Nexus OSS in docker + SSL Inspection: Which keystore and how?

We’re running our Nexus OSS in a docker environment as documented.

Our company is doing SSL inspection for security reasons. So, all outgoing HTTPS connections are getting “hijacked” with a 3rd party CA certificate. This is totally nexus repository independent and comes into play when nexus is acting as a maven or docker proxy…

To get a working HTTPS connection from java programs, we need to add the SSL inspection’s CA certificate to the java keystore the JVM is using, typically located here: $JAVA_HOME/lib/security/cacerts

As we run Nexus OSS in docker: How can we achieve this? Of course I can login to the running nexus instance in docker and run the keystore update manually… but this is not a permanent solution.

Any hints or comments?

Already googled, but did not find any solution. Most search results are about setting up HTTPS for the nexus repos. But this does not help.

Have you tried this document on outbound SSL - Configuring SSL?

Yes, and as far as I understood the documentation, this is meant for SSL protection for the repositories as well as SSL protected 3rd party destinations.

But what I need is to install a “CA” (certificate authority) certificate. And as far as I know, this is done by adding it to the JVM keystore. So this is a different use case, as this certificate is not meant for a specific host.

If I used Nexus on a VM instead of a docker installation, I know what to do. But in case of docker, I need some help from Sonatype/Nexus guys to find a hint on how to permanently install the certificate (or at least install it automatically on each startup).
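One way to make the JVM trust the inspection CA permanently in a container is to bake it into the image rather than patching the running instance. The Dockerfile below is an added example, not code from the thread or from Sonatype: it extends the official image and imports the CA into the JVM's default truststore at build time, then verifies the alias is present so a failed import breaks the build instead of surfacing later as a TLS error from the proxy. Assumptions: the base image tag, a CA file named `inspection-ca.pem` next to the Dockerfile, that the image's `keytool` supports `-cacerts` (Java 9+), that the default cacerts password is still `changeit`, and that the image runs as the `nexus` user.

```dockerfile
# Added example: extend the official Nexus image so the SSL inspection CA
# is trusted by the JVM that runs Nexus. Not the project's own Dockerfile.
# Assumptions: base tag, the cert file name, keytool with -cacerts (Java 9+),
# default cacerts password "changeit", and a "nexus" runtime user.
# On a Java 8 image, replace "-cacerts" with
# "-keystore $JAVA_HOME/lib/security/cacerts".
FROM sonatype/nexus3:latest

USER root
COPY inspection-ca.pem /tmp/inspection-ca.pem

# Import the CA as a trusted certificate, then list the alias back so the
# build fails loudly if the import did not land in the truststore the JVM
# actually reads. Remove the PEM afterwards; it is now inside cacerts.
RUN keytool -importcert -noprompt -trustcacerts \
        -cacerts -storepass changeit \
        -alias corp-ssl-inspection -file /tmp/inspection-ca.pem \
    && keytool -list -cacerts -storepass changeit -alias corp-ssl-inspection \
    && rm /tmp/inspection-ca.pem

USER nexus
```

Build with `docker build -t nexus3-corp .` and run that image in place of `sonatype/nexus3`. Because the import is part of the image, it survives container recreation; the trade-off is that the image must be rebuilt whenever the upstream tag or the inspection CA changes, which is also the moment to confirm the CA you are trusting is the one your security team actually operates.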