Siqn
Back to documentation

Running the Services

This guide provides instructions for running the Quantum-Safe PKI services. Before proceeding, ensure that you have completed the building and configuration steps.

Service Dependencies

The Quantum-Safe PKI services have dependencies on each other. It's important to start them in the correct order:

  1. CA Service: This is the core service and should be started first.
  2. Transparency Log: This service depends on the CA Service for CRL checks.
  3. ACME Server: This service depends on the CA Service for certificate issuance.
  4. Signing Service: This service depends on the CA Service for CRL checks.
  5. Device Service: This service depends on the CA Service for certificate issuance.

Starting the Services

You can start each service individually using the binaries in the bin/ directory:

Starting the CA Service

# Start the CA Service ./bin/ca-service # Or with specific configuration ./bin/ca-service --config ca-config.json

The CA Service will generate a self-signed root certificate and EdDilithium2 signing key on first startup if they don't already exist in the KEY_DIR directory.

Starting the Transparency Log

# Start the Transparency Log ./bin/transparency-log # Or with specific configuration ./bin/transparency-log --config ct-config.json

The Transparency Log will initialize an empty log file if one doesn't already exist at the path specified by LOG_FILE.

Starting the ACME Server

# Start the ACME Server ./bin/acme-server # Or with specific configuration ./bin/acme-server --config acme-config.json

The ACME Server requires a PostgreSQL database to be set up and configured via the DATABASE_URL environment variable or configuration file.

Starting the Signing Service

# Start the Signing Service ./bin/signing-service # Or with specific configuration ./bin/signing-service --config signing-config.json

The Signing Service will initialize an SQLite database if one doesn't already exist at the path specified by DB_DSN.

Starting the Device Service

# Start the Device Service ./bin/device-service # Or with specific configuration ./bin/device-service --config device-config.json

The Device Service will initialize an SQLite database if one doesn't already exist at the path specified by DEVICE_DB.

Running with Docker

If you've built the Docker images as described in the Building the Services guide, you can run the services using Docker:

# Run CA Service docker run -p 5000:5000 -v $(pwd)/keys:/app/keys quantum-safe-pki/ca-service # Run ACME Server docker run -p 4000:4000 -v $(pwd)/keys:/app/keys -e DATABASE_URL=postgres://user:password@host.docker.internal:5432/acme_server quantum-safe-pki/acme-server # Run Transparency Log docker run -p 6000:6000 -v $(pwd)/keys:/app/keys -v $(pwd)/ct-log.dat:/app/ct-log.dat quantum-safe-pki/transparency-log # Run Signing Service docker run -p 7000:7000 -v $(pwd)/keys:/app/keys -v $(pwd)/signing.db:/app/signing.db quantum-safe-pki/signing-service # Run Device Service docker run -p 8000:8000 -v $(pwd)/keys:/app/keys -v $(pwd)/devices.db:/app/devices.db quantum-safe-pki/device-service

Using Docker Compose

For convenience, the project includes a docker-compose.yml file that can be used to start all services at once:

# Start all services docker-compose up # Start a specific service docker-compose up ca-service

The docker-compose.yml file includes configuration for all services, including a PostgreSQL database for the ACME Server.

Verifying Service Health

Each service provides health check endpoints that can be used to verify that the service is running correctly:

# Check CA Service health curl -k https://localhost:5000/healthz # Check ACME Server health curl -k https://localhost:4000/healthz # Check Transparency Log health curl -k https://localhost:6000/healthz # Check Signing Service health curl -k https://localhost:7000/healthz # Check Device Service health curl -k https://localhost:8000/healthz

The -k flag is used to skip certificate verification, as the services use self-signed certificates by default.

Running in Production

For production deployments, consider the following recommendations:

  • Use PKCS#11 HSMs: Configure the CA Service and Signing Service to use PKCS#11 hardware security modules for key storage.
  • Set up TLS properly: Use proper TLS certificates from a trusted CA for the services.
  • Configure firewalls: Restrict access to the services using firewalls and network policies.
  • Set up monitoring: Use the /metrics endpoints to monitor the services with Prometheus.
  • Use a reverse proxy: Set up a reverse proxy like Nginx or Traefik in front of the services.
  • Regular backups: Set up regular backups of the databases and key files.

Using the CLI

The CLI tool can be used to interact with the Signing Service. Here are some examples:

# Create a new account ./bin/cli account create --url https://localhost:7000 # Sign a file ./bin/cli sign --api-key your-api-key --file path/to/file.bin --url https://localhost:7000 # Sign a file with SBOM ./bin/cli sign --api-key your-api-key --file path/to/file.bin --sbom path/to/sbom.json --url https://localhost:7000 # Verify a signature ./bin/cli verify --file path/to/file.bin --signature path/to/signature.bin --url https://localhost:7000

Troubleshooting

If you encounter issues while running the services, here are some troubleshooting tips:

  • Check logs: Each service outputs logs to stdout/stderr. Increase the log level by setting LOG_LEVEL=debug for more detailed logs.
  • Check health endpoints: Use the /healthz and /readyz endpoints to check service health.
  • Check connectivity: Ensure that the services can communicate with each other and with the databases.
  • Check certificates: Ensure that the certificates are valid and trusted by the clients.
  • Check permissions: Ensure that the services have the necessary permissions to read and write files and access the databases.

Common Issues

IssuePossible CauseSolution
CA Service fails to startMissing or invalid key filesCheck that the KEY_DIR directory exists and has the correct permissions
ACME Server fails to connect to databaseIncorrect database URL or missing databaseCheck the DATABASE_URL environment variable and ensure the database exists
Services fail to communicateTLS certificate issues or network connectivityCheck that the services can reach each other and that the TLS certificates are valid
CLI fails to connect to Signing ServiceIncorrect URL or API keyCheck the URL and API key used by the CLI and ensure the Signing Service is running

Next Steps

Now that you have the services running, you can proceed to:

  • API Endpoints: Learn about the API endpoints provided by each service.
  • Authentication: Learn about the authentication mechanisms used by the services.
  • Revocation: Learn about certificate revocation and CRL management.