On Fri, 28 Aug 2020 at 17:19, Darryl Philip Baker <darryl.ba...@northwestern.edu> wrote:
> I am having an issue that I don't understand. On RHEL6/CentOS and earlier
> my predecessors would put self-signed certificates they wanted to trust in
> /etc/pki/ca-trust/extracted/java/cacerts and it was good for the life of
> the machine. On RHEL7 and I assume CentOS7 that file is part of a package
> that is getting updated as part of the regular patches. That wipes out our
> self-signed certificates. The way I understand the directions from Red Hat
> we should put the certificate in pem format in the directory
> /etc/pki/ca-trust/source/anchors and run update-ca-trust extract and that
> will update all the appropriate files, including the cacerts file. That
> does not seem to happen. What is the proper way of handling self-signed
> certificates you want tomcat to trust?
>
> Off topic but you are folks who might know:
> On a related note I have the same issue with Java applications not running
> in Tomcat that use the same file /etc/pki….java/cacerts. Am I understanding
> the PKI update process correctly? Am I putting the self-signed certificate
> pem format file in the correct place?
>
> Darryl Baker, GSEC (he/him/his)
> Sr. System Administrator
> (...)

You can put your certificates and truststore wherever you want as long as you tell Tomcat where they are in the conf/server.xml configuration file when you configure the connector using them. Self-signed certificates should never be used on a production server; they are not secure. It is up to you to handle the certificates when they expire unless you have some other automated way to renew them.

Normally, the cacerts file distributed with Java is a JKS-formatted trust store and the certificates it contains will eventually expire. That's why when Java is updated you may get an updated cacerts file as well. If you put your own certificates in that file and it gets updated when Java is updated, obviously you will lose your certificates. Just make a copy and put your certificates in the copy.

In fact, you may not need the original file at all if only self-signed certificates are involved. All the certificate authorities in the file are then useless to you.

Regards,
-----------------
Daniel Savard
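The "make a copy and point Tomcat at it" approach from the reply above, written out as an added example script (not code from either poster). Everything it touches is an assumption for illustration: the truststore copy lives at /etc/tomcat/truststore.jks, the keytool alias is derived from the PEM filename, and the connector is the usual 8443 one. `changeit` is the well-known default password the distributed cacerts file ships with. Two places need the path: the Connector's `truststoreFile` attribute only governs verification of client certificates presented to Tomcat, while outbound TLS connections made by webapps (the "Java applications" case in the question) use the JVM truststore, which is selected with `-Djavax.net.ssl.trustStore` in bin/setenv.sh (or the JAVA_OPTS line in /etc/tomcat/tomcat.conf on the RHEL7 package), so the script emits both fragments. Re-importing a renewed certificate under an existing alias is handled by deleting the old entry first, since keytool otherwise refuses the import.

```shell
#!/bin/sh
# Added example: keep a private copy of the JDK truststore so package updates
# cannot overwrite it, import a PEM certificate into that copy, verify the
# import, and print the Tomcat/JVM configuration that points at the copy.
# All paths below are assumptions, not values from the mailing-list thread.

JAVA_CACERTS=/etc/pki/ca-trust/extracted/java/cacerts   # package-managed, gets replaced
TRUSTSTORE=/etc/tomcat/truststore.jks                   # our private copy (assumed path)
STOREPASS=changeit                                      # default password of the shipped cacerts

# Derive a keytool alias from a PEM filename: strip the directory and extension.
alias_for() {
  f=$(basename "$1")
  printf '%s\n' "${f%.*}"
}

# Copy the distributed cacerts exactly once; the original is never edited.
init_truststore() {
  if [ ! -f "$TRUSTSTORE" ]; then
    cp "$JAVA_CACERTS" "$TRUSTSTORE"
    chmod 640 "$TRUSTSTORE"
  fi
}

# Exit 0 if the alias exists in the private copy, 1 otherwise.
has_alias() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    -alias "$1" >/dev/null 2>&1
}

# Import one PEM certificate. A renewed certificate reuses the alias, so an
# existing entry is deleted first (keytool refuses to import over an alias).
import_pem() {
  pem="$1"
  alias=$(alias_for "$pem")
  if has_alias "$alias"; then
    keytool -delete -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$alias"
  fi
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    -alias "$alias" -file "$pem"
}

# server.xml fragment: truststoreFile here is consulted for client-certificate
# verification on this connector. keystoreFile is the server's own key pair and
# is shown only as a placeholder.
connector_snippet() {
  cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/tomcat/keystore.jks" keystorePass="..."
           truststoreFile="$TRUSTSTORE" truststorePass="$STOREPASS" />
EOF
}

# JVM fragment: outbound TLS connections made by webapps (and by stand-alone
# Java programs started with the same options) use this truststore.
jvm_opts_snippet() {
  printf 'JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s"\n' \
    "$TRUSTSTORE" "$STOREPASS"
}

# Full procedure for one certificate: copy once, import, verify, print config.
trust_pem() {
  pem="$1"
  [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
  init_truststore
  import_pem "$pem"
  alias=$(alias_for "$pem")
  if ! has_alias "$alias"; then
    echo "import failed: alias '$alias' not present in $TRUSTSTORE" >&2
    return 1
  fi
  echo "imported $pem as alias '$alias' into $TRUSTSTORE"
  echo "--- add to conf/server.xml:"
  connector_snippet
  echo "--- add to bin/setenv.sh (or /etc/tomcat/tomcat.conf):"
  jvm_opts_snippet
}

# Run the procedure when a PEM path is given on the command line, e.g.
#   sh trust-pem.sh /etc/pki/ca-trust/source/anchors/internal-ca.pem
[ "$#" -gt 0 ] && trust_pem "$1"
```

After a Java update the private copy is untouched, but it also no longer receives the vendor's CA changes; if the copy is only used for self-signed internal certificates, that is exactly the trade-off the reply describes, and the script's `init_truststore` can be re-run against a fresh cacerts whenever the public CA list matters.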