
Quick Start

Chris Zinda edited this page Mar 7, 2026 · 2 revisions

Quick Start Guide

1. Clone and Configure

git clone https://github.com/czinda/cert-revocation-lab.git
cd cert-revocation-lab

# Option A: SOPS encrypted secrets (recommended)
./scripts/setup-sops.sh

# Option B: Manual .env
cp .env.example .env
vi .env   # Set all CHANGEME values
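
Before starting the lab with a manually edited .env (Option B), confirm that no CHANGEME placeholder remains and that the file is not readable by other users. The check below is an added example, not part of the cert-revocation-lab repository; it assumes KEY=VALUE lines and that unset values contain the literal CHANGEME, and the key names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the lab repository.
# Assumes .env holds KEY=VALUE lines and unset placeholders contain "CHANGEME".
# Usage: check_env .env && ./start-lab.sh

# check_env FILE: prints one finding per line (key names only, never values).
# Returns 0 = clean, 1 = findings, 2 = file missing or unreadable.
check_env() {
    env_file=${1:-.env}
    [ -r "$env_file" ] || { echo "missing: $env_file"; return 2; }
    findings=0

    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld -- "$env_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "perms: $env_file is accessible to group/other (chmod 600)"
        findings=1
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;   # blank line or comment
            *=*) ;;                # KEY=VALUE, inspected below
            *) continue ;;
        esac
        key=${line%%=*}
        key=${key#export }
        value=${line#*=}
        case $value in
            *CHANGEME*) echo "placeholder: $key"; findings=1 ;;
            ''|'""'|"''") echo "empty: $key"; findings=1 ;;
        esac
    done < "$env_file"
    return "$findings"
}

# Constructed sample input (hypothetical key names) showing typical findings.
demo_check_env() {
    sample=$(mktemp) || return 2
    printf '%s\n' '# constructed sample' 'DB_PASSWORD=CHANGEME' \
        'API_TOKEN=' 'REALM=CERT-LAB.LOCAL' > "$sample"
    demo_rc=0
    check_env "$sample" || demo_rc=$?
    rm -f "$sample"
    return "$demo_rc"
}
```

The function reports key names only, so its output can go into a terminal log or CI job without exposing the secrets themselves.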

2. Start the Lab

# RSA-4096 PKI only (fastest startup)
./start-lab.sh

# All three PKI hierarchies
./start-lab.sh --all

# Specific combinations
./start-lab.sh --rsa --ecc       # RSA + ECC
./start-lab.sh --dual            # RSA + ML-DSA-87
./start-lab.sh --clean --all     # Fresh start (removes all data)

The startup sequence:

  1. Base infrastructure (PostgreSQL, Redis, Zookeeper)
  2. Kafka event bus + topic creation
  3. PKI containers (389DS + Dogtag CAs)
  4. PKI hierarchy initialization (pkispawn)
  5. FreeIPA (if available)
  6. AWX + EDA
  7. Security tools (EDR, SIEM, CT Log, Policy Engine, CDP, Chain Visualizer)
  8. Jupyter Lab
  9. Monitoring (Loki, Promtail, Prometheus, Grafana)

3. Verify Everything Works

# Check all service health
lab status

# Run the 10-tier validation
lab validate

4. Run Your First Test

# End-to-end: issue cert → trigger event → verify revocation
lab test --pki-type rsa --scenario "Certificate Private Key Compromise"

# Run all 26 security scenarios
lab test --all

5. Explore

| What | Command / URL |
|---|---|
| Trust chain visualization | http://localhost:8090 |
| Grafana dashboards | http://localhost:3000 |
| Jupyter notebooks | http://localhost:8888 |
| Issue a certificate | lab issue --cn test.cert-lab.local |
| EST enrollment | lab est-enroll --cn device.cert-lab.local |
| Policy check | lab policy-check server.cert-lab.local |
| CRL status | lab crl-list |
| Compliance scan | python scripts/compliance-scan.py --all |

7. Semaphore UI (Optional)

For web-based management, set up Ansible Semaphore:

# Configure Semaphore with all task templates
./scripts/setup-semaphore.sh

Access at http://localhost:3010 to run playbooks, check status, and manage certificates from a browser.

8. Stop the Lab

# Stop all containers (preserves data)
./stop-lab.sh

# Stop and remove all data
./stop-lab.sh --clean

# Stop specific PKI only
./stop-lab.sh --rsa
./stop-lab.sh --ecc
./stop-lab.sh --pqc
