PKI CA Container

From Dogtag
Revision as of 23:13, 5 May 2020 by Edewata (talk | contribs)


Overview

This document describes how to run a PKI server in a container. It assumes that the DS container has already been created.

Creating PKI Container

$ docker run \
    --name pki \
    --hostname pki.example.com \
    --privileged \
    --tmpfs /tmp \
    --tmpfs /run \
    --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --expose 8080 \
    --publish 8080:8080 \
    --detach \
    fedora:29 "/usr/sbin/init"
$ docker exec pki dnf install -y dnf-plugins-core
$ docker exec pki dnf copr enable -y @pki/master
$ docker exec pki dnf install -y dogtag-pki

Creating PKI Network

$ docker network create pki-network
$ docker network connect pki-network ds
$ docker network connect pki-network pki

Creating PKI CA Instance

To create a PKI CA instance:

$ docker exec pki sh -c 'cat > /tmp/ca.cfg << EOF
[DEFAULT]
pki_server_database_password=Secret.123

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

pki_ds_hostname=ds
pki_ds_password=Secret.123
pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
pki_ds_database=ca

pki_security_domain_name=EXAMPLE

pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
EOF'
$ docker exec pki pkispawn -f /tmp/ca.cfg -s CA
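A small shell helper, added here as an example and not part of the Dogtag wiki page, that writes the same ca.cfg with one randomly generated password in place of the literal Secret.123, creates it mode 0600, and checks the file before it is handed to pkispawn. The function names gen_password, write_ca_cfg and check_ca_cfg and the dependency on od and /dev/urandom are assumptions; the DS hostname and base DN are the page's own.

```shell
# Added example (not from the Dogtag wiki). Generates a ca.cfg for
# `pkispawn -s CA` with a random password instead of Secret.123.
# Assumes POSIX sh, od and /dev/urandom; "ds" and the base DN match
# the page's DS container.

gen_password() {
    # 24 hex characters from /dev/urandom (assumed available)
    od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

write_ca_cfg() {
    cfg="$1"
    pw="${2:-$(gen_password)}"
    # subshell so the restrictive umask does not leak to the caller
    ( umask 077; cat > "$cfg" <<EOF
[DEFAULT]
pki_server_database_password=$pw

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=$pw
pki_admin_uid=caadmin
pki_client_database_password=$pw
pki_client_database_purge=False
pki_client_pkcs12_password=$pw
pki_ds_hostname=ds
pki_ds_password=$pw
pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
pki_ds_database=ca
pki_security_domain_name=EXAMPLE
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
EOF
    )
}

# Return 0 when every key used above is present and non-empty and no
# placeholder password survived; print the first problem and return 1 otherwise.
check_ca_cfg() {
    cfg="$1"
    for key in pki_server_database_password pki_admin_password pki_ds_password \
               pki_ds_hostname pki_ds_base_dn pki_ca_signing_nickname; do
        grep -q "^$key=." "$cfg" || { echo "missing $key"; return 1; }
    done
    grep -q 'Secret.123' "$cfg" && { echo "placeholder password in $cfg"; return 1; }
    return 0
}
```

Run it on the host and copy the result in with `docker cp ca.cfg pki:/tmp/ca.cfg`, so the passwords are not passed through a `docker exec` command line.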

Accessing PKI Container

$ pki ca-cert-find

Building PKI Container Image

Create the following Dockerfile:

FROM tomcat:latest

CMD ["catalina.sh", "run"]

To build the PKI container image:

$ docker build -t pki .

To create the PKI container:

$ docker run \
    --name pki \
    --rm \
    -p 8080:8080 \
    pki

References