For the latest version, please use Certificate Lifecycle Manager 6.3.0!

Supported Platforms

Deployment Options

  • Linux Package

  • Docker Compose

  • Kubernetes

Supported Operating Systems for Linux Packages

MTG provides Linux packages for the following operating systems:

  • Ubuntu 20.04

  • Ubuntu 22.04

  • Ubuntu 24.04

  • SUSE Linux 15.5

  • Red Hat Enterprise Linux (RHEL) 8.x

  • Red Hat Enterprise Linux (RHEL) 9.x

More details and installation instructions can be found here.

Docker Compose

Installations in Docker environments are supported using MTG Docker images and a custom MTG Docker Compose file. Instructions can be found here.

Kubernetes

Kubernetes (K8s) Specific Requirements

  • Kubernetes version: v1.24.0 or higher

  • Tools: helm and kubectl must be installed

  • Permissions: Sufficient privileges to deploy Helm resources on the cluster

Instructions can be found here.

Software Access and Delivery

Requirements differ depending on the chosen deployment method.

  • For Docker and Kubernetes deployments, access to the MTG Docker Registry is mandatory.

  • For Linux package-based deployments, installation packages are available via our Linux package repository or through manual downloads from the Download Center.

MTG Docker Registry Access (Docker and Kubernetes only)

  • Network access to repo.mtg.de and public image registries is required to pull container images.

  • Credentials (username/password) are required for authentication.

  • Access should be validated by successfully pulling test images, such as:

    • mtg-clm-ui:4.1.0

    • kms-ui:3.3.0

Linux Package Access

For Linux package-based deployments, installation packages can be obtained through two supported channels:

  1. MTG Linux Package Repository: Recommended for standard installations where internet access is available.

  2. MTG Download Center: Provides manual package downloads. This method is particularly useful in air-gapped or restricted environments.

Hardware Requirements (Per Server / Node)

Minimum Requirements

  • RAM: 8 GB

  • CPU Cores: 4

  • Disk: 50 GB available (SSD recommended)

  • RAM: 32 GB

  • CPU Cores: 8

  • Disk: 200 GB available (SSD recommended)

Databases

The following database servers are supported:

Database          Version
MariaDB           10.6
Postgres          16
Oracle Database   19.3

Only MariaDB Galera Clusters are currently supported for clustered database deployments. See MariaDB Galera Cluster Configuration Guide.

Hardware Security Modules

MTG ERS can integrate with various Hardware Security Modules (HSMs) for secure key management.

Supported HSMs

The following HSM systems are officially supported:

  • Securosys HSMs

  • Utimaco Security Server, CryptoServer SeGen 2, and CSe series

  • Thales Luna HSMs compatible with Luna 10.x Universal Client

  • Nitrokey HSM 2

  • nCipher nShield Connect XC2

General Requirements

  • Network access to the HSM must be available from the ERS deployment environment.

  • Connections are supported exclusively via the PKCS#11 interface.

Preliminary Setup

Before integration with ERS, the following steps must be completed on the HSM:

  • Initialization of the slot (performed by the Security Officer).

  • Creation of a crypto-user PIN.

  • Provision of the Cryptoki library (.so file) required for ERS integration.

Third Party Components

Keycloak

Keycloak is an open source software product that allows single sign-on with identity and access management aimed at modern applications and services.

Currently, only Keycloak 26.0 is supported.

General Network Requirements

To ensure proper operation of MTG ERS, all servers involved in the deployment must meet the following network requirements:

  • Inter-server connectivity: All servers must be able to communicate with each other over the relevant ports, including:

    • HTTP/HTTPS for application communication

    • Database ports for the chosen DBMS

    • HSM ports if a Hardware Security Module is used

  • DNS resolution: All servers must be able to resolve the DNS names of all nodes in the deployment, as well as their own hostname.

  • Firewall and routing: Ensure that any firewalls, security groups, or routing policies allow the above traffic during both installation and normal operation.

Optional MTG Engineer Support for Initial Setup

MTG offers an optional service where our engineers can assist with the initial deployment of MTG ERS.

Access Requirements (if support is requested)

To ensure a smooth setup, MTG engineers require temporary access to the systems being installed:

  • SSH access (preferred) to all target servers or nodes, with credentials or key-based authentication provided in advance.

  • Sufficient user privileges to perform installation and configuration tasks (e.g., root or sudo access).

  • Network access to internal services, databases, HSMs, and other infrastructure components.

  • Access to any required configuration files or secrets in advance (e.g., database credentials, PKCS#11 libraries).