具有非自签名证书的 CAS gradle 覆盖

Question

我正在使用 CAS 使用 gradle 覆盖方法。我可以将它与自签名证书一起使用。但是，当我尝试使用来自 FreeIPA 证书颁发机构的证书时，我收到以下错误消息：

2018-02-03 13:39:54,298 ERROR [org.apache.catalina.core.StandardService] - <Failed to start connector [Connector[HTTP/1.1-8443]]>
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) ~[tomcat-embed-core-8.5.24.jar!/:8.5.24]

...

Caused by: java.lang.IllegalArgumentException: java.io.IOException: Alias name [null] does not identify a key entry
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116) ~[tomcat-embed-core-8.5.24.jar!/:8.5.24]

我已将 FreeIPA CA 证书添加到 /usr/java/jdk1.8.0_152/jre/lib/security/cacerts

然后，将证书放入 /etc/cas/thekeystore

Answer 1

这是解决方案：

openssl req -nodes -newkey rsa:2048 -sha256 -keyout cas.key -out cas.csr

[向证书颁发机构发送 CSR]

[下载CA证书PEM文件]

[下载CAS证书PEM文件]

cp cas.key /etc/pki/tls/private/.
cp cas.crt /etc/pki/tls/certs/.
cp freeipa_ca.crt  /etc/pki/tls/certs/.
cat cas.pem freeipa_ca.pem > cas_all.pem
openssl pkcs12 -export -inkey /etc/pki/tls/private/cas.key -in cas_all.pem  -name cas -out cas.p12
keytool -delete -alias cas -keystore /etc/cas/thekeystore
keytool -list  -keystore /etc/cas/thekeystore -v
keytool -importkeystore -srckeystore cas.p12 -srcstoretype pkcs12 -destkeystore /etc/cas/thekeystore