This doesn't really answer your question (I don't know the answer), but
can't you just start CAS and let it generate the keys (they end up in
/etc/cas/saml), then stop CAS and copy the keys somewhere for
safekeeping/redistribution?

For our installation with multiple CAS servers behind a load balancer
that's what I did, and copied the keys into the Maven overlay's
etc/cas/saml directory. Then when I install everything, I end up with the
same keys (and metadata) on all the servers. And we've uploaded them to a
SAML SP here and there, as well. Seems to work fine, so far.

Or do you need to use keys generated/signed by your CA or something?

--Dave



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu
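As an added example (not from either poster), a POSIX shell helper for the question quoted below: it generates idp-signing.key/idp-signing.crt with OpenSSL in the PKCS#1 "RSA PRIVATE KEY" PEM form that BouncyCastle's PEMParser hands back as a PEMKeyPair, and classifies a key file so a PKCS#8 "PRIVATE KEY" file (what OpenSSL 3 writes by default) is caught before it lands in /etc/cas/saml. The `-traditional` flag, the 3072-bit size, the subject name and the function names are assumptions, not CAS conventions.

```shell
#!/bin/sh
# Added example, not from the thread. BouncyCastle's PEMParser returns a
# PEMKeyPair only for the "traditional" PKCS#1 block (-----BEGIN RSA PRIVATE
# KEY-----); a PKCS#8 block (-----BEGIN PRIVATE KEY-----), the OpenSSL 3
# default, comes back as PrivateKeyInfo and does not match the PEMKeyPair
# that the CAS PrivateKeyFactoryBean linked in the thread expects.
set -e

# pem_key_kind FILE -> keypair | pkcs8 | encrypted | unknown
pem_key_kind() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted; return; fi
    hdr=$(sed -n '/^-----BEGIN /{p;q;}' "$1")
    case "$hdr" in
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----') echo keypair ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# make_stub_pem FILE LABEL: header-only stub (constructed, not real key
# material) so the classifier can be exercised without running openssl.
make_stub_pem() {
    printf '%s\n' "-----BEGIN $2-----" AAAA "-----END $2-----" > "$1"
}

# gen_saml_signing_keys DIR: write idp-signing.key / idp-signing.crt in PKCS#1
# form. -traditional is the OpenSSL 3 flag (assumption); OpenSSL 1.x genrsa
# already writes PKCS#1, so the fallback covers it. Size/subject are assumed.
gen_saml_signing_keys() {
    dir="$1"; mkdir -p "$dir"
    openssl genrsa -traditional -out "$dir/idp-signing.key" 3072 2>/dev/null \
        || openssl genrsa -out "$dir/idp-signing.key" 3072
    openssl req -new -x509 -key "$dir/idp-signing.key" -days 3650 \
        -subj '/CN=cas-idp-signing' -out "$dir/idp-signing.crt"
    check_saml_signing_keys "$dir"
}

# check_saml_signing_keys DIR: refuse a key CAS cannot load, and confirm the
# certificate you hand to SPs really belongs to that key.
check_saml_signing_keys() {
    kind=$(pem_key_kind "$1/idp-signing.key")
    [ "$kind" = keypair ] || { echo "idp-signing.key is $kind, not PKCS#1" >&2; return 1; }
    a=$(openssl pkey -in "$1/idp-signing.key" -pubout 2>/dev/null)
    b=$(openssl x509 -in "$1/idp-signing.crt" -pubkey -noout)
    [ "$a" = "$b" ] || { echo "idp-signing.crt does not match the key" >&2; return 1; }
}

# Run directly:  sh thisfile.sh generate /etc/cas/saml
if [ "${1:-}" = generate ]; then gen_saml_signing_keys "${2:-./saml-keys}"; fi
```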


On Tue, Dec 4, 2018 at 11:59 AM Curtis Ruck <curtis.r...@gmail.com> wrote:

> Does anyone know how to generate the idp-signing.key/crt with openssl?  It
> seems CAS is hardcoded to expect a PEMKeyPair
> <https://github.com/apereo/cas/blob/5.3.x/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/crypto/PrivateKeyFactoryBean.java#L57>
>  object
> coming out of PEMParser, but I can't figure out how to use OpenSSL to
> generate an appropriate key file.
>
> Yes, CAS generates it fine, using bouncycastle, but I have to generate
> these keys/certificates outside of CAS so I can distribute the trust to the
> various SAML 2.0 applications.
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAO%2BJtqRL2x6yLSy0Y3RDdYY%2BhLURhs%2BanP_yRry%3DEpVZg%40mail.gmail.com.
