PKI CA Container
From Dogtag
Contents
Overview
This document describes the process to run PKI server in a container. It assumes that the DS Container is already created.
Creating PKI Container
$ docker run \
--name pki \
--hostname pki.example.com \
--privileged \
--tmpfs /tmp \
--tmpfs /run \
--volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
--expose 8080 \
--publish 8080:8080 \
--detach \
fedora:29 "/usr/sbin/init"
$ docker exec pki dnf install -y dnf-plugins-core
$ docker exec pki dnf copr enable -y @pki/master
$ docker exec pki dnf install -y dogtag-pki
Creating PKI Network
$ docker network create pki-network $ docker network connect pki-network ds $ docker network connect pki-network pki
Creating PKI CA Instance
To create PKI CA instance:
$ docker exec pki sh -c 'cat > /tmp/ca.cfg << EOF [DEFAULT] pki_server_database_password=Secret.123 [CA] pki_admin_email=caadmin@example.com pki_admin_name=caadmin pki_admin_nickname=caadmin pki_admin_password=Secret.123 pki_admin_uid=caadmin pki_client_database_password=Secret.123 pki_client_database_purge=False pki_client_pkcs12_password=Secret.123 pki_ds_hostname=ds pki_ds_password=Secret.123 pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com pki_ds_database=ca pki_security_domain_name=EXAMPLE pki_ca_signing_nickname=ca_signing pki_ocsp_signing_nickname=ca_ocsp_signing pki_audit_signing_nickname=ca_audit_signing pki_sslserver_nickname=sslserver pki_subsystem_nickname=subsystem EOF' $ docker exec pki pkispawn -f /tmp/ca.cfg -s CA
Accessing PKI Container
$ pki ca-cert-find
Building PKI Container Image
Create the following Dockerfile:
FROM tomcat:latest CMD ["catalina.sh", "run"]
To build PKI container image:
$ docker build -t pki .
To create PKI container:
$ docker run \
--name pki \
--rm \
-p 8080:8080 \
pki
