Deploying CA on Podman - dogtagpki/pki GitHub Wiki
|
Note
|
This page is still under construction. |
This document describes the process to deploy CA container on Podman with PKI 11.3 or later.
Current limitations:
-
Existing CA configuration files are not yet supported
-
CA replication is not yet supported (i.e. no scaling)
-
HSM is not yet supported
-
No security domain (i.e. other subsystems need to be set up manually)
-
Long startup time (due to certs import and instance creation)
-
DS must be running when the CA container is started
Create a network for the containers, for example:
$ podman network create example
Alternatively, use an existing network.
By default the CA container will create a new system certificates and admin certificate.
To deploy the CA container with existing certificates, prepare the following files:
-
server.p12which contains:-
ca_signingcertificate and key (see Generating CA Signing Certificate) -
ocsp_signingcertificate and key (see Generating OCSP Signing Certificate) -
audit_signingcertificate and key (see Generating Audit Signing Certificate) -
subsystemcertificate and key (see Generating Subsystem Certificate) -
sslservercertificate and key (see Generating SSL Server Certificate)
-
-
admin.p12which contains:-
admincertificate and key (see Generating Admin Certificate)
-
-
ca_signing.csrcertificate request -
ocsp_signing.csrcertificate request -
audit_signing.csrcertificate request -
subsystem.csrcertificate request -
sslserver.csrcertificate request -
admin.csrcertificate request
Then store the files in a location that will be mapped to the /certs folder in the CA container.
See also:
Run the CA container with the following command:
$ podman run \
--name=ca \
--hostname=ca.example.com \
--network=example \
--network-alias=ca.example.com \
-v $PWD/certs:/certs \
-p 8080:8080 \
-p 8443:8443 \
--privileged \
-d \
quay.io/dogtagpki/pki-ca:latest
Wait until the CA service is running:
$ podman logs -f ca
The CA service can be accessed locally using the pki CLI within the CA container itself, for example:
$ podman exec ca pki info Server URL: https://ca.example.com:8443 Server Version: 11.3.0
To perform administrative operations, use the admin certificate for authentication, for example:
$ podman exec ca pki \
-n admin \
ca-user-show \
admin
To access the CA service remotely, retrieve the ca_signing.crt from the CA container, then install it on the client, for example:
$ podman cp ca:/certs/ca_signing.crt ca_signing.crt
$ podman cp ca_signing.crt client:ca_signing.crt
$ podman exec client pki \
nss-cert-import \
--cert ca_signing.crt \
--trust CT,C,C \
ca_signing
Then the CA service can be accessed using its URL, for example:
$ podman exec client pki -U https://ca.example.com:8443 info Server URL: https://ca.example.com:8443 Server Version: 11.3.0
To perform administrative operations, retrieve the admin.p12 from the CA container, then install it on the client, for example:
$ podman cp ca:/certs/admin.p12 admin.p12
$ podman cp admin.p12 client:admin.p12
$ podman exec client pki \
pkcs12-import \
--pkcs12 admin.p12 \
--password Secret.123
Then use the admin certificate for authentication, for example:
$ podman exec client pki \
-U https://ca.example.com:8443 \
-n admin \
ca-user-show \
admin
If the CA container is no longer needed, it can be removed with the following command:
$ podman rm -f ca