PKI CA Container
From Dogtag
Contents
Overview (Work in Progress)
This document describes the process to run PKI server in a container. It assumes that the DS Container is already created.
Creating PKI Container
$ docker run \
--name pki-ca \
--hostname ca.example.com \
--privileged \
--tmpfs /tmp \
--tmpfs /run \
--volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
--expose 8080 \
--publish 8080:8080 \
--detach \
fedora:29 "/usr/sbin/init"
$ docker exec pki-ca dnf install -y dnf-plugins-core
$ docker exec pki-ca dnf copr enable -y @pki/master
$ docker exec pki-ca dnf install -y dogtag-pki
Creating PKI Network
$ docker network create example.com $ docker network connect example.com ds --alias ds.example.com $ docker network connect example.com pki-ca --alias ca.example.com
Creating PKI CA Instance
To create PKI CA instance with pkispawn:
$ docker exec pki-ca sh -c 'cat > /tmp/ca.cfg << EOF [DEFAULT] pki_server_database_password=Secret.123 [CA] pki_admin_email=caadmin@example.com pki_admin_name=caadmin pki_admin_nickname=caadmin pki_admin_password=Secret.123 pki_admin_uid=caadmin pki_client_database_password=Secret.123 pki_client_database_purge=False pki_client_pkcs12_password=Secret.123 pki_ds_hostname=ds.example.com pki_ds_password=Secret.123 pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com pki_ds_database=ca pki_security_domain_name=EXAMPLE pki_ca_signing_nickname=ca_signing pki_ocsp_signing_nickname=ca_ocsp_signing pki_audit_signing_nickname=ca_audit_signing pki_sslserver_nickname=sslserver pki_subsystem_nickname=subsystem EOF' $ docker exec pki-ca pkispawn -f /tmp/ca.cfg -s CA
To create PKI server manually:
$ pki-server create
$ pki-server nss-create --no-password
$ pki -d /var/lib/pki/pki-tomcat/conf/alias \
-f /var/lib/pki/pki-tomcat/conf/password.conf \
nss-cert-request \
--subject "CN=$HOSTNAME" \
--ext /usr/share/pki/ca/certs/sslserver.conf \
--csr /var/lib/pki/pki-tomcat/conf/sslserver.csr
$ pki -d /var/lib/pki/pki-tomcat/conf/alias \
-f /var/lib/pki/pki-tomcat/conf/password.conf \
nss-cert-issue \
--csr /var/lib/pki/pki-tomcat/conf/sslserver.csr \
--ext /usr/share/pki/ca/certs/sslserver.conf \
--cert /var/lib/pki/pki-tomcat/conf/sslserver.crt
$ pki -d /var/lib/pki/pki-tomcat/conf/alias \
-f /var/lib/pki/pki-tomcat/conf/password.conf \
nss-cert-import \
--cert /var/lib/pki/pki-tomcat/conf/sslserver.crt \
sslserver
$ pki-server jss-enable
$ pki-server http-connector-add \
--port 8443 \
--scheme https \
--secure true \
--sslEnabled true \
--sslProtocol SSL \
Secure
$ pki-server http-connector-mod \
--sslImpl org.dogtagpki.tomcat.JSSImplementation \
Secure
$ pki-server http-connector-cert-add \
--keyAlias sslserver \
--keystoreType pkcs11 \
--keystoreProvider Mozilla-JSS
To create PKI CA manually:
$ pki-server ca-create
To configure PKI CA database:
$ pki-server ca-config-set internaldb.ldapconn.host $HOSTNAME $ pki-server ca-config-set internaldb.ldapconn.port 389 $ pki-server ca-config-set internaldb.ldapauth.authtype BasicAuth $ pki-server ca-config-set internaldb.ldapauth.bindDN "cn=Directory Manager" $ pki-server ca-config-set internaldb.ldapauth.bindPassword Secret.123 $ pki-server ca-config-set internaldb.database ca $ pki-server ca-config-set internaldb.basedn "dc=ca,dc=pki,dc=example,dc=com"
To disable CRL:
$ pki-server ca-config-set ca.crl.MasterCRL.enable false
To disable FlatFileAuth:
$ pki-server ca-config-unset auths.impl.FlatFileAuth.class $ pki-server ca-config-unset auths.instance.flatFileAuth.pluginName $ pki-server ca-config-unset auths.instance.flatFileAuth.fileName
To run PKI server:
$ pki-server run
Accessing PKI Container
$ pki ca-cert-find
Building PKI Container Image
Create the following Dockerfile:
FROM tomcat:latest CMD ["catalina.sh", "run"]
To build PKI container image:
$ docker build -t pki .
To create PKI container:
$ docker run \
--name pki \
--rm \
-p 8080:8080 \
pki
