
Import certificate for a new registry through the Graphical Interface

Status: Open. luizmalere opened this issue 1 year ago · 3 comments

UX Description

When configuring a new registry, it's desirable to import a new certificate using the same screen that currently has the URL for the new registry, alongside the username and password.

The screen would support a .crt file, either imported with a button or drag and drop.

Today, it's necessary to connect to the podman machine and perform manual steps to import the registry certificate: https://podman-desktop.io/docs/podman/adding-certificates-to-a-podman-machine.

Request type

UX analysis/suggestions for improvement

Primary Contact

luiz.malere at gmail lmalere at redhat

Deadline for request

End of the year 2024

luizmalere avatar Nov 19 '24 18:11 luizmalere

This issue has been automatically marked as stale because it has not had activity in the last 6 months. It will be closed in 30 days if no further activity occurs. Please feel free to leave a comment if you believe the issue is still relevant. Thank you for your contributions!

github-actions[bot] avatar May 20 '25 00:05 github-actions[bot]

This issue has been automatically closed because it has not had any further activity in the last 30 days. Thank you for your contributions!

github-actions[bot] avatar Jun 19 '25 00:06 github-actions[bot]

I think this has to be considered! thanks for reporting @luizmalere

slemeur avatar Jun 19 '25 07:06 slemeur

Hello, based on the discussion with @cdrage and @Firewall this would be possible only on Windows and Mac (on Linux Podman is native, so we would be modifying our own system). There is a `podman machine cp` command that we could use for this, or we could go through the steps in the docs.

Personally I would move adding the certs from "Registries" e.g. to "Resources" under "More options", as a new tab on the podman machine connection, since we can have multiple machines on each machine.

My questions are:

  1. What about allowing copying not just certs but any files? Would this be useful at all?
  2. `podman machine cp` allows using the podman machine as the source too; we can allow copying from machine -> local computer if there is any use for this.
  3. We can either copy just the cert like in https://podman-desktop.io/docs/podman/adding-certificates-to-a-podman-machine (podman machine ssh / podman machine cp), or we can do something similar to what Docker does: https://docs.docker.com/engine/security/certificates/ ?

@MariaLeonova would be possible to create some basic mockup for this? @benoitf can you PTAL?

gastoner avatar Jul 09 '25 06:07 gastoner

would be possible to create some basic mockup for this?

Absolutely! Give me a couple days, I'll allocate some time for it, @gastoner .

MariaLeonova avatar Jul 09 '25 11:07 MariaLeonova

@gastoner I have a couple of clarifying questions:

  • does the user need to add a certificate every time they are adding a registry?
  • what is the purpose of adding a certificate at this point?
  • if they add a certificate while adding a registry, will it still need to be added to a podman machine?
  • if the user already has some certificates added, can they use them at this point, too?
  • what are the technical considerations around adding certificates in this window directly (as a .crt file)?

Answers to these will help determine the flow.

MariaLeonova avatar Jul 10 '25 08:07 MariaLeonova

does the user need to add a certificate every time they are adding a registry?

I don't think so; right now we are not doing this at all, but for some custom registries the user might want to add some certs in order to improve security and trust.

what is the purpose of adding a certificate at this point?

Improve trust in the registry (integrity, trust, encryption?)

if they add a certificate while adding a registry, it will still need to be added to a podman machine?

I understand it this way: the cert should be added to the podman machine -> this machine will have a cert that it can use for accessing registries.

if the user already has some certificates added, can they use them at this point, too?

I think it should be done by design: after running `update-ca-certificates`, this should update the certs in the machine, and they should be used automatically in order to verify the registry.

what are the technical considerations around adding certificates in this window directly (as a .crt file)?

I think we should support .crt, .cer and .pem extensions? So maybe a file selector enabling those extensions + some input form for where to copy the files / a hardcoded path (/usr/local/share/ca-certificates) if only for certs?

I feel like this dialog or so should be in Resources rather than in Registries. Let's say you have 2+ machines on your laptop; which one will it copy into? So, having it in Resources feels more natural?

gastoner avatar Jul 10 '25 09:07 gastoner

Thank you for answering! So currently I don't see any way to bring in the certificates through the UI. I would suggest the following (and I think both can co-exist):

  1. add an optional field to the Add Registry dialogue
  2. add a way to bring certificates in as a file on the machine configuration in Resources / on a higher level if that makes sense.

"If the registry has an insecure certificate, you should see an "Invalid Certificate" warning window pop up." - do you please have an example?

MariaLeonova avatar Jul 14 '25 10:07 MariaLeonova

(image attachment)

gastoner avatar Jul 15 '25 05:07 gastoner

We discussed this in a meeting and agreed to make wireframes for how it can potentially be addressed. It would also be helpful to know if there are analytics on certificate usage in Podman Desktop, i.e. how many users have them set up.

MariaLeonova avatar Jul 28 '25 10:07 MariaLeonova

I'll look into analytics ASAP.

What we could do here (based on our conversation on Monday):

1. Certificate Manager, used for managing certificates:

  • List the uploaded certificates (with their fingerprints)
  • Upload a new certificate
  • Remove an existing certificate
  • The dialog can be loosely based on the Fork (Git client) SSH key management window.

2. The dialog would use the expand/collapse chevron, hiding (by default) the advanced settings:

  • Certificate dropdown (showing the list of certificates, disabled when there's no certificate yet)
  • Manage Certificates button (or a link) that would open the Certificate Manager.
  • There's no way to add (or remove) a certificate in the dialog; that's what the Certificate Manager is for.

If I've forgotten anything, @MariaLeonova and @gastoner, please let me know!

vancura avatar Jul 31 '25 10:07 vancura

I think that we would like to add some very simple dialog for adding/removing the certs, like in 1. However, I think that we want to be able to open it from an additional button next to the add registry button, since we might want to just add/remove certs and not do anything with registries. I think if there were only an option to open the manager using the add registry button, that would not be very intuitive.

gastoner avatar Aug 04 '25 09:08 gastoner

Is this scheduled for this sprint? If so, we should discuss it during the UX call tomorrow, August 6, 2025.

vancura avatar Aug 05 '25 12:08 vancura

@vancura this issue is in the current sprint, and the UX call is on August 7th; we can talk about it then.

MariaLeonova avatar Aug 06 '25 11:08 MariaLeonova

I created some wireframes for us to review at the check-in:

(image attachment)

MariaLeonova avatar Aug 07 '25 09:08 MariaLeonova

AFAIK: the certs should be added to the given podman machine, since the podman machine is pulling some image and it uses the cert for auth, verifying, etc. with the given registry.

Example: I have 2 podman machines:

  1. With cert
  2. Without cert

The first machine tries to pull the foo image from registry bar (✔️ I'm validated, no problem). It can also happen that this cert is also used for another registry, so I'm also able to use this cert with another registry ✔️

The second machine tries to pull the foo image from registry bar (fails: it does not have access / is not validated => can't pull the image ❌)

gastoner avatar Aug 07 '25 13:08 gastoner

(image attachments)

MariaLeonova avatar Sep 19 '25 06:09 MariaLeonova

@MariaLeonova personally I would keep the add registry dialog unchanged. Someone correct me if I'm wrong, please. AFAIK the certs are added into the machines; you don't need to specify which registry it is for, because it can be for all registries or none.

But I would add the manage certs button like in the first image.

This would open a new screen/dialog with a dropdown for selecting the Podman machine and the list of certs in the machine. There would also be an add button for adding new certs into the machine (can be a new dialog, probably like in the image here, but only the last two options).

gastoner avatar Sep 23 '25 08:09 gastoner

@Firewall I am adding the screens for the flow @gastoner and I have been discussing:

  1. manage certificates button from Registries
  2. manage certificates option from machines
  3. both those Manage certificates options would open a table listing several added certificates (here is one certificate for example), with a way to select a machine. This table could exist in resources:
  4. way to add new certificates: specify the machine and upload a file

MariaLeonova avatar Sep 30 '25 11:09 MariaLeonova

@MariaLeonova Looking great so far. A few comments on the steps but nothing major.

Step 1.

  • Makes sense to add it here. Not sure about the icon? Doesn't really signal certificates to me. Do we have any other options?

Step 2.

  • Good idea to add it there too

Step 3.

  • We need to establish "picking a machine" as a pattern. I don't mind if it's in the top right, but in other issues we are placing it in another place. We should stick to 1.
  • Also, in the case where there is only 1 machine (like the screenshot) don't show a picker; it's just confusing. You can't select anything else anyway.

Step 4.

Firewall avatar Oct 02 '25 08:10 Firewall

Do we have any other options?

Not at the moment, but I can make some suggestions.

"picking a machine" as a pattern

This one is coming from Quadlets. For when there's only one machine, we could show just that information, without the dropdown?

We should cover the error case when that fails.

What would the user be able to do in that case? How can they troubleshoot?

MariaLeonova avatar Oct 02 '25 11:10 MariaLeonova

After multiple discussions, here's the latest proposal:

  • add a Certificates menu item in settings as a separate page
  • the list of certificates will be represented as a table, listing certificate name, issuer, serial number, expiration date and status (active, expiring, expired)
  • add ways to access it from Registries and from the Machine UI
  • the list will show the user's certificates that will synchronize with a particular machine
  • if the user has >1 machine, which is the minority of cases, the Synchronize button will become a split button and offer a choice of 2 (or more?) machines, with the default machine selected by default.
  • in case of a sync error, an error message will be shown underneath the button. We need to define what it would say exactly.

MariaLeonova avatar Oct 07 '25 17:10 MariaLeonova
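The columns proposed above (name, issuer, serial number, expiration date, status) plus the fingerprint mentioned earlier, derived from a certificate file with the openssl CLI, as an added example that is not Podman Desktop's code: it assumes a PEM-encoded .crt/.pem file and a threshold in days for the "expiring" status, and builds a constructed self-signed sample certificate to run against.

```shell
# Added example, not Podman Desktop code: derive the columns proposed for the
# Certificates table (name, issuer, serial, expiration, status) plus a SHA-256
# fingerprint from a PEM .crt/.pem file using only the openssl CLI.
# Assumptions: $1 is a PEM X.509 certificate, $2 the "expiring" threshold in days.

# One field printed by "openssl x509 -noout <option>", with the "key=" prefix stripped.
cert_field() {
  openssl x509 -in "$1" -noout "$2" | sed 's/^[^=]*= *//'
}

# Certificate name as the table would show it: the CN of the subject.
cert_name() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Status as proposed: expired, expiring (within $2 days, default 30), or active.
cert_status() {
  days=${2:-30}
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    echo expiring
  else
    echo active
  fi
}

# One tab-separated table row: name, issuer, serial, expiration, status, fingerprint.
cert_row() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    "$(cert_name "$1")" "$(cert_field "$1" -issuer)" "$(cert_field "$1" -serial)" \
    "$(cert_field "$1" -enddate)" "$(cert_status "$1" "$2")" "$(cert_fingerprint "$1")"
}

# Constructed sample: a throwaway self-signed certificate valid for $2 days
# (stands in for the registry CA certificate a user would upload).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=registry.example.test/O=Constructed Sample" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}
SAMPLE=${TMPDIR:-/tmp}/sample-cert-$$.crt
make_sample_cert "$SAMPLE" 10
cert_row "$SAMPLE" 30            # a 10-day cert is "expiring" against a 30-day threshold
rm -f "$SAMPLE" "$SAMPLE.key"
```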

I'm not sure if we have this Synchronize component in PD; I would rather use 2 dedicated components that we already have, the classic dropdown and button, and not force them to be connected together.

gastoner avatar Oct 08 '25 06:10 gastoner

@gastoner if this can't be done, we can follow the quadlets UI pattern. I do remember it was part of the Experimental feedback modal proposal.

MariaLeonova avatar Oct 08 '25 12:10 MariaLeonova

That's true, I forgot this component :D

gastoner avatar Oct 08 '25 13:10 gastoner

@Firewall please review the latest proposal.

MariaLeonova avatar Oct 14 '25 08:10 MariaLeonova

@MariaLeonova

The new settings page totally makes sense, and the flow will help for when users want to do a manual sync. I am thinking we are missing a bit of information about where these certificates are coming from.

  • Can we add a subtitle: "Manage host-based certificates in Podman Desktop with automatic synchronization to your Podman Machine."
  • We should remove the multi-select and the delete buttons.
    1. Deleting these certs can be quite damaging to the system. I think it's a dangerous area for us to touch.
    2. In an organization, the file will be placed on your laptop and you won't be able to delete it anyway.

What we discussed during the UX call is that we could also do this sync "automatically" for the user all the time. That way for most users, it will "just work" because their certificates are automatically available on their podman machines. To support that feature we should have another button/toggle to "Enable/Disable automatic sync"

Firewall avatar Oct 15 '25 10:10 Firewall

@Firewall thanks! Here's the screen with all your requested changes. I followed the pattern for the switcher that we are already using in Settings, so it's consistent with everything else:

(image attachment)

MariaLeonova avatar Oct 24 '25 09:10 MariaLeonova

@MariaLeonova Excellent! Just a tiny copy update, otherwise it will be confusing if it's disabled.

Title: Sync certificates -> Synchronize certificates
Body: Certificates will be automatically synced to your default machine -> Automatically synchronize certificates to all Podman machines

Firewall avatar Oct 27 '25 08:10 Firewall