
Installing Distributed Issuer using Docker

In this tutorial, you'll use Docker to install Distributed Issuer and connect it to Next-Gen Trust Security (NGTS), from which it will bootstrap its security settings.

Prerequisites

To install Distributed Issuer, first complete pre-installation in the NGTS user interface and save your credentials. Then, prepare your environment.

Complete pre-installation

Complete the steps in Getting started with Distributed Issuer, which include creating a CA account and subordinate CA, adding policies, creating a Built-in Account for authentication, and adding a bootstrap configuration.

Save the following credentials:

  • Private key: From your key pair, saved during account creation.
  • Client ID: From your Built-in Account, for example 00000000-0000-0000-0000-000000000000. On the Built-in Accounts page, click the account name and in the details drawer that appears, copy from the Client ID field.
  • Tenant Service Group ID (TSG ID): From your Built-in Account, for example 0000000000. On the Built-in Accounts page, copy the Tenant ID shown in the same details drawer as the Client ID. This is the value that goes in the tsgID field of config.yaml.

Prepare your environment

To install Distributed Issuer, you must have:

  • A Linux server with Docker installed.
  • Outbound access from the server to the NGTS API, so Distributed Issuer can connect for authentication and configuration. See network requirements.

Install using Docker

  1. Pull the latest Distributed Issuer Docker image.

    docker pull registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.12.0
    
  2. Create a built-in-account.key file containing the private key linked to the Built-in Account you created.

  3. Create a config.yaml file. Replace the placeholder values with your installation details and uncomment at least one server type, gRPC or REST.

    config.yaml
    bootstrap:
      ngts:
        connection:
          inline:
            tsgID: "1426959155" # (1)!
    
            jwt:
              - file:
                  path: /container-mount/built-in-account.key # (2)!
              # Alternatively, load the private key from an environment variable instead of a file:
              # - environmentVariable:
              #     names: ["NGTS_PRIVATE_KEY"]
    
              - privateKeyJWT:
                  clientID: 00000000-0000-0000-0000-000000000000 # (3)!
        csr:
          instanceNaming: Distributed-Issuer
    
    server:
    #  grpc:
    #    port: 8001
    #    tls:
    #      dnsNames:
    #        - distributed-issuer.example.com
    #      ipAddress: 10.20.30.40
    #  rest:
    #    port: 8002
    #    tls:
    #      dnsNames:
    #        - distributed-issuer.example.com
    #      ipAddress: 10.20.30.40
    
    1. Tenant Service Group ID for your NGTS tenant.
    2. Path inside the container to the private key from your NGTS Built-in Account.
    3. The client ID from your Built-in Account.
  4. If needed, review and agree to the Palo Alto Networks End User License Agreement.

  5. Start Distributed Issuer, bind-mounting the key file and config.yaml read-only into the container. The -u flag runs the issuer as your own user, so the key file must be readable by that user, but it is the Built-in Account credential and should be readable by nobody else (chmod 600 built-in-account.key). --cap-add=IPC_LOCK grants the capability that mlock() requires. Give -v absolute host paths; older Docker versions reject relative bind-mount sources.

    • For FIPS, replace distributed-issuer-public/distributed-issuer with distributed-issuer/distributed-issuer-fips.
    docker run -u "$(id -u):$(id -g)" --cap-add=IPC_LOCK \
        -p 8001:8001 -p 8002:8002 \
        -v "$(pwd)/built-in-account.key:/container-mount/built-in-account.key:ro" \
        -v "$(pwd)/config.yaml:/container-mount/config.yaml:ro" \
        registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.12.0 \
        run -c /container-mount/config.yaml
    
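The five steps above, as an added example script that is not part of this page or of the Distributed Issuer product. It renders config.yaml from the three credentials, refuses to start if the TSG ID or client ID is malformed or if the key file is not an owner-only PEM private key, and then runs the same docker pull and docker run commands as the page. The validation rules, the helper names, the DNS_NAME default and the TSG_ID/CLIENT_ID/SERVER environment variables are assumptions made for this example; the image, ports and container paths are taken from the steps above.

```shell
#!/bin/sh
# Added example, not the product's own tooling: wraps the Docker install
# procedure in a script that checks its inputs before starting the container.
# Validation rules and variable names below are assumptions for this example.
set -eu

IMAGE="${IMAGE:-registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.12.0}"
KEY_FILE="${KEY_FILE:-./built-in-account.key}"
CONFIG_FILE="${CONFIG_FILE:-./config.yaml}"
DNS_NAME="${DNS_NAME:-distributed-issuer.example.com}"   # assumed server name

# Assumption: a Tenant Service Group ID is a non-empty string of digits.
valid_tsg_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Assumption: a Built-in Account client ID is a canonical 8-4-4-4-12 UUID.
valid_client_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# The key is bind-mounted read-only into a container running as your own uid,
# so it must exist, be a PEM private key, and have no group/other permission bits.
check_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "key file $f not found" >&2; return 1; }
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" \
    || { echo "$f does not look like a PEM private key" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU, then BSD stat
  case "$mode" in
    *00) return 0 ;;                                  # 600, 400, ...: owner-only
    *) echo "$f has mode $mode; run: chmod 600 $f" >&2; return 1 ;;
  esac
}

# Render config.yaml for one server type (grpc on 8001 or rest on 8002),
# so a mistyped ID fails here instead of at bootstrap against NGTS.
write_config() {
  tsg="$1"; client="$2"; server="$3"; out="$4"
  valid_tsg_id "$tsg" || { echo "bad TSG ID: $tsg" >&2; return 1; }
  valid_client_id "$client" || { echo "bad client ID: $client" >&2; return 1; }
  case "$server" in
    grpc) port=8001 ;;
    rest) port=8002 ;;
    *) echo "server type must be grpc or rest" >&2; return 1 ;;
  esac
  cat > "$out" <<EOF
bootstrap:
  ngts:
    connection:
      inline:
        tsgID: "$tsg"
        jwt:
          - file:
              path: /container-mount/built-in-account.key
          - privateKeyJWT:
              clientID: $client
    csr:
      instanceNaming: Distributed-Issuer
server:
  $server:
    port: $port
    tls:
      dnsNames:
        - $DNS_NAME
EOF
}

# Pull the image and start the container; bind-mount sources are made absolute
# because older Docker versions reject relative ones.
run_issuer() {
  check_key_file "$KEY_FILE"
  [ -f "$CONFIG_FILE" ] || { echo "$CONFIG_FILE missing; run write_config first" >&2; return 1; }
  key_abs=$(realpath "$KEY_FILE"); cfg_abs=$(realpath "$CONFIG_FILE")
  docker pull "$IMAGE"
  docker run -u "$(id -u):$(id -g)" --cap-add=IPC_LOCK \
    -p 8001:8001 -p 8002:8002 \
    -v "$key_abs:/container-mount/built-in-account.key:ro" \
    -v "$cfg_abs:/container-mount/config.yaml:ro" \
    "$IMAGE" run -c /container-mount/config.yaml
}

# Usage: TSG_ID=1426959155 CLIENT_ID=<uuid> SERVER=grpc ./install.sh run
if [ "${1:-}" = "run" ]; then
  write_config "${TSG_ID:?set TSG_ID}" "${CLIENT_ID:?set CLIENT_ID}" "${SERVER:-grpc}" "$CONFIG_FILE"
  run_issuer
fi
```

Nothing happens unless the script is invoked with the run argument, so the functions can be sourced and exercised on their own. The permission check is deliberately strict: the container sees the key as your uid, so the only legitimate mode is owner-only.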

What's next?

Distributed Issuer is now installed and configured to issue and manage certificates in your environment. Review certificates on the Issuer Certificates page.