1. CAS single sign-on over HTTPS
The error reported is: Error is [java.security.cert.CertificateException: No subject alternative names present]
For certain reasons, the CAS server and its client subsystems have to be accessed by IP address, and over HTTPS.
Many articles online claim that CAS single sign-on requires a domain name and that the CAS server cannot be accessed by IP. That is wrong, and it has nothing to do with CAS itself: the certificate can be generated with Java's keytool, which needs JDK 1.7 or later because the -ext option is required.
According to the keytool documentation, -ext san=dns:www.test.com or -ext san=ip:127.0.0.1 adds a Subject Alternative Name to the certificate.
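The rule the JDK applies when it throws that exception, as an added Python example that is not part of the original post: it reproduces the hostname-verification logic over certificate dicts shaped like the output of Python's ssl.getpeercert(). The three certificates are constructed stand-ins, not real certificates. An IP literal in the URL is matched only against iPAddress SAN entries, and the subject CN is never consulted for IPs, which is why CN=127.0.0.1 alone fails; the legacy CN fallback that JDK 8 still applies for DNS names is omitted here, since it does not affect the IP case.

```python
import ipaddress

# Constructed stand-ins shaped like the dict returned by ssl.SSLSocket.getpeercert().
# They are not real certificates; they only exercise the matching rules.
CERT_CN_ONLY = {
    "subject": ((("commonName", "127.0.0.1"),),),
    # no "subjectAltName" key: this is the certificate the error message complains about
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "127.0.0.1"),),),
    "subjectAltName": (("IP Address", "127.0.0.1"),),   # what -ext san=ip:127.0.0.1 adds
}
CERT_WITH_DNS_SAN = {
    "subject": ((("commonName", "www.test.com"),),),
    "subjectAltName": (("DNS", "www.test.com"), ("DNS", "*.example.org")),  # -ext san=dns:...
}


class CertificateError(Exception):
    pass


def _dns_match(pattern, host):
    """Case-insensitive dNSName match; a wildcard is allowed only as the whole left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def verify_host(cert, host):
    """Apply the JDK's SAN rules to an already-parsed certificate.

    An IP literal is matched only against iPAddress SAN entries; a DNS name only
    against dNSName entries.  With no SAN extension at all the check fails before
    it looks at anything else, which is the 'No subject alternative names present'
    error even when the subject CN equals the IP.
    """
    sans = cert.get("subjectAltName", ())
    if not sans:
        raise CertificateError("No subject alternative names present")
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        if any(kind == "IP Address" and ipaddress.ip_address(value) == target_ip
               for kind, value in sans):
            return True
        raise CertificateError("No subject alternative names matching IP address %s found" % host)
    if any(kind == "DNS" and _dns_match(value, host) for kind, value in sans):
        return True
    raise CertificateError("No subject alternative DNS name matching %s found" % host)


def check(cert, host):
    """Non-raising wrapper: (True, 'ok') or (False, <reason>)."""
    try:
        verify_host(cert, host)
        return True, "ok"
    except CertificateError as exc:
        return False, str(exc)


if __name__ == "__main__":
    cases = [
        ("CN only, by IP", CERT_CN_ONLY, "127.0.0.1"),
        ("IP SAN, by IP", CERT_WITH_IP_SAN, "127.0.0.1"),
        ("IP SAN, other IP", CERT_WITH_IP_SAN, "10.0.0.1"),
        ("DNS SAN, by name", CERT_WITH_DNS_SAN, "www.test.com"),
        ("DNS SAN, wildcard", CERT_WITH_DNS_SAN, "sso.example.org"),
        ("DNS SAN, by IP", CERT_WITH_DNS_SAN, "127.0.0.1"),
    ]
    for label, cert, host in cases:
        print("%-20s %s" % (label, check(cert, host)))
```

The first case is exactly the situation in the error above: the certificate's CN is the IP, but without a SAN the JDK rejects it, and a certificate generated with -ext san=ip:127.0.0.1 (second case) passes.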
2. Generate the keystore
keytool -genkey -alias resoft -keyalg RSA -keysize 1024 -keypass 123456 -storepass 123456 -dname "CN=127.0.0.1,OU=lfrip,O=lfrip,L=Hk,ST=HN,C=CN" -ext san=ip:127.0.0.1 -validity 3650 -keystore /hnjry/resoft.keystore
3. Export the certificate (.cer)
keytool -exportcert -alias resoft -keystore /hnjry/resoft.keystore -file /hnjry/resoft.cer -rfc
4. Generate the key file
Export the private key from the keystore as a PEM file with a small Java program:
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Base64;

public class SslKey {
    public static KeyStore getKeyStore(String keyStorePath, String password) throws Exception {
        // keytool on JDK 8 writes JKS by default (JDK 9+ defaults to PKCS12, which "JKS"
        // also loads on modern JDKs thanks to keystore.type.compat).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream is = new FileInputStream(keyStorePath)) {
            ks.load(is, password.toCharArray());
        }
        return ks;
    }

    public static PrivateKey getPrivateKey() {
        try {
            KeyStore ks = getKeyStore("D:/resoft.keystore", "123456");
            PrivateKey key = (PrivateKey) ks.getKey("resoft", "123456".toCharArray());
            // key.getEncoded() returns PKCS#8 DER, so the PEM label must be "PRIVATE KEY".
            // "RSA PRIVATE KEY" denotes PKCS#1, and nginx/OpenSSL refuse a file whose
            // label does not match the body. java.util.Base64 replaces the internal
            // sun.misc.BASE64Encoder, which no longer exists on JDK 9+.
            String encoded = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(key.getEncoded());
            System.out.println("-----BEGIN PRIVATE KEY-----");
            System.out.println(encoded);
            System.out.println("-----END PRIVATE KEY-----");
            return key;
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    public static void main(String[] args) {
        getPrivateKey();
    }
}
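The pitfall in step 4, as an added Python example that is not part of the original post: PrivateKey.getEncoded() returns PKCS#8 DER, so the PEM label has to be PRIVATE KEY; a RSA PRIVATE KEY label promises PKCS#1, and OpenSSL-based servers such as nginx reject the mismatch. The DER samples below are constructed stand-ins with the layout of each encoding and nonsense key material (not real keys), and the DER walk is a minimal parser written for this example.

```python
import base64

SEQUENCE, INTEGER, OID, NULL, OCTET_STRING = 0x30, 0x02, 0x06, 0x05, 0x04
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def der(tag, body):
    """Encode one DER TLV with a definite-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


# Constructed stand-ins: the layout of each format with nonsense key material.
# PKCS#1 RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, publicExponent INTEGER, ... }
PKCS1_SAMPLE = der(SEQUENCE,
                   der(INTEGER, b"\x00")
                   + der(INTEGER, b"\x00\xc1" + b"\x11" * 30)
                   + der(INTEGER, b"\x01\x00\x01"))
# PKCS#8 PrivateKeyInfo ::= SEQUENCE { version INTEGER, algorithm SEQUENCE, privateKey OCTET STRING }
PKCS8_SAMPLE = der(SEQUENCE,
                   der(INTEGER, b"\x00")
                   + der(SEQUENCE, der(OID, RSA_ENCRYPTION_OID) + der(NULL, b""))
                   + der(OCTET_STRING, PKCS1_SAMPLE))


def _tlv(buf, pos):
    """Read tag and length at pos; return (tag, body_start, body_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    else:
        n = first
    return tag, pos, pos + n


def pem_label_for(key_der):
    """Pick the PEM label from what follows the version INTEGER:
    a SEQUENCE (AlgorithmIdentifier) means PKCS#8, an INTEGER (modulus) means PKCS#1."""
    tag, start, _ = _tlv(key_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    vtag, _, vend = _tlv(key_der, start)
    if vtag != INTEGER:
        raise ValueError("expected version INTEGER")
    nxt, _, _ = _tlv(key_der, vend)
    if nxt == SEQUENCE:
        return "PRIVATE KEY"       # PKCS#8, what Java's PrivateKey.getEncoded() yields
    if nxt == INTEGER:
        return "RSA PRIVATE KEY"   # PKCS#1, the traditional 'openssl genrsa' output
    raise ValueError("unrecognised private key layout")


def to_pem(key_der):
    """Wrap DER in PEM with the label that matches its layout, 64 characters per line."""
    label = pem_label_for(key_der)
    b64 = base64.b64encode(key_der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pem_consistent(pem_text):
    """True when the PEM header label agrees with the DER layout of the body.
    A PKCS#8 body under an 'RSA PRIVATE KEY' header (the mislabelled form) fails this."""
    lines = pem_text.strip().splitlines()
    head = lines[0]
    if not (head.startswith("-----BEGIN ") and head.endswith("-----")):
        return False
    header_label = head[len("-----BEGIN "):-len("-----")]
    body = base64.b64decode("".join(lines[1:-1]))
    return pem_label_for(body) == header_label


if __name__ == "__main__":
    good = to_pem(PKCS8_SAMPLE)
    bad = good.replace("PRIVATE KEY", "RSA PRIVATE KEY")   # the mislabelled form
    print(good)
    print("correctly labelled:", pem_consistent(good))
    print("mislabelled:       ", pem_consistent(bad))
```

Running pem_consistent over the .key file before copying it to nginx catches the mislabelling before the server fails to start.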
5. Import the certificate into the JDK cacerts trust store (on the JDK that runs the CAS client, so the self-signed certificate is trusted)
keytool -import -alias resoft -keystore /hnjry/java/jdk1.8.0_181/jre/lib/security/cacerts -file /hnjry/resoft.cer -trustcacerts
6. List the cacerts trust store
keytool -list -v -keystore /hnjry/java/jdk1.8.0_181/jre/lib/security/cacerts
7. nginx configuration
Configure the generated key and cer files in nginx.
listen 443 ssl;                      # 'ssl on;' is deprecated since nginx 1.15.0; enable TLS on the listen directive instead
ssl_certificate /opt/resoft.cer;     # PEM certificate exported with -rfc in step 3
ssl_certificate_key /opt/resoft.key; # PEM private key from step 4 (-----BEGIN PRIVATE KEY-----)
Deleting the certificate from the cacerts trust store
keytool -delete -alias resoft -keystore /hnjry/java/jdk1.8.0_181/jre/lib/security/cacerts -storepass changeit
References
https://blog.csdn.net/qq_33873431/java/article/details/79354148
https://www.cnblogs.com/shindo/p/6117647.html