Home / Build / Build your Issuer
Steps to Build your Issuer
This section includes a thorough description of the steps to build your own Issuer.
1. Python
The Issuer was tested with
- Python v. 3.9.2
and should only be used with Python 3.9 or 3.10.
If you don't have it installed, download it from here and follow the Python Developer's Guide.
2. Flask
The Issuer was tested with
- Flask v. 2.3
and should only be used with Flask v. 2.3 or higher.
To install Flask, follow the Installation Guide.
3. Run your Issuer
To run the Issuer, follow these simple steps (some of which may have already been completed when installing Flask) for Linux/macOS or Windows.
-
Clone the Issuer repository:
git clone git@github.com:eu-digital-identity-wallet/eudi-srv-web-issuing-eudiw-py.git -
Create a
.venvfolder within the cloned repository:cd eudi-srv-web-issuing-eudiw-py python3 -m venv .venv -
Activate the environment:
Linux/macOS
. .venv/bin/activateWindows
. .venv\Scripts\Activate -
Install or upgrade pip
python -m pip install --upgrade pip -
Install Flask, gunicorn and other dependencies in virtual environment
pip install -r app/requirements.txt -
Setup secrets
-
Copy
app/app_config/__config_secrets.pytoapp/app_config/config_secrets.pyand modify secrets. -
Service Configuration
-
Configure the service according to documentation
-
Run the Issuer
In the root directory of the clone repository, insert one of the following command lines to run the Issuer.
- Linux/macOS/Windows (on
http://127.0.0.1:5000orhttp://localhost:5000)
flask --app app run- Linux/macOS/Windows (on
http://127.0.0.1:5000orhttp://localhost:5000with flag debug)
flask --app app run --debug - Linux/macOS/Windows (on
4. Run your local Issuer over HTTPS
- Generate a self signed certificate and a private key
-
Linux/macOS
Example:
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -extensions EXT -config <( \ printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=IP.1:127.0.0.1\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")-
Windows
Create the file localhost.conf using the following as an example:
[req] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext x509_extensions = v3_req prompt = no [req_distinguished_name] countryName = XX stateOrProvinceName = N/A localityName = N/A organizationName = Self-signed certificate commonName = 120.0.0.1: Self-signed certificate [req_ext] subjectAltName = @alt_names [v3_req] subjectAltName = @alt_names [alt_names] IP.1 = 127.0.0.1Use the configuration file above to generate the certificate and key
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout key.pem -out cert.pem -config localhost.conf
-
-
Add certificate to environment variables
-
Linux/macOS
export REQUESTS_CA_BUNDLE="/path/to/certificate" -
Windows
set REQUESTS_CA_BUNDLE="\path\to\certificate" -
Run the Issuer with certificate and key
flask --app app run --cert=cert.pem --key=key.pem
5. Make your local Issuer available on the Internet (optional)
If you want to make your local Issuer available on the Internet, we recommend to use NGINX reverse proxy and certbot (to generate an HTTPS certificate).
5.1 Install and configure NGINX
-
Follow the installation guide
-
Configure your local Issuer. For example, use the following Nginx configuration file (for a Linux installation):
server { server_name FQDN; # Change to the FQDN you want to use listen 80; access_log /var/log/nginx/issuer.eudiw.access.log; error_log /var/log/nginx/issuer.eudiw.error.log; root /var/www/html; # Recommended proxy_busy_buffers_size 512k; proxy_buffers 4 512k; proxy_buffer_size 256k; # Provider backend location / { # The proxy_pass directive assumes that your local Issuer is running at http://127.0.0.1:5000/. # If not, adjust it accordingly. proxy_pass http://127.0.0.1:5000/; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } -
Restart the Nginx server
5.2 Install and run certbot to get a free HTTPS certificate
-
Follow the installation guide
-
Run
certbotto get a free HTTPS certificate. Thecertbotwill also configure the Issuer Nginx configuration file with the HTTPS certificate -
Restart the Nginx server and goto
https:\\FQDN\(FQDN configured in the Nginx configuration file)
6. Docker
To run the Issuer in Docker, follow these steps:
-
Install Docker following the official instructions for your operating system
-
Download the Dockerfile
-
Build the Docker:
sudo docker build -t eudiw-issuer . -
Create 2 directories to be mounted:
-
First directory named
config_secretsThis directory will have the cert.pem and key.pem generated in Section 4 above
As well as the config_secrets.py based on this example
-
Second directory named
pid-issuer, inside will be a directorycertandprivKeyThe
certdirectory has the certificates of the trusted CAs in PEM format as well as the Document/Credential signer (DS) certificates in DER formatThe
privKeydirectory has the Document/Credential signer (DS) private keysExample:
docker-issuer ├── Dockerfile ├── config_secrets │ ├── config_secrets.py │ ├── cert.pem │ └── key.pem └── pid-issuer ├── cert │ ├── PID-DS-0001_UT_cert.der │ └── PIDIssuerCAUT01.pem └── privKey └── PID-DS-0001_UT.pem
-
-
Run Docker
If running a basic configuration without EIDAS node or Dynamic presentation, their respective variables can be removed from the run command below.
sudo docker run -d \ --name eudiw-issuer \ -e SERVICE_URL="https://your.service.url/" \ -e EIDAS_NODE_URL="https://your.eidas.node.url/" \ -e DYNAMIC_PRESENTATION_URL="https://your.dynamic.presentation.url/" \ -v ./config_secrets:/root/secrets \ -v ./pid-issuer:/etc/eudiw/pid-issuer \ -p 5000:5000 \ eudiw-issuer -
Docker logs
Issuer logs in real time:
sudo docker logs -f eudiw-issuerAll logs:sudo docker logs eudiw-issuer -
Stop Docker Issuer
sudo docker stop eudiw-issuer