Deploying CA Container

Overview

Note	This page is still under construction.

This document describes the process to deploy CA container with PKI 11.3 or later.

Creating Network

Create a network for the containers, for example:

$ podman network create example

Alternatively, use an existing network.

Generating System Certificates

By default the CA container will create a new system certificates and admin certificate.

To deploy the CA container with existing certificates, prepare the following files:

• server.p12 which contains:

  • ca_signing certificate and key (see Generating CA Signing Certificate)

  • ocsp_signing certificate and key (see Generating OCSP Signing Certificate)

  • audit_signing certificate and key (see Generating Audit Signing Certificate)

  • subsystem certificate and key (see Generating Subsystem Certificate)

  • sslserver certificate and key (see Generating SSL Server Certificate)

• admin.p12 which contains:

  • admin certificate and key (see Generating Admin Certificate)

• ca_signing.csr certificate request

• ocsp_signing.csr certificate request

• audit_signing.csr certificate request

• subsystem.csr certificate request

• sslserver.csr certificate request

• admin.csr certificate request

Then store the files in a location that will be mapped to the /certs folder in the CA container.

See also:

• Generating System Certificates

• PKI PKCS12 CLI

Preparing CA Database

• Setting up CA Database

• Setting up CA Database User

• Setting up CA Admin User

Deploying CA Container

Run the CA container with the following command:

$ podman run \
    --name=ca \
    --hostname=ca.example.com \
    --network=example \
    --network-alias=ca.example.com \
    -v $PWD/certs:/certs \
    -p 8080:8080 \
    -p 8443:8443 \
    --privileged \
    -d \
    quay.io/dogtagpki/pki-ca:latest

Wait until the CA service is running:

$ podman logs -f ca

Accessing CA Service

Local access

The CA service can be accessed locally using the pki CLI within the CA container itself, for example:

$ podman exec ca pki info
  Server URL: https://ca.example.com:8443
  Server Version: 11.3.0

To perform administrative operations, use the admin certificate for authentication, for example:

$ podman exec ca pki \
    -n admin \
    ca-user-show \
    admin

Remote access

To access the CA service remotely, retrieve the ca_signing.crt from the CA container, then install it on the client, for example:

$ podman cp ca:/certs/ca_signing.crt ca_signing.crt
$ podman cp ca_signing.crt client:ca_signing.crt
$ podman exec client pki \
    nss-cert-import \
    --cert ca_signing.crt \
    --trust CT,C,C \
    ca_signing

Then the CA service can be accessed using its URL, for example:

$ podman exec client pki -U https://ca.example.com:8443 info
  Server URL: https://ca.example.com:8443
  Server Version: 11.3.0

To perform administrative operations, retrieve the admin.p12 from the CA container, then install it on the client, for example:

$ podman cp ca:/certs/admin.p12 admin.p12
$ podman cp admin.p12 client:admin.p12
$ podman exec client pki \
    pkcs12-import \
    --pkcs12 admin.p12 \
    --password Secret.123

Then use the admin certificate for authentication, for example:

$ podman exec client pki \
    -U https://ca.example.com:8443 \
    -n admin \
    ca-user-show \
    admin

Removing CA Container

If the CA container is no longer needed, it can be removed with the following command:

$ podman rm -f ca