Installing Rest PKI Core on Rocky Linux
To install an on-premises instance of Rest PKI Core on Rocky Linux, follow the steps below. Separate instructions exist for other platforms.
Prerequisites
- Rocky Linux 8.x or greater
- Connection string to a previously created SQL Server or PostgreSQL database
- PKI SDK license (in Base64 format)
- Web PKI license (Base64/binary format)
Install the ASP.NET Core Runtime 6.0
Important
These instructions assume you are logged in as root. If you are not, run sudo su - before continuing!
Install the ASP.NET Core runtime package:
yum install aspnetcore-runtime-6.0
To test the installation, run:
dotnet --list-runtimes
The expected output is similar to:
Microsoft.AspNetCore.App 6.0.* [*/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.* [*/dotnet/shared/Microsoft.NETCore.App]
Tip
For other operating system versions and alternative ways to install the ASP.NET Core Runtime, see Microsoft's .NET installation documentation for Linux.
Install Rest PKI Core
Create a local user to run the Rest PKI Core instance:
mkdir /var/restpkicore
useradd --system --home-dir /var/restpkicore restpkicore
chown restpkicore:restpkicore /var/restpkicore
Create the site folder, download and extract the binaries:
mkdir /usr/share/restpkicore
curl -O https://cdn.lacunasoftware.com/restpkicore/restpkicore-2.2.2.tar.gz
tar xzf restpkicore-2.2.2.tar.gz -C /usr/share/restpkicore
chmod -R a=,u+rwX,go+rX /usr/share/restpkicore
Note
Site binaries are readable by any user and writable only by root. The application user (restpkicore) can therefore read but not modify the files, which is intentional: a compromise of the service process cannot tamper with the code it runs.
Create the configuration file from the given template:
mkdir /etc/restpkicore
cp /usr/share/restpkicore/config-templates/linux/appsettings.conf /etc/restpkicore/
chown -R root:restpkicore /etc/restpkicore
chmod -R a=,u+rwX,g+rX /etc/restpkicore
Note
Configuration files are readable only by members of the restpkicore group and writable only by root. This keeps the secrets stored in them (the database connection string, the encryption key and the license data) away from other local users while still letting the service account read them.
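To check that the layout above came out as intended, here is an added example (not part of the Rest PKI Core documentation) that replays the two chmod invocations on a scratch copy of the site and configuration directories and then audits them: nothing under the site directory may be writable by group or others, and nothing under the configuration directory may be accessible to others at all. It runs unprivileged, so it applies modes only and skips the chown steps; point audit_layout_perms at /usr/share/restpkicore and /etc/restpkicore to audit a real install.

```shell
#!/bin/sh
# Added example, not part of the Rest PKI Core docs. Reproduces the permission
# model of the install steps on a scratch tree and audits it. Runs as any user:
# it applies modes only and skips the chown steps.

# Same symbolic modes as the install steps:
#   $1 = site dir (binaries): owner rwX, group and others rX   -> 755 / 644
#   $2 = config dir:          owner rwX, group rX, others none -> 750 / 640
apply_layout_perms() {
    chmod -R a=,u+rwX,go+rX "$1"
    chmod -R a=,u+rwX,g+rX "$2"
}

# Audit: print offending paths, return 1 if any were found.
#   site dir:   no entry may carry a group or other write bit (octal mask 022)
#   config dir: no entry may carry any "other" bit at all     (octal mask 007)
audit_layout_perms() {
    site=$1; cfg=$2; rc=0
    bad=$(find "$site" -perm /022)
    if [ -n "$bad" ]; then
        echo "site entries writable by group/other:"; echo "$bad"; rc=1
    fi
    bad=$(find "$cfg" -perm /007)
    if [ -n "$bad" ]; then
        echo "config entries accessible by others:"; echo "$bad"; rc=1
    fi
    return $rc
}

# Self-contained demonstration on a constructed scratch tree. Returns 0 when the
# audit passes right after apply_layout_perms and fails again once the config
# file is deliberately made world-readable (the mistake the audit exists to catch).
demo_layout_perms() {
    tmp=$(mktemp -d) || return 2
    site="$tmp/usr/share/restpkicore"; cfg="$tmp/etc/restpkicore"
    mkdir -p "$site/config-templates/linux" "$cfg"
    echo "binary placeholder" > "$site/Lacuna.RestPki.Site.dll"
    echo "[General]" > "$site/config-templates/linux/appsettings.conf"
    cp "$site/config-templates/linux/appsettings.conf" "$cfg/"
    chmod 777 "$cfg/appsettings.conf"   # start from a deliberately sloppy state

    apply_layout_perms "$site" "$cfg"
    audit_layout_perms "$site" "$cfg" >/dev/null || { rm -rf "$tmp"; return 1; }

    chmod o+r "$cfg/appsettings.conf"   # simulate a careless chmod later on
    if audit_layout_perms "$site" "$cfg" >/dev/null; then rm -rf "$tmp"; return 1; fi

    rm -rf "$tmp"
    return 0
}

demo_layout_perms && echo "permission model verified on scratch tree"
```

On a real host the audit also catches the common mistake of extracting a new release with tar as the restpkicore user, which leaves the binaries owned and writable by the service account.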
Configure Rest PKI Core
Edit the configuration file to configure your Rest PKI Core instance:
nano /etc/restpkicore/appsettings.conf
In the [General] section, fill the EncryptionKey setting with a freshly generated 256-bit key. Rest PKI Core uses it to encrypt sensitive data stored in the database, so back it up alongside the database: data encrypted with it cannot be recovered without it. Generate the key with:
openssl rand -base64 32
Also in the [General] section, fill the RootPasswordHash setting: choose a strong password for root access to the dashboard and hash it (only the hash goes into the file):
dotnet /usr/share/restpkicore/Lacuna.RestPki.Site.dll -- hash-root-pass
Note
If you wish to enable user management, leave the RootPasswordHash setting blank and follow the steps in Configure OpenID Connect instead.
Fill the remaining settings according to the instructions on the configuration file.
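As an added example (not from the Rest PKI Core documentation), the following shell functions generate an EncryptionKey in the format the step above produces and check a candidate value before it is pasted into appsettings.conf: the value must be valid Base64 that decodes to exactly 32 bytes (256 bits). The check is a local sanity check written for this page; how Rest PKI Core itself reacts to a malformed or short key is not documented here, so the point is to catch a truncated paste or a 128-bit key before the service is started with it.

```shell
#!/bin/sh
# Added example, not part of the Rest PKI Core docs.

# Generate a 256-bit key, Base64-encoded, exactly as the install step does.
gen_encryption_key() {
    openssl rand -base64 32
}

# Return 0 only if $1 is Base64 that decodes to exactly 32 bytes. Anything
# else (a 128-bit key, a truncated paste, a raw hex string) is rejected.
validate_encryption_key() {
    key=$1
    # Reject characters outside the Base64 alphabet before decoding, so a
    # lenient decoder cannot silently skip them.
    case $key in
        *[!A-Za-z0-9+/=]*|"") return 1 ;;
    esac
    n=$(printf '%s' "$key" | openssl base64 -d -A 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# Exercise the check on constructed inputs. Returns 0 if every case behaves.
demo_encryption_key() {
    good=$(gen_encryption_key)
    short=$(openssl rand -base64 16)     # 128 bits: too short
    hex=$(openssl rand -hex 32)          # 64 hex chars: Base64-safe, but decodes to 48 bytes
    truncated=${good%?}                  # last character lost in a copy/paste
    validate_encryption_key "$good"      || return 1
    validate_encryption_key "$short"     && return 1
    validate_encryption_key "$hex"       && return 1
    validate_encryption_key "$truncated" && return 1
    validate_encryption_key "not base64!" && return 1
    return 0
}

demo_encryption_key && echo "key validation behaves as expected"
```

Run validate_encryption_key on the value you are about to write into the file; it is silent and exits 0 when the key is acceptable.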
Set up a daemon
Create the service definition file:
touch /etc/systemd/system/restpkicore.service
nano /etc/systemd/system/restpkicore.service
Enter the following:
[Unit]
Description=Rest PKI Core
[Service]
WorkingDirectory=/usr/share/restpkicore
ExecStart=/usr/bin/dotnet Lacuna.RestPki.Site.dll
Restart=always
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=restpkicore
User=restpkicore
Environment=ASPNETCORE_ENVIRONMENT=Linux
# Bind Kestrel to the loopback address only: Nginx (set up in the next section) proxies
# to it locally, and the unproxied HTTP endpoint should not be reachable from other hosts.
Environment=ASPNETCORE_URLS=http://localhost:5004
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false
[Install]
WantedBy=multi-user.target
Save the file, then enable the service and start it:
systemctl enable restpkicore
systemctl start restpkicore
systemctl status restpkicore
The expected output is similar to:
* restpkicore.service - Rest PKI Core
Loaded: loaded (/etc/systemd/system/restpkicore.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2019-07-07 05:50:04 UTC; 4min 22s ago
Main PID: 10960 (dotnet)
Tasks: 31 (limit: 2319)
CGroup: /system.slice/restpkicore.service
└─10960 /usr/bin/dotnet Lacuna.RestPki.Site.dll
...
Dec 04 12:45:08 server.patorum.com restpkicore[32562]: Hosting environment: Production
Dec 04 12:45:08 server.patorum.com restpkicore[32562]: Content root path: /usr/share/restpkicore
Dec 04 12:45:08 server.patorum.com restpkicore[32562]: Now listening on: http://localhost:5004
Dec 04 12:45:08 server.patorum.com restpkicore[32562]: Application started. Press Ctrl+C to shut down.
Hint: Some lines were ellipsized, use -l to show in full.
If necessary, restart the service: systemctl restart restpkicore
To test that the Rest PKI Core instance is running, run:
curl http://localhost:5004/api/system/info
The expected output is something like:
{"productName":"Lacuna Rest PKI Core","productVersion":"1.x.x","spaVersion":"...","timestamp":"..."}
Set up a reverse proxy server
Note
If you prefer to use Apache instead of Nginx, see this article.
Install Nginx (if not already installed):
yum install nginx
systemctl enable nginx.service
systemctl start nginx.service
Test that Nginx is running:
curl -I http://localhost/
Check the first lines of the output, which should be similar to:
HTTP/1.1 200 OK
Server: nginx/...
...
Edit the Nginx configuration:
nano /etc/nginx/nginx.conf
Delete or comment out (with #s) the entire server section, located right below the line include /etc/nginx/conf.d/*.conf;. After commenting out the section, the configuration file should look similar to this:
...
http {
...
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
# server {
# listen 80 default_server;
# listen [::]:80 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
...
}
Create a site configuration file for Rest PKI Core:
touch /etc/nginx/conf.d/restpkicore.conf
nano /etc/nginx/conf.d/restpkicore.conf
Enter the following, replacing the dashboard domain in the server_name entry with your own domain:
server {
listen 80;
server_name localhost restpkicore.yourcompany.com;
location / {
proxy_pass http://localhost:5004;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Tip
Your site configuration should terminate TLS: add ssl_certificate and ssl_certificate_key entries with a valid certificate and listen on port 443. Without TLS, dashboard logins and API traffic travel in cleartext between clients and Nginx. TLS configuration is outside the scope of these instructions.
Allow Nginx, which SELinux confines to the httpd_t domain, to open outbound network connections to the Rest PKI Core service:
setsebool -P httpd_can_network_connect on
Test the Nginx configuration and reload it:
nginx -t
nginx -s reload
Test the site:
curl http://localhost/api/system/info
Allow HTTP and HTTPS traffic to your system (if not already allowed):
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
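The firewall rules above open only ports 80 and 443, so the Kestrel endpoint on port 5004 stays reachable only through Nginx as long as firewalld is running and Kestrel binds only to the loopback address (ASPNETCORE_URLS=http://localhost:5004 in the unit file; the wildcard form http://+:5004 listens on every interface). A host without firewalld, or a unit file still using the wildcard, exposes the unproxied HTTP endpoint to the network. The following check, added for this page and not part of Rest PKI Core, parses ss -ltn output and reports any listener on 5004 bound to a non-loopback address. The two sample outputs are constructed; check_live_kestrel runs the same logic against the real socket table.

```shell
#!/bin/sh
# Added example, not part of the Rest PKI Core docs. Reads `ss -ltn` output on
# stdin and prints every LISTEN socket on port $1 whose local address is not
# a loopback address, i.e. an endpoint reachable from other hosts.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                         # "Local Address:Port" column
            n = split(addr, f, ":")
            if (f[n] != port) next            # not the port we care about
            host = substr(addr, 1, length(addr) - length(f[n]) - 1)
            if (host == "127.0.0.1" || host == "[::1]") next
            print addr                        # wildcard or interface address: exposed
        }'
}

# Run the check against the live socket table; exit 0 = exposed, 1 = loopback only.
check_live_kestrel() {
    ss -ltn | exposed_listeners "${1:-5004}" | grep -q .
}

# Constructed samples of `ss -ltn` output (not captured from a real host).
# With ASPNETCORE_URLS=http://+:5004 Kestrel binds the wildcard address:
SS_WILDCARD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      511             [::]:80            [::]:*
LISTEN 0      512                *:5004             *:*'
# With ASPNETCORE_URLS=http://localhost:5004 it binds loopback only:
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      511             [::]:80            [::]:*
LISTEN 0      512        127.0.0.1:5004       0.0.0.0:*
LISTEN 0      512            [::1]:5004          [::]:*'

# Apply the check to a sample: $1 = port, $2 = ss output.
exposed_in_sample() {
    printf '%s\n' "$2" | exposed_listeners "$1"
}

exposed_in_sample 5004 "$SS_WILDCARD"    # prints *:5004
exposed_in_sample 5004 "$SS_LOOPBACK"    # prints nothing
```

Port 80 is reported as exposed by design: that is Nginx, which is meant to be reachable. The check is about port 5004 appearing on anything other than 127.0.0.1 or [::1].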