Deploying Issuer using Docker
Instructions are also available for deploying Issuer on Kubernetes.
Once your settings have been configured in the Venafi Control Plane, it's time to deploy your Issuer using Docker.
Before you begin
You will need a clientID to complete these steps. The clientID is a unique ID tied to the service account you created. When you created your service account, we suggested that you save the clientID in a place you could locate it, so you could use it during this part of the process. If you need help, go back to service accounts for info.
To deploy your Issuer, you need to log in to the Linux machine with the Issuer Docker image and create a configuration file.
- Make sure you have the latest Issuer Docker image. Run the following command to be sure.
docker pull registry.venafi.cloud/public/venafi-images/firefly:v1.8.1
- In opt/firefly, create a config.yaml file. Use the following file as a reference, replacing the sample values with the correct values for your setup.
### Issuer sample config.yaml file for using Docker
###
### Required statements are not commented out.
### Optional sections ARE commented out.
### READ the instructions for each section.
###
### HOW TO USE THIS FILE:
###
### SAVE this file as config.yaml in your Docker container's /opt/Issuer folder

##### GENERAL CONFIGURATION
# REPLACE 'privateKeyFile' value with the path
# to the private key used to create the
# service account.
# REPLACE 'clientID' value with the value you
# copied when you created the service account.
# See note about 'clientID' at top of page.
bootstrap:
  vaas:
    auth:
      privateKeyFile: /etc/firefly/svc-acct.key
      clientID: fef042a3-567d-4f76-bd6b-7f5d054fb03e
    csr:
      instanceNaming: EC-Issuer

##### SERVER SETTINGS
# You MUST use at least ONE of the three server types,
# but you can use any combination of API server
# types that you want Issuer to support.
# REPLACE 'port' with the port used by that service, if different
# REPLACE 'dnsNames' URL value with the name to be
# put into the server certificate for the Issuer CA.
# REPLACE 'ipAddress' with IP of the API server
server:
#  grpc:
#    port: 8081
#    tls:
#      dnsNames:
#      - firefly.venafi.example
#      ipAddress: 192.168.1.175
#  rest:
#    port: 8281
#    tls:
#      dnsNames:
#      - firefly.venafi.example
#      ipAddress: 172.168.1.175
- Review the Venafi End User License Agreement. In the next command, you will be accepting these Terms. By continuing, you agree to these Terms.
- From Docker, mount the volume and start Issuer.
docker run -u "$(id -u):$(id -g)" -e ACCEPT_TERMS=Y -p 8081:8081 -p 8123:8123 -p 8281:8281 --cap-add=IPC_LOCK \
  -v /opt/firefly/config.yaml:/etc/firefly/config.yaml:ro \
  -v /opt/firefly/svc-acct.key:/etc/firefly/svc-acct.key:ro \
  registry.venafi.cloud/public/venafi-images/firefly:v1.8.1 run -c /etc/firefly/config.yaml
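Before starting the container, the host files can be checked for the mistakes this procedure makes easy: the sample clientID left in place, every server type still commented out, a privateKeyFile that names the host path instead of the mount target, or a service account key readable by other users. The script below is an added example, not part of the Venafi documentation; the function names `preflight` and `write_sample`, and the placeholder values `write_sample` writes, are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight check for the host files mounted into the Issuer container.
# Assumption: config.yaml and svc-acct.key sit in one host directory and are
# mounted under /etc/firefly/, as in the docker run command on this page.
SAMPLE_CLIENT_ID='fef042a3-567d-4f76-bd6b-7f5d054fb03e'  # value in the sample file

fail() { echo "FAIL: $1" >&2; problems=$((problems + 1)); }

preflight() {
    cfg=$1/config.yaml; key=$1/svc-acct.key; problems=0
    [ -r "$cfg" ] || { fail "cannot read $cfg"; return 1; }
    [ -r "$key" ] || { fail "cannot read $key"; return 1; }
    # The key is the service account credential: no group/other permission bits.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        fail "$key is accessible to group/other; chmod 600 it"
    # privateKeyFile is resolved inside the container, so it must name the mount target.
    grep -Eq '^[[:space:]]*privateKeyFile:[[:space:]]*/etc/firefly/svc-acct\.key[[:space:]]*$' "$cfg" ||
        fail "privateKeyFile does not point at /etc/firefly/svc-acct.key"
    # The clientID from the sample file must have been replaced with your own.
    grep -Eq "^[[:space:]]*clientID:[[:space:]]*$SAMPLE_CLIENT_ID" "$cfg" && fail "clientID is still the sample value"
    # Every server type is commented out in the sample; at least one must be enabled.
    awk '/^server:/ {s=1; next}
         s && /^[^ #]/ {s=0}
         s && /^ +[A-Za-z]+:/ {found=1}
         END {exit !found}' "$cfg" || fail "no server type enabled under server:"
    [ "$problems" -eq 0 ]
}

# Constructed sample input: the page's config as shipped (bad=1) or corrected (bad=0).
# The corrected clientID and the key contents are made-up placeholders.
write_sample() {
    dir=$1; bad=$2; id=00000000-0000-4000-8000-000000000000; pre=''
    [ "$bad" -eq 1 ] && { id=$SAMPLE_CLIENT_ID; pre='#'; }
    printf 'placeholder, not a real key\n' > "$dir/svc-acct.key"
    chmod "$([ "$bad" -eq 1 ] && echo 644 || echo 600)" "$dir/svc-acct.key"
    cat > "$dir/config.yaml" <<EOF
bootstrap:
  vaas:
    auth:
      privateKeyFile: /etc/firefly/svc-acct.key
      clientID: $id
server:
$pre  rest:
$pre    port: 8281
EOF
}

[ $# -eq 0 ] || preflight "$1"
```

Saved under a name of your choice, the script takes the host directory as its only argument; a non-zero exit status means at least one check failed.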
What's next?
That's it! You've configured Issuer and started an Issuer server. As Issuer issues certificates, you will see them on the Issuer Certificates dashboard.