Deploying CA on Podman - dogtagpki/pki GitHub Wiki
Note
|
This page is still under construction. |
This document describes the process to deploy CA container on Podman with PKI 11.6 or later.
Current limitations:
-
Replication is not yet supported (i.e. no scaling)
-
HSM is not yet supported
-
No security domain (i.e. other subsystems need to be set up manually)
-
Long startup time (due to certs import and instance creation)
Create a network for the containers, for example:
$ podman network create example
Alternatively, use an existing network.
Create a folder (e.g. certs
) to store CA system certificates and admin certificate.
This folder will be mapped into the /certs
folder in the CA container.
By default the CA container will create new certificates. To use existing certificates, store the certificates in the folder as follows:
-
server.p12
which contains:-
ca_signing
certificate and key (see Generating CA Signing Certificate) -
ca_ocsp_signing
certificate and key (see Generating OCSP Signing Certificate) -
sslserver
certificate and key (see Generating SSL Server Certificate)
-
-
ca_signing.csr
certificate request -
ca_ocsp_signing.csr
certificate request -
sslserver.csr
certificate request
See also:
Create a folder (e.g. conf
) to store Tomcat and CA configuration files.
This folder will be mapped into the /conf
folder in the CA container.
Create a folder (e.g. logs
) to store Tomcat and CA log files.
This folder will be mapped into the /logs
folder in the CA container.
Run the CA container with the following command:
$ podman run \ --name ca \ --hostname ca.example.com \ --network example \ --network-alias ca.example.com \ -v $PWD/certs:/certs \ -v $PWD/conf:/conf \ -v $PWD/logs:/logs \ -e PKI_DS_URL=ldap://ds.example.com:3389 \ -e PKI_DS_PASSWORD=Secret.123 \ -d \ quay.io/dogtagpki/pki-ca:latest
Wait until the CA service is running:
$ podman logs -f ca
To access the CA service remotely, retrieve the ca_signing.crt
from the CA container, then install it on the client, for example:
$ podman cp ca:/certs/ca_signing.crt ca_signing.crt $ podman cp ca_signing.crt client:ca_signing.crt $ podman exec client pki \ nss-cert-import \ --cert ca_signing.crt \ --trust CT,C,C \ ca_signing
Then the CA service can be accessed using its URL, for example:
$ podman exec client pki -U https://ca.example.com:8443 info Server URL: https://ca.example.com:8443 Server Version: 11.3.0
To perform administrative operations, retrieve the admin.p12
from the CA container, then install it on the client, for example:
$ podman cp ca:/certs/admin.p12 admin.p12 $ podman cp admin.p12 client:admin.p12 $ podman exec client pki \ pkcs12-import \ --pkcs12 admin.p12 \ --password Secret.123
Then use the admin
certificate for authentication, for example:
$ podman exec client pki \ -U https://ca.example.com:8443 \ -n admin \ ca-user-show \ admin
If the CA container is no longer needed, it can be removed with the following command:
$ podman rm -f ca