Deploying CA on Podman - dogtagpki/pki GitHub Wiki

Overview

Note
This page is still under construction.

This document describes the process to deploy CA container on Podman with PKI 11.6 or later.

Current limitations:

  • Replication is not yet supported (i.e. no scaling)

  • HSM is not yet supported

  • No security domain (i.e. other subsystems need to be set up manually)

  • Long startup time (due to certs import and instance creation)

Creating Network

Create a network for the containers, for example:

$ podman network create example

Alternatively, use an existing network.

Preparing Certificates

Create a folder (e.g. certs) to store CA system certificates and admin certificate. This folder will be mapped into the /certs folder in the CA container.

By default the CA container will create new certificates. To use existing certificates, store the certificates in the folder as follows:

See also:

Preparing Configuration Files

Create a folder (e.g. conf) to store Tomcat and CA configuration files. This folder will be mapped into the /conf folder in the CA container.

Preparing Logs Folder

Create a folder (e.g. logs) to store Tomcat and CA log files. This folder will be mapped into the /logs folder in the CA container.

Deploying CA Container

Run the CA container with the following command:

$ podman run \
    --name ca \
    --hostname ca.example.com \
    --network example \
    --network-alias ca.example.com \
    -v $PWD/certs:/certs \
    -v $PWD/conf:/conf \
    -v $PWD/logs:/logs \
    -e PKI_DS_URL=ldap://ds.example.com:3389 \
    -e PKI_DS_PASSWORD=Secret.123 \
    -d \
    quay.io/dogtagpki/pki-ca:latest

Wait until the CA service is running:

$ podman logs -f ca

Setting up CA Database

Accessing CA Service

To access the CA service remotely, retrieve the ca_signing.crt from the CA container, then install it on the client, for example:

$ podman cp ca:/certs/ca_signing.crt ca_signing.crt
$ podman cp ca_signing.crt client:ca_signing.crt
$ podman exec client pki \
    nss-cert-import \
    --cert ca_signing.crt \
    --trust CT,C,C \
    ca_signing

Then the CA service can be accessed using its URL, for example:

$ podman exec client pki -U https://ca.example.com:8443 info
  Server URL: https://ca.example.com:8443
  Server Version: 11.3.0

Setting up CA Admin User

To perform administrative operations, retrieve the admin.p12 from the CA container, then install it on the client, for example:

$ podman cp ca:/certs/admin.p12 admin.p12
$ podman cp admin.p12 client:admin.p12
$ podman exec client pki \
    pkcs12-import \
    --pkcs12 admin.p12 \
    --password Secret.123

Then use the admin certificate for authentication, for example:

$ podman exec client pki \
    -U https://ca.example.com:8443 \
    -n admin \
    ca-user-show \
    admin

Removing CA Container

If the CA container is no longer needed, it can be removed with the following command:

$ podman rm -f ca

See Also

⚠️ **GitHub.com Fallback** ⚠️