wslc trust Windows host Trusted Store certs #40785
Open
yao-msft wants to merge 10 commits into
Pull request overview
This PR adds support for mirroring the Windows host’s trusted root CA certificates into the wslc container VM so TLS operations (e.g., pushing to a private registry signed by an enterprise CA) can succeed without manual VM configuration.
Changes:
- Add Windows certificate-store enumeration and install a PEM bundle into the VM during `WSLCSession` initialization (before `containerd`/`dockerd` start).
- Extend WSLC E2E helpers to start a TLS-enabled local registry (bridge networking + cert volume mount).
- Add an end-to-end TLS registry trust test that verifies failure before trust and success after adding the CA to a Windows trusted store.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/windows/wslc/e2e/WSLCE2ETlsRegistryTests.cpp | New E2E test that generates a private CA/server cert and validates wslc push behavior before/after trusting the CA. |
| test/windows/wslc/e2e/WSLCE2EHelpers.h | Exposes TestSession::Session() and updates StartLocalRegistry signature to support optional TLS cert directory. |
| test/windows/wslc/e2e/WSLCE2EHelpers.cpp | Adds TLS path for local registry startup (bridge network, cert volume mount, readiness probe). |
| test/windows/CMakeLists.txt | Links Ncrypt.lib for test-only CNG key generation used by the new TLS E2E test. |
| src/windows/wslcsession/WSLCSession.h | Declares InstallTrustedRootCertificates() helper. |
| src/windows/wslcsession/WSLCSession.cpp | Calls InstallTrustedRootCertificates() during session init and implements VM-side PEM bundle installation. |
| src/windows/wslcsession/WindowsCertStore.h | Declares helper to collect host trusted roots as a PEM bundle. |
| src/windows/wslcsession/WindowsCertStore.cpp | Implements trusted-root store enumeration and PEM serialization with deduplication. |
| src/windows/wslcsession/CMakeLists.txt | Adds new WindowsCertStore source/header to the wslcsession target. |
Summary of the Pull Request
Enumerate the Windows Trusted Root Store certs, export them as a cert bundle and put it in the VM's /etc/ssl/certs.
PR Checklist
Detailed Description of the Pull Request / Additional comments
Validation Steps Performed
Manually validated that a registry using a custom-signed cert fails on wslc push (unknown authority). After putting the cert in the Trusted Root store, wslc push (with a fresh session) succeeds. Also added a test to validate the same behavior.
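A way to see, from the host side, exactly which roots such a mirroring step would carry into the VM is to build the same kind of bundle yourself. The script below is an added example and not code from this PR or from the WSL project: it enumerates the machine and current-user Root stores, de-duplicates by thumbprint (a root commonly appears in both), and writes a single RFC 7468 PEM bundle with UTF-8 (no BOM) and LF line endings so it is clean on the Linux side. The output path is an assumption for illustration.

```powershell
# Added example, not code from PR #40785: enumerate the Windows trusted-root
# stores, drop duplicates, and write one PEM bundle of the kind a VM can
# consume under /etc/ssl/certs. The default output path is an assumption.
param(
    [string]$OutFile = (Join-Path $env:TEMP 'windows-trusted-roots.pem')
)

$seen   = @{}                                   # thumbprint -> $true
$bundle = [System.Text.StringBuilder]::new()
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

foreach ($storePath in $stores) {
    foreach ($cert in Get-ChildItem -Path $storePath) {
        # The same root is often present in both stores; keep one copy.
        if ($seen.ContainsKey($cert.Thumbprint)) { continue }
        $seen[$cert.Thumbprint] = $true

        # RFC 7468: base64 of the DER encoding, wrapped at 64 columns.
        $b64   = [Convert]::ToBase64String($cert.RawData)
        $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
            $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
        }

        # Text outside BEGIN/END is ignored by PEM parsers, so a subject line
        # makes the bundle auditable without changing how it is loaded.
        [void]$bundle.Append("# $($cert.Subject) (SHA1 $($cert.Thumbprint))`n")
        [void]$bundle.Append("-----BEGIN CERTIFICATE-----`n")
        [void]$bundle.Append(($lines -join "`n") + "`n")
        [void]$bundle.Append("-----END CERTIFICATE-----`n")
    }
}

# UTF-8 without BOM and LF line endings, so the file is clean on the Linux side.
[System.IO.File]::WriteAllText($OutFile, $bundle.ToString(), [System.Text.UTF8Encoding]::new($false))
"Wrote $($seen.Count) unique root certificates to $OutFile"
```

Once the bundle is inside the VM, `openssl crl2pkcs7 -nocrl -certfile windows-trusted-roots.pem | openssl pkcs7 -print_certs -noout` lists every subject it contains, so the count can be checked against what the script reported; `openssl s_client -connect <registry>:<port> -CAfile windows-trusted-roots.pem` then confirms that the enterprise CA in question actually chains. Note that a file dropped under /etc/ssl/certs is only consulted by clients that read that path or bundle, so a per-client check like the one above is what proves the trust is in effect rather than the presence of the file.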