jks:ro
environment:
  JAVA_OPTS: >-
    -Djavax.net.ssl.trustStore=/usr/local/share/ca-certificates/truststore.jks
    -Djavax.net.ssl.trustStorePassword=changeit

Setting javax.net.ssl.trustStore replaces the JDK's default cacerts rather than extending it. Build truststore.jks from a copy of cacerts and add the internal CA to that copy; a truststore holding only the internal CA makes every public HTTPS endpoint the application calls untrusted. The password "changeit" is the JDK default and only protects the file's integrity, since a truststore holds no private keys.

Alternatively, with ./certs/internal-ca.crt mounted read-only at /usr/local/share/ca-certificates/internal-ca.crt, import the CA certificate into the JDK's default truststore at container startup using a custom entrypoint. Note the doubled $$: Compose interpolates $VAR from the host environment before the container runs, so a single $JAVA_HOME would be expanded on the host (usually to nothing) and the keystore path would be wrong. The import also needs write access to $JAVA_HOME/lib/security/cacerts, which a container running as a non-root user typically lacks; the command below still starts the application when the import fails, so check the startup log for the message rather than assuming the CA is trusted.

entrypoint: >
  sh -c "
  keytool -importcert -trustcacerts -noprompt
  -alias internal-ca
  -file /usr/local/share/ca-certificates/internal-ca.crt
  -keystore $$JAVA_HOME/lib/security/cacerts
  -storepass changeit 2>/dev/null || echo 'internal-ca import failed or alias already present' >&2;
  exec java -jar /app/app.jar
  "

Keycloak can also terminate TLS itself. This is only needed when the hop between the reverse proxy and Keycloak should be encrypted, or when Keycloak is exposed without a proxy; with TLS terminated at the proxy as described above, leave these unset. The certificate and key are configured via environment variables. KC_HTTPS_TRUST_STORE_FILE is the truststore Keycloak uses to validate client certificates (mTLS); it is not used for Keycloak's outbound connections, which are covered below:

# docker-compose.yml — keycloak service
environment:
  KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/certs/tls.crt
  KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/certs/tls.key
  KC_HTTPS_TRUST_STORE_FILE: /opt/keycloak/certs/truststore.jks
  KC_HTTPS_TRUST_STORE_PASSWORD: changeit
volumes:
  - ./certs:/opt/keycloak/certs:ro

The Keycloak image runs as a non-root user, so the mounted key file must be readable by that user; a key created as root with mode 0600 on the host will not be, and Keycloak fails to start.

For outbound TLS trust (e.g. LDAP federation over LDAPS, or a brokered identity provider with an internally signed certificate), Keycloak uses a separate truststore:

environment:
  KC_SPI_TRUSTSTORE_FILE_FILE: /opt/keycloak/certs/truststore.jks
  KC_SPI_TRUSTSTORE_FILE_PASSWORD: changeit

The spi-truststore-file options are deprecated from Keycloak 24 onward. Newer versions accept PEM files or directories directly through KC_TRUSTSTORE_PATHS (for example KC_TRUSTSTORE_PATHS: /opt/keycloak/certs/internal-ca.crt), which avoids maintaining a JKS file at all.

For development or internal-only deployments, you can generate a self-signed certificate. Put the hostname in a subjectAltName extension: browsers ignore the CN and reject a certificate without a matching SAN even after you have trusted it. List every hostname the proxy serves (add a second DNS: entry for the Keycloak hostname if the same certificate serves it) or issue one certificate per host. The -addext option requires OpenSSL 1.1.1 or newer.

openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout certs/tls.key \
  -out certs/tls.crt \
  -subj "/CN=reports.internal.acme.com" \
  -addext "subjectAltName=DNS:reports.internal.acme.com"

Configure your reverse proxy to use these certificates. Browsers and API clients reject a self-signed certificate until it is imported into their trust store (for curl, pass --cacert certs/tls.crt), so treat this as a development shortcut rather than a substitute for certificates from a CA your clients already trust.
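The following script is an added example and not part of the Presswerk project. It ties together the two certificate tasks on this page: it creates an internal CA, issues a server certificate whose subjectAltName covers both proxy hostnames (the check browsers actually perform), verifies the result the way a TLS client would, and builds a Java truststore for the application by copying the JDK's cacerts and adding the internal CA, so public roots stay trusted when javax.net.ssl.trustStore is set. The hostnames, the truststore password, the output directory and the script name make-certs.sh are assumptions; it needs OpenSSL 1.1.1 or newer, and keytool on PATH for the truststore step.

```shell
#!/bin/sh
# Added example, not Presswerk project code. Assumed names: the two hostnames,
# the password, the output directory and the file name make-certs.sh.
# Requires OpenSSL >= 1.1.1 (-ext); keytool is optional for the truststore step.
set -eu

APP_HOST="${APP_HOST:-reports.internal.acme.com}"
AUTH_HOST="${AUTH_HOST:-auth.internal.acme.com}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"

# make_ca DIR: self-signed CA key and certificate (10 years). The default
# openssl.cnf marks a `req -x509` certificate as CA:TRUE.
make_ca() {
  dir=$1
  openssl req -x509 -nodes -newkey rsa:3072 -days 3650 \
    -keyout "$dir/internal-ca.key" -out "$dir/internal-ca.crt" \
    -subj "/CN=Internal Root CA" 2>/dev/null
}

# make_server_cert DIR: key + CSR, signed by the CA with a SAN listing both
# hostnames. A certificate carrying only a CN fails hostname validation in
# current browsers, which is why the SAN is written via an extension file.
make_server_cert() {
  dir=$1
  openssl req -nodes -newkey rsa:2048 \
    -keyout "$dir/tls.key" -out "$dir/tls.csr" \
    -subj "/CN=$APP_HOST" 2>/dev/null
  printf 'subjectAltName=DNS:%s,DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$APP_HOST" "$AUTH_HOST" > "$dir/san.ext"
  openssl x509 -req -in "$dir/tls.csr" -days 365 \
    -CA "$dir/internal-ca.crt" -CAkey "$dir/internal-ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/tls.crt" 2>/dev/null
}

# verify_cert DIR HOST: succeed only if tls.crt chains to the internal CA and
# its SAN lists HOST as a complete entry (the two checks a TLS client performs).
verify_cert() {
  dir=$1
  host=$2
  openssl verify -CAfile "$dir/internal-ca.crt" "$dir/tls.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/tls.crt" -noout -ext subjectAltName 2>/dev/null \
    | grep -qE "DNS:$host(,|\$)"
}

# make_truststore DIR: copy the JDK's cacerts and add the internal CA, so that
# pointing javax.net.ssl.trustStore at the result keeps the public roots.
# Returns 2 (not a failure) when keytool or cacerts cannot be found.
make_truststore() {
  dir=$1
  command -v keytool >/dev/null 2>&1 || return 2
  jh=${JAVA_HOME:-$(dirname "$(dirname "$(readlink -f "$(command -v keytool)")")")}
  [ -f "$jh/lib/security/cacerts" ] || return 2
  cp "$jh/lib/security/cacerts" "$dir/truststore.jks"
  # cacerts ships with the JDK default password "changeit"; import, then rotate.
  keytool -importcert -noprompt -trustcacerts -alias internal-ca \
    -file "$dir/internal-ca.crt" -keystore "$dir/truststore.jks" \
    -storepass changeit >/dev/null 2>&1
  [ "$TRUSTSTORE_PASS" = changeit ] || keytool -storepasswd \
    -keystore "$dir/truststore.jks" -storepass changeit -new "$TRUSTSTORE_PASS" >/dev/null 2>&1
  keytool -list -keystore "$dir/truststore.jks" -storepass "$TRUSTSTORE_PASS" \
    -alias internal-ca >/dev/null 2>&1
}

main() {
  out=${1:-certs}
  mkdir -p "$out"
  make_ca "$out"
  make_server_cert "$out"
  verify_cert "$out" "$APP_HOST"
  verify_cert "$out" "$AUTH_HOST"
  make_truststore "$out" || echo "keytool or cacerts not found; truststore skipped" >&2
  echo "wrote $out/internal-ca.crt, $out/tls.crt, $out/tls.key"
}

# Runs only when saved and invoked as make-certs.sh; sourcing the file just
# defines the functions.
case "${0##*/}" in make-certs.sh) main "$@" ;; esac
```

Run it as `sh make-certs.sh certs`, mount certs/tls.crt and certs/tls.key into the reverse proxy, certs/truststore.jks into the application container, and import certs/internal-ca.crt into the browsers and CI hosts that need to trust the deployment. Because the server certificate is issued by a CA rather than self-signed, rotating it later does not require touching the clients again.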

Verify the result from outside the host. The first command shows which certificate is actually served for the name (subject, issuer, SAN, validity); the second prints the full handshake, where "Verify return code: 0 (ok)" confirms the chain is trusted (for an internal CA add -CAfile internal-ca.crt):

# Check the certificate served for the hostname
openssl s_client -connect reports.your-domain.com:443 -servername reports.your-domain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
# Full handshake; look for "Verify return code: 0 (ok)"
openssl s_client -connect reports.your-domain.com:443 -servername reports.your-domain.com </dev/null
# Verify health through TLS
curl -v https://reports.your-domain.com/api/actuator/health