Create a network for the containers, for example:

Alternatively, use an existing network.

Create a folder (e.g. certs) to store CA system certificates and admin certificate. This folder will be mapped into the /certs folder in the CA container.

By default the CA container will create new certificates. To use existing certificates, store the certificates in the folder as follows:

• server.p12 which contains:

  • ca_signing certificate and key (see Generating CA Signing Certificate)

  • ca_ocsp_signing certificate and key (see Generating OCSP Signing Certificate)

  • sslserver certificate and key (see Generating SSL Server Certificate)

• ca_signing.csr certificate request

• ca_ocsp_signing.csr certificate request

• sslserver.csr certificate request

See also:

• Generating System Certificates

• PKI PKCS12 CLI

Create a folder (e.g. conf) to store Tomcat and CA configuration files. This folder will be mapped into the /conf folder in the CA container.

Create a folder (e.g. logs) to store Tomcat and CA log files. This folder will be mapped into the /logs folder in the CA container.

Run the CA container with the following command:

Wait until the CA service is running:

• Deploying DS on Podman

• Setting up CA Database

To access the CA service remotely, retrieve the ca_signing.crt from the CA container, then install it on the client, for example:

Then the CA service can be accessed using its URL, for example:

• Setting up CA Admin User

To perform administrative operations, retrieve the admin.p12 from the CA container, then install it on the client, for example:

Then use the admin certificate for authentication, for example:

If the CA container is no longer needed, it can be removed with the following command:

• Setting up CA Database User

• Setting up KRA Connector

• Deploying CA Container as Systemd Service