Installation

sslbrain is installed using a personalized docker-compose.yml delivered from your sslbrain Cloud account. The file contains a one-time installation token and is bound to your account. We do not publish a generic installer script or a public download link.

Quick start

  1. Sign up or log in to your account on sslbrain Cloud.
  2. Download the personalized docker-compose.yml from the account dashboard.
  3. Place the file on your Docker host and start the service with your usual Docker compose tooling.

First boot activates the account, validates the installation token, and pulls the signed components. Once the account dashboard shows status "active", you can open the web interface in your browser.

Note: If port 443 is already in use on the host, change the port mapping in the personalized docker-compose.yml (e.g. 8443:443). The container internally exposes port 443.


What the installation token is, and is not

The installation token is a one-time bootstrap. It binds the appliance to your account on first boot and is never used again. That means:

  • The token contains no customer data, no private keys, and no long-lived secret.
  • Once activation completes, the token is replaced with ongoing key-based authentication against sslbrain Cloud.
  • If the token is compromised before first use, you can re-issue a new one from the account and let the old one expire.

System requirements

Minimum

CPU     2 vCPU
RAM     2 GB
Disk    5 GB SSD
OS      Linux, Windows, macOS
Docker  Engine 24+

Any operating system that runs Docker is supported.

Recommended

CPU           4 vCPU
RAM           4 GB
Disk          20 GB SSD
Architecture  x86_64 / ARM64

sslbrain runs on anything from a small VM to a dedicated server. CPU is rarely the bottleneck. Certificate operations are I/O-bound, not CPU-intensive. Allocate extra RAM rather than more CPU cores.


Network

The service needs outbound HTTPS to sslbrain endpoints and to your own servers for deployment. No inbound ports from the internet are required.

Direction  Destination             Port       Purpose
Inbound    Admin browsers (local)  443        Web UI + agent communication
Outbound   cloud.sslbrain.com      443        License, vault, signed component distribution
Outbound   acme.sslbrain.com       443        Certificate issuance
Outbound   Your servers (local)    22 / 5985  SSH / WinRM

Firewall tip: cloud.sslbrain.com and acme.sslbrain.com share fixed IP addresses for firewall whitelisting.


Data volume

sslbrain stores all persistent data in /data inside the container. The personalized docker-compose.yml maps /data to a named Docker volume.

Directory       Contents
/data/db/       SQLite database (configuration, certificates, server registrations)
/data/vault/    Encrypted private keys and credentials
/data/agents/   Agent configuration and connection status
/data/backups/  Automatic daily backups (database + vault)
/data/license/  License and account binding

Backup: Back up the entire /data volume. The account binding lives in the data directory, so you can relocate the appliance by restoring the volume on a new host.


Subsequent boots and restarts

After initial activation, the service unlocks against sslbrain Cloud automatically on every restart. You do not need to enter the token again. If the volume gets out of sync (for example if you re-create the container without restoring the volume), you can request a new installation token from your account.


Troubleshooting

Account not activated after first boot

If the account dashboard still shows "pending activation" after first boot, check in this order:

  1. The container must be able to reach cloud.sslbrain.com:443 outbound.
  2. The host clock must be correct. With significant skew, the token is rejected as expired.
  3. The token is a one-time bootstrap. It must not have been used before. Re-issue from the account if in doubt.
  4. The container log contains a specific error code. Contact support with that code if the issue does not resolve itself.

Port conflict

If port 443 is taken on the host, change the port mapping in the personalized docker-compose.yml from "443:443" to e.g. "8443:443" and start the service again.
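
A preflight sketch for the first two troubleshooting checks and the port conflict above. This is an added example, not sslbrain tooling. The host names and port come from the Network table. The 300-second skew limit and the use of the endpoint's HTTP Date header as a time reference are assumptions, because the page gives no threshold and does not describe the endpoint's responses.

```python
import socket
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hosts and port taken from the Network table on this page.
ENDPOINTS = [("cloud.sslbrain.com", 443), ("acme.sslbrain.com", 443)]
# Assumption: the page gives no number for "significant skew"; 300 s is a placeholder.
MAX_SKEW_SECONDS = 300


def can_connect(host, port, timeout=5.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def skew_seconds(date_header, local_now=None):
    """Local clock minus remote clock, in seconds, from an HTTP Date header."""
    remote = parsedate_to_datetime(date_header)
    local_now = local_now or datetime.now(timezone.utc)
    return (local_now - remote).total_seconds()


def remote_date(host, timeout=5.0):
    """Fetch the Date header; assumes the endpoint answers a plain HTTPS HEAD."""
    try:
        with urlopen(Request(f"https://{host}/", method="HEAD"), timeout=timeout) as r:
            return r.headers["Date"]
    except HTTPError as err:  # an error status still carries a Date header
        return err.headers["Date"]


def preflight(host_port=443):
    """Run the checks in the order of the troubleshooting list; return a dict."""
    report = {f"outbound {h}:{p}": can_connect(h, p) for h, p in ENDPOINTS}
    report[f"host port {host_port} free"] = not can_connect("127.0.0.1", host_port, 1.0)
    try:
        skew = skew_seconds(remote_date(ENDPOINTS[0][0]))
        report["clock skew within limit"] = abs(skew) <= MAX_SKEW_SECONDS
    except (OSError, TypeError, ValueError):
        report["clock skew within limit"] = None  # could not measure
    return report


if __name__ == "__main__":
    for check, ok in preflight().items():
        print(f"{check}: {ok}")
```

Run it on the Docker host before first boot. Once the service is running, the mapped host port is occupied by the appliance itself, so that check reports the port as not free.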