So while I was eating lunch I did a bit of fiddling around...
It looks like you can do:
openssl genrsa -des3 -out tmp.key 2048
When it prompts for a password, enter "xxxx" (or whatever, just remember
it). This gives you an encrypted key file. Then run:
openssl rsa -in tmp.key -out server-signing.key
and enter the password again. This gives you an unencrypted key. Then you
can run:
openssl req -key server-signing.key -new -x509 -days 3650 -subj /CN=server.domain.com -out server-signing.crt
And you'll get a certificate that seems to resemble what CAS creates.
I haven't tried actually feeding these to CAS to see if it likes them, but
looking at them with openssl, they seem to have the same properties, except
that the one I generated as above has this X509v3 Extension:
X509v3 Basic Constraints:
CA:TRUE
that the CAS-generated one doesn't have. You can make that go away with an
OpenSSL config file, but the syntax of those things is (apparently) beyond
me. Left as an exercise to the reader. :-)
--Dave
--
DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]
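The genrsa / rsa / req sequence above, put together as an added example (this is not Dave's script nor anything from the CAS project): a POSIX shell script that runs the three steps unattended, supplies the OpenSSL config file that Dave leaves as an exercise so the self-signed certificate gets CA:FALSE instead of CA:TRUE, and then checks the result. It also covers the point raised further down the thread: the "openssl rsa" step is what yields the PKCS#1 "BEGIN RSA PRIVATE KEY" PEM that BouncyCastle's PEMParser returns as a PEMKeyPair, but on OpenSSL 3.x that step writes PKCS#8 unless you pass -traditional, so the script adds that flag only when the installed build knows it. The directory, the idp-signing.key / idp-signing.crt file names, the CN idp.example.org and the passphrase xxxx are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a CAS idp-signing key pair
# with OpenSSL so that (a) the private key is PKCS#1 ("BEGIN RSA PRIVATE KEY",
# the form BouncyCastle's PEMParser returns as a PEMKeyPair) and (b) the
# self-signed certificate carries CA:FALSE rather than the CA:TRUE that the
# system openssl.cnf v3_ca section adds. Directory, file names, CN and
# passphrase are illustrative assumptions.
set -eu

# OpenSSL 3.x writes PKCS#8 by default and needs -traditional for PKCS#1;
# OpenSSL 1.1.x writes PKCS#1 by default and has no such flag. Emit the flag
# only when this build advertises it in its help text.
pkcs1_flag() {
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        printf '%s' '-traditional'
    fi
}

# Usage: gen_signing_material DIR CN PASSPHRASE
gen_signing_material() {
    dir=$1 cn=$2 pass=$3

    # Step 1: passphrase-protected key (the post's "genrsa -des3"; AES-256 and
    # a non-interactive -passout here so the script runs unattended).
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/tmp.key" 2048 2>/dev/null

    # Step 2: strip the passphrase. This is also the step that turns PKCS#8
    # into PKCS#1, which is what the PEMParser needs.
    openssl rsa -in "$dir/tmp.key" -passin "pass:$pass" $(pkcs1_flag) \
        -out "$dir/idp-signing.key" 2>/dev/null
    rm -f "$dir/tmp.key"

    # Step 3: the OpenSSL config file. Passing it with -config replaces the
    # system openssl.cnf entirely, so its v3_ca section (the source of
    # CA:TRUE) is never consulted; our own extension section is used instead.
    cat > "$dir/idp-signing.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_signing

[dn]
CN = $cn

[v3_signing]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature
subjectKeyIdentifier = hash
EOF

    openssl req -new -x509 -sha256 -days 3650 -key "$dir/idp-signing.key" \
        -config "$dir/idp-signing.cnf" -out "$dir/idp-signing.crt" 2>/dev/null
}

# Checks; each returns 0 on success so they can be used from scripts or tests.

# PKCS#1 PEM starts with "RSA PRIVATE KEY"; PKCS#8 would read "PRIVATE KEY".
is_pkcs1_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}

# The certificate must not claim to be a CA.
is_non_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'
}

# The certificate's RSA modulus must equal the private key's modulus.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run directly as (file name assumed): sh gen-idp-signing.sh ./out idp.example.org xxxx
if [ $# -eq 3 ]; then
    mkdir -p "$1"
    gen_signing_material "$1" "$2" "$3"
    is_pkcs1_key "$1/idp-signing.key"   || { echo "key is not PKCS#1" >&2; exit 1; }
    is_non_ca_cert "$1/idp-signing.crt" || { echo "cert still has CA:TRUE" >&2; exit 1; }
    key_matches_cert "$1/idp-signing.key" "$1/idp-signing.crt" \
        || { echo "key/cert modulus mismatch" >&2; exit 1; }
    echo "ok: $1/idp-signing.key (PKCS#1) and $1/idp-signing.crt (CA:FALSE)"
fi
```

The checks are worth keeping around: "head -n 1" on the key tells you immediately whether CAS will see a PEMKeyPair, and "openssl x509 -text" is where the CA:TRUE/CA:FALSE difference shows up. Delete or lock down the passphrase-less idp-signing.key once CAS has it; the encrypted tmp.key is removed by the script because the plaintext copy exists anyway.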
On Tue, Dec 4, 2018 at 12:55 PM Curtis Ruck <[email protected]> wrote:
> This works though: openssl rsa -in test2.pem -out test3.pem
>
> It properly converts from PKCS#8 into PKCS#1, which then triggers BC to
> return a PEMKeyPair object.
>
>
> On Tuesday, December 4, 2018 at 12:16:43 PM UTC-5, rbon wrote:
>>
>> Curtis,
>>
>> Will this work:
>> https://stackoverflow.com/questions/991758/how-to-get-pem-file-from-key-and-crt-files
>>
>> Ray
>>
>> On Tue, 2018-12-04 at 08:59 -0800, Curtis Ruck wrote:
>>
>> Does anyone know how to generate the idp-signing.key/crt with openssl?
>> It seems CAS is hardcoded to expect a PEMKeyPair
>> <https://github.com/apereo/cas/blob/5.3.x/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/crypto/PrivateKeyFactoryBean.java#L57>
>> object
>> coming out of PEMParser, but I can't figure out how to use OpenSSL to
>> generate an appropriate key file.
>>
>> Yes, CAS generates it fine, using bouncycastle, but I have to generate
>> these keys/certificates outside of CAS so I can distribute the trust to the
>> various SAML 2.0 applications.
>>
>> --
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | [email protected]
>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAMAQMDK5vjTrbv5-vgiAVGWofTyjQGa2YQujq3uiiT6wg%40mail.gmail.com.