Complete Guide: Deploying Dogtag PKI for X-Road with Docker Compose

This guide walks step by step through building a certification infrastructure based on Dogtag PKI (CA + OCSP + TSA + CRL) with Docker Compose on Ubuntu 22.04 or 24.04.


✅ System requirements

  • Ubuntu Server 22.04 LTS or 24.04 LTS
  • Docker
  • Docker Compose v2
  • root or sudo access

1. Install dependencies

sudo apt update && sudo apt upgrade -y
# docker-compose-v2 provides the "docker compose" plugin used below (the docker-compose package is the legacy v1 tool)
sudo apt install -y git curl docker.io docker-compose-v2 unzip tree
sudo systemctl enable docker --now

📁 2. Folder structure

mkdir -p ~/xroad-pki-docker/{pki-ca,pki-ocsp,pki-tsa,crl}
cd ~/xroad-pki-docker

📄 3. docker-compose.yml file

Create ~/xroad-pki-docker/docker-compose.yml with the following content:

version: '3.8'

services:

  pki-ca:
    build: ./pki-ca
    container_name: xroad-pki-ca
    hostname: ca.xroad.local
    environment:
      # read by init.sh; pkispawn -s must receive the section name used in ca.cfg
      - PKI_SUBSYSTEM=CA
    ports:
      - "8080:8080"
      - "8443:8443"
    networks:
      - pki

  pki-ocsp:
    build: ./pki-ocsp
    container_name: xroad-pki-ocsp
    hostname: ocsp.xroad.local
    environment:
      - PKI_SUBSYSTEM=OCSP
    # container-side ports equal pki_http_port / pki_https_port in ocsp.cfg,
    # otherwise the published host ports would point at nothing
    ports:
      - "8180:8180"
      - "8543:8543"
    depends_on:
      - pki-ca
    networks:
      - pki

  pki-tsa:
    build: ./pki-tsa
    container_name: xroad-pki-tsa
    hostname: tsa.xroad.local
    environment:
      # tsa.cfg defines a [TKS] section, so the subsystem name passed to pkispawn is TKS
      - PKI_SUBSYSTEM=TKS
    # container-side ports equal pki_http_port / pki_https_port in tsa.cfg
    ports:
      - "8780:8780"
      - "8743:8743"
    depends_on:
      - pki-ca
    networks:
      - pki

  crl-server:
    image: nginx:alpine
    container_name: xroad-crl
    volumes:
      - ./crl:/usr/share/nginx/html:ro
    ports:
      - "8081:80"
    networks:
      - pki

networks:
  pki:
    driver: bridge

👷 4. Files for each service

init.sh (shared by all three services)

#!/bin/bash
set -e
# PKI_SUBSYSTEM (CA, OCSP or TKS) comes from docker-compose.yml and must match
# the section name of the config file copied to /config.cfg
: "${PKI_SUBSYSTEM:?PKI_SUBSYSTEM must be set to CA, OCSP or TKS}"
pkispawn -f /config.cfg -s "$PKI_SUBSYSTEM"
# keep the container in the foreground by following the subsystem log, which
# Dogtag writes under /var/log/pki/<instance>/<subsystem>/ (instance pki-xroad)
exec tail -F "/var/log/pki/pki-xroad/${PKI_SUBSYSTEM,,}/system"

Copy this script to pki-ca/init.sh, pki-ocsp/init.sh and pki-tsa/init.sh.


Dockerfile (example for pki-ca)

FROM quay.io/centos/centos:stream9
# pki-server provides pkispawn; pki-ca is the CA subsystem package
# (the other two images need the matching subsystem package: pki-ocsp, pki-tks)
RUN dnf install -y pki-server pki-ca java-17-openjdk && dnf clean all
COPY init.sh /init.sh
COPY ca.cfg /config.cfg
RUN chmod +x /init.sh
CMD ["/init.sh"]

Just replace ca.cfg with ocsp.cfg or tsa.cfg in the corresponding directories.


🔧 5. Configuration files

pki-ca/ca.cfg

[CA]
pki_instance_name=pki-xroad
pki_https_port=8443
pki_http_port=8080
pki_ajp_port=8009
pki_admin_name=caadmin
pki_admin_uid=caadmin
pki_admin_email=admin@xroad.local
pki_admin_password=SenhaF0rte!
pki_ds_database=pki_xroad_ca
pki_ds_hostname=localhost
pki_ds_password=SenhaF0rte!
pki_security_domain_name=XROAD-SECURITY

pki-ocsp/ocsp.cfg

[OCSP]
pki_instance_name=pki-xroad
pki_https_port=8543
pki_http_port=8180
pki_ajp_port=8019
pki_admin_name=ocspadmin
pki_admin_uid=ocspadmin
pki_admin_email=ocsp@xroad.local
pki_admin_password=SenhaF0rte!
pki_ds_database=pki_ocsp
pki_ds_hostname=localhost
pki_ds_password=SenhaF0rte!
pki_security_domain_name=XROAD-SECURITY

pki-tsa/tsa.cfg

[TKS]
pki_instance_name=pki-xroad
pki_https_port=8743
pki_http_port=8780
pki_ajp_port=8029
pki_admin_name=tsaadmin
pki_admin_uid=tsaadmin
pki_admin_email=tsa@xroad.local
pki_admin_password=SenhaF0rte!
pki_ds_database=pki_tks
pki_ds_hostname=localhost
pki_ds_password=SenhaF0rte!
pki_security_domain_name=XROAD-SECURITY
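An added consistency check, not part of the original guide: the ports a .cfg hands to pkispawn are the ports Tomcat binds inside the container, so a compose mapping such as "8180:8080" reaches nothing when the cfg sets pki_http_port=8180, and reusing one password for the admin account and the directory server is worth flagging before pkispawn runs. The script reads a pkispawn config with configparser (the files are INI syntax) and compares it with a service's compose port mappings; the OCSP sample and the mappings are constructed inline from the values in this guide.

```python
import configparser

# Constructed sample: the OCSP section as written in ocsp.cfg above (abridged).
OCSP_CFG = """
[OCSP]
pki_instance_name=pki-xroad
pki_https_port=8543
pki_http_port=8180
pki_ajp_port=8019
pki_admin_password=SenhaF0rte!
pki_ds_password=SenhaF0rte!
"""

# Section names pkispawn accepts with -s
KNOWN_SUBSYSTEMS = {"CA", "KRA", "OCSP", "TKS", "TPS"}


def parse_pkispawn_cfg(text):
    """Return (subsystem, settings); the section name is what pkispawn -s needs."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    subsystem = cp.sections()[0]
    return subsystem, dict(cp[subsystem])


def container_ports(mappings):
    """Compose 'host:container' strings -> set of container-side ports."""
    return {int(m.strip('"').split(":")[1]) for m in mappings}


def check_service(cfg_text, mappings):
    """Return findings for one service; an empty list means cfg and compose agree."""
    subsystem, cfg = parse_pkispawn_cfg(cfg_text)
    findings = []
    if subsystem not in KNOWN_SUBSYSTEMS:
        findings.append(f"unknown subsystem section [{subsystem}]")
    exposed = container_ports(mappings)
    # Each published mapping must target the port Tomcat actually listens on.
    for key in ("pki_http_port", "pki_https_port"):
        port = int(cfg[key])
        if port not in exposed:
            findings.append(f"{subsystem}: {key}={port} is not a published container port {sorted(exposed)}")
    admin_pw = cfg.get("pki_admin_password")
    if admin_pw and admin_pw == cfg.get("pki_ds_password"):
        findings.append(f"{subsystem}: pki_admin_password equals pki_ds_password")
    return findings


if __name__ == "__main__":
    for finding in check_service(OCSP_CFG, ["8180:8080", "8543:8443"]):
        print("FINDING:", finding)
```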

🌐 6. CRL server (Nginx)

Create crl/index.html with:

<h1>CRL Server online - Dogtag PKI</h1>

▶️ 7. Build and run

cd ~/xroad-pki-docker
docker compose build
docker compose up -d

📊 8. Check status

docker ps

Expected containers:

  • xroad-pki-ca
  • xroad-pki-ocsp
  • xroad-pki-tsa
  • xroad-crl

🔗 9. Local access URLs

Component    URL
CA Web UI    https://localhost:8443/ca/admin/console
OCSP         http://localhost:8180
TSA          https://localhost:8743
CRL          http://localhost:8081

🧹 10. Stop the environment

docker compose down

You now have a working Dogtag PKI infrastructure for X-Road.
