Prerequisites

Hardware requirements

Standard deployments require a cluster of three nodes. Each node serves as both a controlling node and a worker node. Minimum hardware requirements for each node in the cluster are:

  • CPU: 8

  • RAM: 32 GB

  • Processor speed: 2.5 GHz+

  • Hard disk: 100 GB+

MariaDB

An open-source relational database. Download the latest version at https://mariadb.com/kb/en/what-is-mariadb-106/.

  • Version 10.6

  • If using a Galera cluster, DigiCert recommends using MaxScale to connect.

Docker

  • Docker Community Edition

  • Version 20.x

Configure HTTP proxies (optional)

Internet access is required during installation. If your servers require a proxy to reach the internet, the proxy must be configured in three different places:

URLs

You must have access to these URLs from DigiCert ONE:

  • https://storage.googleapis.com

  • https://k8s.io

  • https://Kubernetes.io

  • https://rancher.com

  • https://helm.sh

  • https://github.com

Client workstation

A client workstation is required to install, configure, and deploy applications on the target virtual machines.

We recommend using Linux, though macOS Mojave is supported.

  • Linux (CentOS Linux 7 x86_64, RHEL 8, or Ubuntu 10 recommended)

  • macOS Mojave

  • Windows (using Cygwin)

To install, configure, and deploy applications on a Kubernetes cluster, you must install three client tools on the client computer. Download the appropriate tools for the chosen client workstation platform.

Kubernetes

A command-line tool for running commands against Kubernetes clusters.

Helm

A command-line tool for installing applications in Kubernetes clusters.

Rancher Kubernetes Engine (RKE)

A command-line tool for installing Rancher Kubernetes Engine (RKE). Each version of RKE has a specific list of supported Kubernetes versions. Use the version that supports Kubernetes version <= 1.21.x.

Ports

For all DigiCert ONE configurations, you must open these ports:

  • Port 80: For HTTP (unencrypted traffic)

  • Port 443: For HTTPS (encrypted traffic)

Other ports you need to open depend on how you have configured RKE, MariaDB, and other DigiCert ONE dependencies. For more information, refer to the product documentation for these services.

DNS entries

This table describes the DNS entries you need to configure to allow access to DigiCert ONE services.

All DNS entries* should be set to be either external (if your instance of DigiCert ONE is meant to be publicly available on the internet) or internal (if you are installing DigiCert ONE in an isolated, air-gapped network).

| DNS entry | Example | Description |
|---|---|---|
| <your_domain> | one.digicert.com | Main FQDN to access your DigiCert ONE installation. |
| clientauth.<your_domain> | clientauth.one.digicert.com | FQDN for client certificate authentication. |
| crl.<your_domain> | crl.one.digicert.com | FQDN used by the DigiCert ONE certificate revocation list (CRL) service. |
| ocsp.<your_domain> | ocsp.one.digicert.com | FQDN used by the DigiCert ONE online certificate status protocol (OCSP) service. |
| cacerts.<your_domain> | cacerts.one.digicert.com | FQDN used by the DigiCert ONE Authority Information Access (AIA) service. |
| mgmt.<your_domain>* | mgmt.one.digicert.com | Optional. FQDN for RKE Manager. |
| maxscale-mgmt.<your_domain>* | maxscale-mgmt.<your_domain> | Optional. FQDN for MariaDB MaxScale GUI dashboard. |

Note

The DNS entries for mgmt.<your_domain> and maxscale-mgmt.<your_domain> should always be set to be internal.
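
The DNS requirements above can be checked before installation with a short preflight script. This is an added example, not DigiCert tooling: it reports required entries that do not resolve, service entries that mix internal and external addresses, and management entries that resolve outside internal space. The domain `pki.example.test`, the sample addresses, and the definition of "internal" as RFC 1918 or IPv6 unique-local space are assumptions.

```python
import ipaddress
import socket

# Assumption: "internal" means RFC 1918 IPv4 or IPv6 unique-local address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
SERVICE_PREFIXES = ("", "clientauth.", "crl.", "ocsp.", "cacerts.")  # required
MGMT_PREFIXES = ("mgmt.", "maxscale-mgmt.")  # optional, always internal

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def system_resolver(fqdn):
    """Resolve through the workstation's DNS; an unknown name yields []."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        return []

def audit_dns(domain, resolve=system_resolver):
    """Return a list of findings; an empty list means the entries match the table."""
    findings, internal, external = [], [], []
    for prefix in SERVICE_PREFIXES:
        fqdn = prefix + domain
        addrs = resolve(fqdn)
        if not addrs:
            findings.append(f"{fqdn}: required entry does not resolve")
        for addr in addrs:
            (internal if is_internal(addr) else external).append(fqdn)
    if internal and external:  # service entries must be all external or all internal
        findings.append(f"mixed scope: internal={sorted(set(internal))} "
                        f"external={sorted(set(external))}")
    for prefix in MGMT_PREFIXES:
        fqdn = prefix + domain
        exposed = [a for a in resolve(fqdn) if not is_internal(a)]
        if exposed:
            findings.append(f"{fqdn}: management entry resolves to non-internal {exposed}")
    return findings

# Constructed sample answers (documentation address range), not real records.
SAMPLE = {name: ["203.0.113.10"] for name in
          ("pki.example.test", "clientauth.pki.example.test",
           "ocsp.pki.example.test", "cacerts.pki.example.test")}
SAMPLE["mgmt.pki.example.test"] = ["203.0.113.11"]  # misconfigured on purpose
# crl.pki.example.test is deliberately absent from the sample.

if __name__ == "__main__":
    for finding in audit_dns("pki.example.test", lambda n: SAMPLE.get(n, [])):
        print(finding)
```

Calling `audit_dns("<your_domain>")` without a second argument uses the workstation's own resolver, so run it from the network that clients will use.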