I am having an issue that I don’t understand. On RHEL6/CentOS and earlier, my predecessors would put self-signed certificates they wanted to trust in /etc/pki/ca-trust/extracted/java/cacerts, and it was good for the life of the machine. On RHEL7, and I assume CentOS7, that file is part of a package that is getting updated as part of the regular patches. That wipes out our self-signed certificates. The way I understand the directions from Red Hat, we should put the certificate in PEM format in the directory /etc/pki/ca-trust/source/anchors and run update-ca-trust extract, and that will update all the appropriate files, including the cacerts file. That does not seem to happen. What is the proper way of handling self-signed certificates you want Tomcat to trust?

Off topic, but you are folks who might know: on a related note, I have the same issue with Java applications not running in Tomcat that use the same file /etc/pki….java/cacerts. Am I understanding the PKI update process correctly? Am I putting the self-signed certificate PEM format file in the correct place?

Darryl Baker, GSEC (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave.
Suite 6-600 – Box #39
Evanston, IL 60201-3715
darryl.ba...@northwestern.edu
(847) 467-6674
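
The procedure described in the message above, with a check that the anchor actually reached the Java keystore, as an added example that is not part of the original post. The function names and the `--install` flag are this script's own; it assumes `keytool` is on PATH and that the keystore uses Java's default password `changeit`.

```shell
#!/bin/sh
# Added example. Function names and the --install flag belong to this script only.
ANCHORS=/etc/pki/ca-trust/source/anchors
JAVA_CACERTS=/etc/pki/ca-trust/extracted/java/cacerts

# Print the SHA-256 fingerprint (keytool's AA:BB:.. form) of the first
# certificate in a PEM file; return 1 if the file holds no PEM certificate.
pem_sha256_fp() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    tr -d '\r' < "$1" \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
      | sed '/-----END CERTIFICATE-----/q' \
      | grep -v -- '-----' \
      | base64 -d | sha256sum | cut -d' ' -f1 \
      | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Succeed if `keytool -list -v` output on stdin contains fingerprint $1.
# An empty fingerprint never matches (grep -F "" would match every line).
listing_has_fp() {
    [ -n "$1" ] && grep -qF -- "$1"
}

# Succeed if the certificate in PEM file $1 is an entry in keystore $2.
# Assumption: keytool is on PATH and the keystore password is "changeit".
anchor_in_keystore() {
    fp=$(pem_sha256_fp "$1") || { echo "$1: not a PEM certificate" >&2; return 2; }
    keytool -list -v -keystore "$2" -storepass changeit | listing_has_fp "$fp"
}

# Usage (as root): sh trust-anchor.sh --install /path/to/internal-ca.pem
if [ "${1:-}" = "--install" ] && [ -n "${2:-}" ]; then
    install -m 0644 "$2" "$ANCHORS/" && update-ca-trust extract || exit 1
    if anchor_in_keystore "$2" "$JAVA_CACERTS"; then
        echo "OK: $2 is in $JAVA_CACERTS"
    else
        echo "MISSING: $2 is not in $JAVA_CACERTS" >&2
        exit 1
    fi
fi
```

Running the check again after each patch cycle shows whether a package update replaced the keystore without the anchor.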