Deploying OCSP on Podman
Note: This page is still under construction.
This document describes the process to deploy OCSP container on Podman with PKI 11.6 or later.
Current limitations:
- Replication is not yet supported (i.e. no scaling)
- HSM is not yet supported
- No security domain (i.e. other subsystems need to be set up manually)
- Long startup time (due to certs import and instance creation)
Create a network for the containers, for example:
$ podman network create example
Alternatively, use an existing network.
To deploy the OCSP container, prepare the following files:
- server.p12 which contains:
  - ca_signing certificate (see Generating CA Signing Certificate)
  - ocsp_signing certificate and key (see Generating OCSP Signing Certificate)
  - audit_signing certificate and key (see Generating Audit Signing Certificate)
  - subsystem certificate and key (see Generating Subsystem Certificate)
  - sslserver certificate and key (see Generating SSL Server Certificate)
- admin.p12 which contains:
  - admin certificate and key (see Generating Admin Certificate)
- ocsp_signing.csr certificate request
- audit_signing.csr certificate request
- subsystem.csr certificate request
- sslserver.csr certificate request
- admin.csr certificate request
Then store the files in a location that will be mapped to the /certs
folder in the OCSP container.
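Because the container imports the bundle during its long startup, a broken certs directory only fails late. The following pre-flight check is an added example (not part of the PKI project): it verifies the files listed above are present and, when a PKCS#12 password is given, that server.p12 carries the five expected nicknames. It assumes those nicknames are stored as PKCS#12 friendlyName attributes and that openssl is installed.

```shell
#!/bin/sh
# Pre-flight check for the directory that will be mapped to /certs.
# Usage: check_ocsp_certs ./certs [server.p12 password]

# Files the OCSP container expects under /certs (names taken from the page).
OCSP_REQUIRED_FILES="server.p12 admin.p12 ocsp_signing.csr audit_signing.csr subsystem.csr sslserver.csr admin.csr"
# Nicknames that must be present in server.p12 (names taken from the page).
OCSP_SERVER_NICKS="ca_signing ocsp_signing audit_signing subsystem sslserver"

# Return 0 if every required file exists and is non-empty, 1 otherwise.
check_ocsp_files() {
    dir=$1; rc=0
    for f in $OCSP_REQUIRED_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Print the friendlyName of each certificate in a PKCS#12 file, one per line.
# Assumes the bundle stores NSS nicknames as friendlyName attributes.
p12_cert_nicknames() {
    openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$2" 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | sort -u
}

# Return 0 if server.p12 contains all five nicknames the container imports.
check_ocsp_nicknames() {
    nicks=$(p12_cert_nicknames "$1" "$2"); rc=0
    for n in $OCSP_SERVER_NICKS; do
        echo "$nicks" | grep -qx "$n" || { echo "server.p12 lacks nickname: $n" >&2; rc=1; }
    done
    return $rc
}

# Run both checks before "podman run"; the nickname check is skipped
# when no password is supplied.
check_ocsp_certs() {
    check_ocsp_files "$1" || return 1
    if [ -n "$2" ]; then
        check_ocsp_nicknames "$1/server.p12" "$2" || return 1
    fi
    echo "certs directory $1 looks complete"
}
```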
Run the OCSP container with the following command:
$ podman run \
    --name=ocsp \
    --hostname=ocsp.example.com \
    --network=example \
    --network-alias=ocsp.example.com \
    -v $PWD/certs:/certs \
    -v $PWD/data:/data \
    -p 8080:8080 \
    -p 8443:8443 \
    --privileged \
    -d \
    quay.io/dogtagpki/pki-ocsp:latest
Wait until the OCSP service is running:
$ podman logs -f ocsp
If the OCSP container is no longer needed, it can be removed with the following command:
$ podman rm -f ocsp