Link Search Menu Expand Document

Certdog RedHat Installation


  • A RedHat 8 installation. Note that other versions may work but this version is confirmed

  • Java 8 or above

  • An account with sudo/root permissions

  • The ability to install mongodb community edition

It is recommended that a separate, dedicated user be created which will run the certdog application, although it can be run under an existing account

Install Mongo DB

Follow the instructions to download and install Mongo DB Community Edition e.g.

At the time of writing, the following was performed:

Create a new yum repo file for mongodb e.g.:

sudo vi /etc/yum.repos.d/mongodb-org-6.0.repo

Populate this file with the following and then save:

name=MongoDB Repository

Then run:

sudo yum install -y mongodb-org

And start the database with the following command:

sudo systemctl start mongod

Confirm mongo DB is running by typing:


and ensure you connect and get the mongo db prompt. Type exit, to exit the prompt

Note, by default the mongo configuration is here:


and mongo database files here:


Get Certdog

See here for the download locations


From the location where you wish to locate certdog, extract the installation e.g.

sudo tar xvfz ./certdog.tar.gz

This will extract all files into ./certdog

Navigate to:


and run:


The configuration will start and will take a few seconds to complete:

Configuring Certdog...please wait...

Configuration is complete

If you see any errors or things do not seem to be working, first examine the install log:


Other logs, including the application (certdog.log) and startup/shutdown logs are stored here:


Certdog will be available on on port 1443 e.g.:

CRLs and OCSP services will be available on port 1480

Follow the steps below to configure the firewall to forward the standard ports of 443 and 80 to these internal ports

Note that until you configure a trusted SSL certificate you will be presented with browser warnings when navigating to this address. See the Final Configuration section below to configure a trusted SSL certificate

Port Forwarding

If using the firewall, running the following commands will forward port 443 to the internal port 1443 and port 80 to the internal port 1480

firewall-cmd --add-forward-port=port=443:proto=tcp:toport=1443
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=1480
firewall-cmd --runtime-to-permanent

Note that this port forwarding may not work from the local machine but should be available when calling this machine using its IP address/FQDN

Final Configuration

Now follow the guide here to configure an SSL certificate

Post Install

Open a browser on the server and navigate to:

Login with the initial username and password as displayed at the end of the installer. These are temporary credentials - as soon as you first login with these details you will be forced to set a new password

Follow the guide here to configure an SSL certificate


In this folder:


There are two scripts:


You may examine these scripts, or configure such that the application starts on boot following standard processes for your OS

To start and stop the mongo database you may use the following commands:

sudo systemctl start mongod
sudo systemctl stop mongod

Troubleshooting and Known Issues

CRL Locations

When creating a new CA and setting Generate CRLs you may get the error: The CRL filename must be a complete path. The path in the filename specified: [path to CRL file] does not exist

This is because the path is not reported consistently. The correct path should be:

[installation directory]/tomcat/crlwebapps/certdog#crl/[CRL Name].crl



But may be displayed as something like the following:


Just update the to the correct path manually


When creating a new CA , if the Create OCSP Server option was selected but no certificate has been issued to the OCSP server, check the logs

If a Connection refused error such as the following is seen:

Unable to renew OCSP signing certificate for OCSP Server: OCSPServer-test-64143f37f95e3d1466af2316-6735. Error: I/O error on POST request for "": Connect to [/] failed: Connection refused (Connection refused); nested exception is org.apache.http.conn.HttpHostConnectException: Connect to [/] failed: Connection refused (Connection refused)

This is because the server assumes the API will be listening on port 443. On RedHat the default internal port will be 1443

To correct, from OCSP Servers, edit the OCSP configuration of the OCSP server in question and alter the URL so that the 1443 port is specified e.g. change from:


Monitor the logs and OCSP server configuration and confirm that a certificate is then generated

Other Troubleshooting

Examine the log files as mentioned above to see if anything obvious appears

Attempt to stop and start certdog using the ./ and scripts

Try restarting the database then restarting certdog

Full Certdog Documentation can be found here: