Dave, keys generated/signed by CA, plus we need a 100% automated solution. We don't just have 1 CAS server, we have 1,000 or so, and they each need unique keys. Our CAS use case is unique, in that we essentially run CAS w/ applications at the edge of the network, with extremely poor communications back up to a centralized enterprise; so we have to automate as much as possible.
Ideally, I'd just submit a couple of PRs to make the PrivateKeyFactoryBean handle multiple outputs from the PEMParser, but I'm working against a tight schedule, and can't wait for a CAS release at the moment.

On Tuesday, December 4, 2018 at 12:12:29 PM UTC-5, David Curry wrote:
> This doesn't really answer your question (I don't know the answer), but
> can't you just start CAS and let it generate the keys (they end up in
> /etc/cas/saml), then stop CAS and copy the keys somewhere for
> safekeeping/redistribution?
>
> For our installation with multiple CAS servers behind a load balancer
> that's what I did, and copied the keys into the Maven overlay's
> etc/cas/saml directory. Then when I install everything, I end up with the
> same keys (and metadata) on all the servers. And we've uploaded them to a
> SAML SP here and there, as well. Seems to work fine, so far.
>
> Or do you need to use keys generated/signed by your CA or something?
>
> --Dave
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david...@newschool.edu
>
> On Tue, Dec 4, 2018 at 11:59 AM Curtis Ruck <curti...@gmail.com> wrote:
>> Does anyone know how to generate the idp-signing.key/crt with openssl?
>> It seems CAS is hardcoded to expect a PEMKeyPair
>> <https://github.com/apereo/cas/blob/5.3.x/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/crypto/PrivateKeyFactoryBean.java#L57>
>> object coming out of PEMParser, but I can't figure out how to use OpenSSL to
>> generate an appropriate key file.
>>
>> Yes, CAS generates it fine, using bouncycastle, but I have to generate
>> these keys/certificates outside of CAS so I can distribute the trust to the
>> various SAML 2.0 applications.
>>
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/36a4ed0f-a015-4438-a9a1-501f9fd5eaec%40apereo.org

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c426ef78-6b75-43d4-9c77-4fe4701e1466%40apereo.org.
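The format problem behind Curtis's question is that BouncyCastle's PEMParser returns a PEMKeyPair only for a key in the traditional PKCS#1 encoding (`-----BEGIN RSA PRIVATE KEY-----`), while a PKCS#8 key (`-----BEGIN PRIVATE KEY-----`) comes back as a PrivateKeyInfo, which is not what the PrivateKeyFactoryBean linked above expects. The following is an added example, not code from CAS, BouncyCastle or anyone in the thread: it classifies a PEM file by inspecting its DER body rather than trusting the header, so a key that was mislabelled on the way to `/etc/cas/saml` is caught before CAS fails to start. The sample keys it builds use constructed textbook-sized numbers and are not real keys; the function names are hypothetical.

```python
"""Classify a PEM private key the way BouncyCastle's PEMParser will see it.

Added, hypothetical check (not CAS or BouncyCastle code). The DER structures
built below use constructed toy numbers and are NOT usable keys.
"""
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID rsaEncryption 1.2.840.113549.1.1.1


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    # Non-negative INTEGER; the extra leading zero byte keeps the sign bit clear.
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: PKCS#1 RSAPrivateKey (version, n, e, d, p, q, dP, dQ, qInv) with toy values.
_TOY_RSA = _der(0x30, b"".join(_der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
# The same structure wrapped as PKCS#8 PrivateKeyInfo: version, AlgorithmIdentifier, OCTET STRING.
_TOY_PKCS8 = _der(0x30, _der_int(0) + _der(0x30, RSA_OID + b"\x05\x00") + _der(0x04, _TOY_RSA))

SAMPLE_PKCS1_PEM = _pem("RSA PRIVATE KEY", _TOY_RSA)          # traditional form -> PEMKeyPair
SAMPLE_PKCS8_PEM = _pem("PRIVATE KEY", _TOY_PKCS8)            # PKCS#8 form -> PrivateKeyInfo
SAMPLE_MISLABELED_PEM = _pem("RSA PRIVATE KEY", _TOY_PKCS8)   # PKCS#1 header around a PKCS#8 body

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_read(buf):
    """Return (tag, body, remainder) for the first TLV element in buf."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, off = first, 2
    else:
        n = first & 0x7F
        length, off = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[off:off + length], buf[off + length:]


def classify_der(data):
    """'PKCS1' for an RSAPrivateKey, 'PKCS8' for a PrivateKeyInfo, else 'unknown'.

    Both start SEQUENCE { INTEGER version, ... }; PKCS#8 then carries an
    AlgorithmIdentifier SEQUENCE whose first child is an OID, PKCS#1 carries
    the INTEGER modulus n.
    """
    try:
        tag, body, rest = _der_read(data)
        if tag != 0x30 or rest:
            return "unknown"
        t, version, body = _der_read(body)
        if t != 0x02 or version not in (b"\x00", b"\x01"):
            return "unknown"
        t, second, _ = _der_read(body)
    except IndexError:
        return "unknown"
    if t == 0x30 and second[:1] == b"\x06":
        return "PKCS8"
    if t == 0x02:
        return "PKCS1"
    return "unknown"


# Object PEMParser hands back for each (header label, DER structure) pair.
_BC_OBJECT = {
    ("RSA PRIVATE KEY", "PKCS1"): "PEMKeyPair",
    ("PRIVATE KEY", "PKCS8"): "PrivateKeyInfo",
}


def check_key_pem(text):
    """Report what PEMParser would return for the first PEM block in `text`
    and whether CAS's PrivateKeyFactoryBean (which wants a PEMKeyPair) accepts it."""
    m = _PEM_RE.search(text)
    if not m:
        return {"label": None, "structure": None, "bc_object": None, "cas_ok": False}
    label = m.group(1)
    structure = classify_der(base64.b64decode("".join(m.group(2).split())))
    if label == "ENCRYPTED PRIVATE KEY":
        bc = "PKCS8EncryptedPrivateKeyInfo"
    else:
        bc = _BC_OBJECT.get((label, structure), "mismatch: header does not match DER body")
    return {"label": label, "structure": structure, "bc_object": bc, "cas_ok": bc == "PEMKeyPair"}


if __name__ == "__main__":
    for name, pem in (("pkcs1", SAMPLE_PKCS1_PEM), ("pkcs8", SAMPLE_PKCS8_PEM),
                      ("mislabeled", SAMPLE_MISLABELED_PEM)):
        print(name, check_key_pem(pem))
```

In a deployment pipeline the check runs over the generated `idp-signing.key` before it is packaged; a `PrivateKeyInfo` result means the key was written in PKCS#8 (the default for `openssl genpkey`, and for `openssl genrsa` on OpenSSL 3.x), and `openssl pkey -in idp-signing.key -traditional -out idp-signing.key` rewrites it into the traditional form that the check reports as `PEMKeyPair`. The structural check is deliberately narrow: it decides only which BouncyCastle object the file will parse into, not whether the key material is sound, so the authoritative test remains feeding the file to PEMParser itself.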