You will need at least two certificates from your SSL provider (you already got the certificate request):
If those aren't delivered along with your certificate, you might find them on the provider's website:
Then concatenate the two:
cd /etc/httpd/ssl/
cat intermediatecert rootcert > issuer-concat-cert.crt
chmod 400 issuer-concat-cert.crt
For testing purposes, e.g. for CAS SSO, this dummy cert will do:
keytool -genkey -keyalg RSA -alias cas -keystore keystore.jks -validity 360 -keysize 2048
Note: it's worse than a cert signed by your own CA, this one is just self-self-signed (no idea how the cert can sign itself).
From the docker host, copy the real certs into the shared volume:
cd /etc/httpd/ssl/
ls -ldhF /data/tomcatprod/ssl/
mkdir /data/tomcatprod/ssl/
cp -pi private_key.pkey certificate.crt issuer-concat-cert.crt /data/tomcatprod/ssl/
chmod 700 /data/tomcatprod/ssl/
chmod 400 /data/tomcatprod/ssl/*
From the container, convert the separate Apache-style key and certificate files into a single .p12 (PKCS12) keystore:
chmod 755 /root/
#chown -R ~/apps/
cd /root/apps/ssl/
openssl pkcs12 -export -in certificate.crt -inkey private_key.pkey -out certificate.p12 -name cas -CAfile issuer-concat-cert.crt -caname root -chain
(enter the private key's passphrase, it's the same as for Apache)
(enter and confirm a storepass for the export; my advice is to use the same as the passphrase, since this also overrides the key passphrase!)
chmod 400 certificate.p12
Note: the passphrase was changed during the export: it’s now the same as the export storepass!
No need to convert from PKCS12 to JKS for CAS, which is able to read a P12 keystore too.
However, for other apps where PKCS12 is no good, here's the way to go:
#keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -srcalias cas -destkeystore certificate.jks -deststoretype jks -destalias cas
#-deststorepass
#chmod 400 certificate.jks
Now check the keystore:
keytool -v -list -keystore certificate.p12 | grep -i alias
#-storetype pkcs12
#-storepass
#keytool -v -list -keystore certificate.jks
If you get this ERROR when launching the CAS app with Java,
javax.crypto.BadPaddingException: Given final block not properly padded
==> it means the wrong key was used (or a bad passphrase)…
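The export and keystore check above, plus the key/cert mismatch behind that BadPaddingException, can be verified up front before anything is copied into the Tomcat volume. The script below is an added example, not part of the original post: it generates throwaway test material in a temp dir (the subject names, file names and the storepass `changeit` are constructed values), checks that the key belongs to the cert and that the cert chains to the issuer bundle, then runs the same `openssl pkcs12 -export` and confirms the `cas` alias is really in the .p12.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the key, cert and
# issuer chain before the PKCS12 export, then confirm the exported .p12 holds
# the alias CAS expects. Everything is generated in a temp dir, so nothing
# here touches /etc/httpd/ssl or the docker volume used in the post.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed test material: a throwaway root and a leaf cert it signs. In
# real use these are the provider's intermediate/root and your own key/cert.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out rootcert \
    -subj "/CN=Constructed Test Root" -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout private_key.pkey -out leaf.csr \
    -subj "/CN=cas.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA rootcert -CAkey ca.key -CAcreateserial \
    -out certificate.crt -days 1 >/dev/null 2>&1
cat rootcert > issuer-concat-cert.crt   # one-cert "bundle" for the test

# Check 1: the private key must belong to the certificate. A mismatch is one
# of the things that later shows up as "Given final block not properly padded".
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}
# Check 2: the leaf must verify against the concatenated issuer bundle,
# otherwise "-chain" on the export fails or yields an incomplete chain.
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Check 3: the .p12 must contain a cert bag tagged with the expected alias,
# which is what "keytool -v -list | grep -i alias" is looking for.
p12_has_alias() {
    openssl pkcs12 -in "$1" -passin pass:"$2" -nokeys 2>/dev/null \
        | grep -q "friendlyName: $3"
}
# Run a check and stop at the first failure instead of exporting bad material.
report() { if "$@"; then echo "ok:   $1"; else echo "FAIL: $1"; exit 1; fi; }

report key_matches_cert private_key.pkey certificate.crt
report chain_verifies issuer-concat-cert.crt certificate.crt
# Same export as in the post; the storepass is passed inline only because this
# is a test run with a throwaway key (constructed value, not a recommendation).
openssl pkcs12 -export -in certificate.crt -inkey private_key.pkey \
    -out certificate.p12 -name cas -CAfile issuer-concat-cert.crt \
    -caname root -chain -passout pass:changeit
chmod 400 certificate.p12
report p12_has_alias certificate.p12 changeit cas
```

Point the three check functions at your real `private_key.pkey`, `certificate.crt` and `issuer-concat-cert.crt` (dropping the generation block) to get the same pass/fail verdict on production material.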