
Installing Distributed Issuer using Docker

In this tutorial, you'll use Docker to install Distributed Issuer and connect it to Next-Gen Trust Security, from which it will bootstrap its security settings.

Prerequisites

To install Distributed Issuer, first complete pre-installation in the Next-Gen Trust Security user interface and save your credentials. Then, prepare your environment.

Complete pre-installation

Complete the steps in Getting started with Distributed Issuer, which include creating a CA account and subordinate CA, adding policies, creating a Built-in Account for authentication, and adding a bootstrap configuration.

Save the following credentials:

  • Private key: The private key from your Built-in Account.
  • Client ID: The clientID for your Built-in Account.
  • Tenant Service Group ID: The tsgID for your tenant, from your user profile at bottom left in Next-Gen Trust Security. For example, 1426959155.

Prepare your environment

To install Distributed Issuer, you must have:

  • A Linux server with Docker installed.
  • Outbound access from the Docker host to the Next-Gen Trust Security API, so Distributed Issuer can connect for authentication and configuration. See network requirements.

Install using Docker

  1. Pull the latest Distributed Issuer Docker image.

    docker pull registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.11.0
    
  2. Create a built-in-account.key file containing the private key linked to the Built-in Account you created. Restrict it to the user that will start the container (for example, chmod 600 built-in-account.key): the run command in step 5 starts the container as that user, so the key must be readable by that user and should be readable by no one else.

  3. Create a config.yaml file. Replace the placeholder values with your installation details and uncomment at least one server type, gRPC or REST.

    config.yaml
    bootstrap:
      ngts:
        connection:
          inline:
            tsgID: "1426959155" # (1)!
    
            jwt:
              - file:
                  path: /container-mount/built-in-account.key # (2)!
              # Alternately, load the private key from an environment variable instead of a file:
              # - environmentVariable:
              #     names: ["NGTS_PRIVATE_KEY"]
    
              - privateKeyJWT:
                  clientID: 00000000-0000-0000-0000-000000000000 # (3)!
        csr:
          instanceNaming: Distributed-Issuer
    
    server:
    #  grpc:
    #    port: 8001
    #    tls:
    #      dnsNames:
    #        - distributed-issuer.example.com
    #      ipAddress: 10.20.30.40
    #  rest:
    #    port: 8002
    #    tls:
    #      dnsNames:
    #        - distributed-issuer.example
    #      ipAddress: 10.20.30.40
    
    1. Tenant Service Group ID for your Next-Gen Trust Security tenant.
    2. Path inside the container to the private key from your Next-Gen Trust Security Built-in Account.
    3. The client ID from your Built-in Account.
  4. If needed, review and agree to the Palo Alto Networks End User License Agreement.

  5. Mount the key and configuration files into the container and start Distributed Issuer. Both files are mounted read-only, and the ports published with -p must match the server types you uncommented in config.yaml.

    • For FIPS, replace distributed-issuer-public/distributed-issuer with distributed-issuer/distributed-issuer-fips.
    docker run -u "$(id -u):$(id -g)" --cap-add=IPC_LOCK \
        -p 8001:8001 -p 8002:8002 \
        -v ./built-in-account.key:/container-mount/built-in-account.key:ro \
        -v ./config.yaml:/container-mount/config.yaml:ro \
        registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.11.0 \
        run -c /container-mount/config.yaml
    
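As an added example, not code from the Distributed Issuer project or its documentation, the following POSIX shell script performs the preflight checks a practitioner would want before step 5 and then builds the docker run command from the files themselves: it verifies the key file is readable only by the invoking user, rejects a config.yaml that still carries the template placeholders or has no server type uncommented, publishes only the ports of the server blocks that are actually enabled, and mounts the key at the path the config names so the mount and the config cannot drift apart. It assumes the config.yaml layout from step 3, that the client ID is a UUID as the template placeholder suggests, and that the key file is owned by the user running docker; the script name di-preflight.sh, the function names and the DI_DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Preflight checks and run-command builder for the Docker install in steps 2-5.
# Added example; not part of the Distributed Issuer product or its documentation.
# Assumptions not stated on the page: config.yaml keeps the step 3 layout, the
# client ID is a UUID, and the key file is owned by the user who runs docker.

DI_IMAGE="registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.11.0"

# Resolve a path to an absolute one without relying on realpath(1).
di_abspath() {
  case "$1" in
    /*) printf '%s\n' "$1" ;;
    *)  printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")" ;;
  esac
}

# di_check_key FILE
# The container runs as the invoking user (-u "$(id -u):$(id -g)"), so the key must
# be readable by that user, and it should be readable by nobody else (mode 600/400).
di_check_key() {
  key="$1"
  [ -f "$key" ] && [ -s "$key" ] || { echo "key file missing or empty: $key" >&2; return 1; }
  [ -r "$key" ] || { echo "key file not readable by uid $(id -u): $key" >&2; return 1; }
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
  case "$mode" in
    600|400) return 0 ;;
    *) echo "key file $key has mode $mode; fix with: chmod 600 $key" >&2; return 1 ;;
  esac
}

# di_check_config FILE
# Rejects template placeholders and enforces the "uncomment at least one server
# type" rule from step 3, so a bad config fails here rather than inside the container.
di_check_config() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "config missing: $cfg" >&2; return 1; }
  grep -Eq '^[[:space:]]*tsgID:[[:space:]]*"[0-9]+"' "$cfg" \
    || { echo "tsgID must be the quoted numeric Tenant Service Group ID" >&2; return 1; }
  if grep -Eq '^[[:space:]]*clientID:[[:space:]]*0{8}(-0{4}){3}-0{12}' "$cfg"; then
    echo "clientID is still the template placeholder" >&2; return 1
  fi
  grep -Eiq '^[[:space:]]*clientID:[[:space:]]*[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' "$cfg" \
    || { echo "clientID is not a UUID" >&2; return 1; }
  grep -Eq '^[[:space:]]*path:[[:space:]]*/' "$cfg" \
    || { echo "jwt file path must be an absolute path inside the container" >&2; return 1; }
  grep -Eq '^[[:space:]]*(grpc|rest):' "$cfg" \
    || { echo "uncomment at least one server type (grpc or rest) under server:" >&2; return 1; }
}

# di_run_args CFG KEY
# Prints the docker arguments one per line (safe for paths containing spaces).
# Published ports come from the uncommented port: lines; the key is mounted at the
# path the config itself names, so the mount and the config cannot disagree.
di_run_args() {
  cfg="$1"; key="$2"
  key_target=$(sed -n 's/^[[:space:]]*path:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | head -n 1)
  printf 'run\n--user=%s:%s\n--cap-add=IPC_LOCK\n' "$(id -u)" "$(id -g)"
  sed -n 's/^[[:space:]]*port:[[:space:]]*\([0-9][0-9]*\).*/--publish=\1:\1/p' "$cfg"
  printf '%s\n' "--volume=$(di_abspath "$key"):$key_target:ro"
  printf '%s\n' "--volume=$(di_abspath "$cfg"):/container-mount/config.yaml:ro"
  printf '%s\nrun\n-c\n/container-mount/config.yaml\n' "$DI_IMAGE"
}

# di_main CFG KEY: run the checks, show the command, then start the container.
# Set DI_DRY_RUN=1 to stop after printing the command.
di_main() {
  di_check_key "$2" && di_check_config "$1" || return 1
  args=$(di_run_args "$1" "$2")
  printf 'docker %s\n' "$(printf '%s' "$args" | tr '\n' ' ')"
  [ -n "${DI_DRY_RUN:-}" ] && return 0
  # Split on newlines only, with globbing off, so each printed line is one argument.
  ( IFS='
'; set -f; set -- $args; docker "$@" )
}

# Usage: sh di-preflight.sh config.yaml built-in-account.key
if [ $# -eq 2 ]; then di_main "$1" "$2"; fi
```

Run it from the directory holding the two files; with DI_DRY_RUN=1 it only prints the exact docker run line it would execute, which is a convenient way to review the port and mount arguments before the container starts.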

What's next?

Distributed Issuer is now installed and configured to issue and manage certificates in your environment. Review certificates on the Issuer Certificates page.