This repository provides the required tools for a local docker deployment of the PKI Toolkit provided by the Munich University of Applied Sciences.
- Valid Sectigo Account
- Enabled API in Sectigo Cert-Manager
- Installed Docker
- OIDC at your IDP or any other OIDC provider
- Overall 5 FQDNs
- Frontend (e.g. pki.example.edu)
- Urls for EAB, PKI and Domainmanagement REST-Service
- ACME
Setting up and configuring an shibboleth IDP to provide an working OIDC endpoint can be pretty cumberstone.
The following configuration must be adapted for the own domains but provides a basic setup. The second client allows the use of OAuth2 beside OIDC. This results in 'readable' JWT for the frontend and the backend.
{
"scope":"openid profile email offline_access Certificates Domains EAB",
"redirect_uris":["https://pki.example.edu/api/auth/callback/oidc"],
"client_id":"pki.example.edu"
"subject_type":"pairwise",
"client_secret":"XXXXXXXXXXXXX",
"response_types": [
"code"
],
"grant_types": [
"authorization_code",
"refresh_token"
],
"audience": [
"https://api.example.edu"
]
}, {
"client_id":"https://api.example.edu"
}
Please ensure that the following points are also configured:
- Active
OAUTH2.TokenAudience
profile in the relying-party.xml - The Client Secret is passed as HTTP-Header and thus should contain any strange special characters. We recommend a long alpha-numeric string
Before building and starting the containers serveral environment variables should be configured. Therefor you should copy the .env.example
file to .env
and set the appropriate values.
Variable | Description | Example Value |
---|---|---|
SECTIGO_USER | Your Sectigo Username | youruser |
SECTIGO_PASSWORD | Your Sectigo Password | yourpassword |
SMIME_ORG_ID | The Organization ID to be used for SMIME Certificates (can be found in the Sectigo Certificate Manager -> Organization -> ID) | 1234 |
SSL_ORG_ID | The Organization ID to be used for SSL Certificates (normaly the same as for SMIME) | 1234 |
SSL_TERM | The requested validity of the SSL certificate. | 365 |
SSL_PROFILE | The requested profile of the SSL certificate | 15863 |
SMIME_TERM | The requested validity of the SMIME certificate. | 1095 |
SMIME_STUDENT_TERM | The requested validity of the SMIME certificate for students. | 365 |
SMIME_PROFILE | The requested profile of the SMIME certificate. | 16307 |
SMIME_KEY_LENGTH | The requested keylength of the SMIME certificate. | 3072 |
SMIME_KEY_TYPE | The requested key type of the SMIME certificate. (Currently only RSA is supported and recommended) | RSA |
JWKS_URI | The URI to your JSON Web Key Set to validate the OIDC/OAuth2 Authentication | https://your.idp.example.edu/idp/profile/oidc/keyset |
AUDIENCE | The used adiennce for OAuth2 (must be the same value as AUTH_RESOURCE ) |
https://api.example.edu |
NEXTAUTH_URL | The canonical URL of your site | https://pki.example.edu |
NEXT_PUBLIC_AUTH_IDP | The IDP that shal be used for OIDC authentication | https://sso.example.edu |
NEXT_PUBLIC_EAB_HOST | The API Backend host for EAB operations | https://eab.api.example.edu |
NEXT_PUBLIC_PKI_HOST | The API Backend host for PKI operations | https://pki.api.example.edu |
NEXT_PUBLIC_DOMAIN_HOST | The API Backend host for Domain operations | https://domain.api.example.edu |
NEXT_PUBLIC_ACME_HOST | The host for ACME operations | https://domain.api.example.edu |
NEXT_PUBLIC_SENTRY_DSN | In case of using sentry the sentry DSN to upload error reports | |
AUTH_CLIENT_ID | The OIDC Client ID | pki |
AUTH_CLIENT_SECRET | The OIDC Client Secret | Random String |
AUTH_IDP | The IDP that shal be used for OIDC authentication (Should be the same as during build time) | https://sso.example.edu |
AUTH_RESOURCE | The requested OIDC resource to get OAuth2 working. | https://api.example.edu |
AUTH_SECRET | The Next.JS Auth Secret used to encrypt JWT | Random String |
After setting all required values you can build the docker containers.
docker compose build
Afterwards you should be able to start the deployment
docker compose up -d