OpenXPKI with mTLS A Docker Compose Setup

본 문서는 Docker Compose로 mTLS를 위한 OpenXPKI 환경을 배포하는 문서이다.

본 문서는 OpenXPKI를 이용한 인증서 시스템 구축 문서의 연장선이다.


docker-compose.yml 
services:
  db:
#    restart: always
    container_name: OpenXPKI_Database
    image: mariadb:10
    command: --default-authentication-plugin=mysql_native_password
    user: mysql:mysql
    volumes:
      - openxpkidb:/var/lib/mysql
      - openxpkidbsocket:/var/run/mysqld/
      - ./openxpki-config/contrib/sql/schema-mariadb.sql:/docker-entrypoint-initdb.d/schema-mariadb.sql
    healthcheck:
      test: ["CMD-SHELL", "[ -S /var/run/mysqld/mysqld.sock ]"]
      interval: 5s
      timeout: 3s
      retries: 5
    environment:
      MYSQL_DATABASE: openxpki
      MYSQL_USER: openxpki
      MYSQL_PASSWORD: openxpki
      MYSQL_ROOT_PASSWORD: topsecret

  server:
#    restart: always
    container_name: OpenXPKI_Server
    image: whiterabbitsecurity/openxpki3
    command: /usr/bin/openxpkictl start server --nd
    user: openxpki:openxpki
    group_add:
     - openxpkiclient
    tmpfs:
      - /tmp
    volumes:
      - ./openxpki-config:/etc/openxpki
      - openxpkilog:/var/log/openxpki
      - openxpkisocket:/run/openxpkid
      - openxpkidbsocket:/var/run/mysqld/
      - openxpkidownload:/var/www/download
      # this will not work on all OS
      - "/etc/timezone:/etc/timezone:ro"
      - "/etc/localtime:/etc/localtime:ro"
    healthcheck:
      test: /usr/bin/openxpkictl status server
      interval: 5s
      timeout: 3s
      retries: 5
    depends_on:
      db:
        condition: service_healthy

  client:
#    restart: always
    container_name: OpenXPKI_Client
    image: whiterabbitsecurity/openxpki3
    command: /usr/bin/openxpkictl start client --nd
    user: openxpkiclient:openxpkiclient
    group_add:
     - www-data
    tmpfs:
      - /tmp
    volumes:
      - ./openxpki-config/client.d:/etc/openxpki/client.d
      - openxpkilogui:/var/log/openxpki-client
      - openxpkisocket:/run/openxpkid
      - openxpkiclientsocket:/run/openxpki-clientd
      - openxpkidbsocket:/var/run/mysqld/
    healthcheck:
      test: /usr/bin/openxpkictl status client
      interval: 5s
      timeout: 3s
      retries: 5
    depends_on:
      server:
        condition: service_healthy

  web: &web-apache
    container_name: OpenXPKI_WebUI
    image: whiterabbitsecurity/openxpki3
    command: /usr/bin/start-webserver apache
    ports:
      - "8080:80/tcp"
      - "8443:443/tcp"
    volumes:
      - ./openxpki-config/contrib/apache2-openxpki-site.conf:/etc/apache2/sites-enabled/openxpki.conf
      - ./openxpki-config/tls/:/etc/openxpki/tls/
      - openxpkiclientsocket:/run/openxpki-clientd
      - openxpkidownload:/var/www/download:ro
    healthcheck:
      test: wget -q http://localhost/healthcheck/ping
      interval: 5s
      timeout: 3s
      retries: 5
    depends_on:
      client:
        condition: service_healthy


volumes:
  openxpkidb:
  openxpkisocket:
  openxpkiclientsocket:
  openxpkidbsocket:
  openxpkilog:
  openxpkilogui:
  openxpkidownload:


apache2-openxpki-site.conf 
    SSLEngine On
    SSLCertificateKeyFile /etc/openxpki/tls/private/server.key # 키 파일 교체
    SSLCertificateFile /etc/openxpki/tls/endentity/xpki.kreonet.net.crt # 인증 파일 교체
    SSLCACertificateFile /etc/openxpki/tls/OpenXPKIRootCA20250724.crt # CA 파일 추가
    SSLVerifyClient require # 인증서 외 접근금지
#   SSLVerifyClient optional_no_ca # 접근 선택 가능
    SSLVerifyDepth 3 # 인증서 최대 3개 운용
    SSLOptions +StdEnvVars +ExportCertData