Open in app

Sign in

Write

Sign in

Nexus簡單key與crt轉jks(try & error)

Nexus簡單key與crt轉jks(try & error)

ZONGRU Li
7 min readNov 25, 2022

我先裝了nexus-3.43.0–01-unix.tar.gz

有啟動過

並且先改了/opt/sonatype-work/nexus3/etc/nexus.properties

內容原本如下:

調整為如下:

並且修改/opt/nexus-3.43.0–01/etc/jetty/jetty-https.xml

#內容會有一行是
<New id="sslContextFactory" class..............的區塊,裡面會有三個值的設定
<Set name="KeyStorePassword">password</Set>
<Set name="KeyManagerPassword">password</Set>
<Set name="TrustStorePath">password</Set>

#將上述三個password改為上面建立keystore.jks使用的密碼例如keypass
<Set name="KeyStorePassword">keypass</Set>
<Set name="KeyManagerPassword">keypass</Set>
<Set name="TrustStorePath">keypass</Set>

這邊嘗試自建openssl的key與crt,然後轉為Nexus需要的keystore.jks格式

#自建openssl的key與crt檔:
sudo openssl req -x509 \
    -nodes \
    -days   3650 \
    -newkey rsa:4096 \
    -keyout self_signed.key \
    -out    self_signed_cert.crt \
    -subj   "/C=TW/L=Default City/O=pig/CN=43.206.128.154" \
    -addext "subjectAltName = DNS:43.206.128.154"
#透過以下指令將key與crt轉為jks,先轉成p12:
sudo openssl pkcs12 -export -in  self_signed_cert.crt \
-inkey self_signed.key -out server.p12

#再把p12轉為jks:
sudo keytool -importkeystore -keyalg EC -srckeystore server.p12 -destkeystore self_signed.jks -srcstoretype pkcs12

確認一下有沒有"/opt/sonatype-work/nexus3/etc/ssl"目錄(沒有的話要建)

看起來沒有
#先切換成nexus帳號
sudo su - nexus

#建立目錄:
mkdir -p /opt/sonatype-work/nexus3/etc/ssl

#把root製作的self_signed.jks複製進去:
cp /opt/self_signed.jks /opt/sonatype-work/nexus3/etc/ssl/
#重啟看看:
sudo su - nexus
/opt/nexus-3.43.0-01/bin/nexus start

後來發現進不去

#查看log:
vi /opt/sonatype-work/nexus3/log/jvm.log
#但是沒看到啥

後來用/opt/nexus-3.43.0–01/bin/nexus run指令啟動看到:

所以後面重新找指令重建jks

先移除失敗的jks檔:

然後找別招轉jks

參考LINK:

#找到另一個crt與key轉jks的,先轉pfx:
sudo openssl pkcs12 -export -out server.pfx -inkey \
 self_signed.key -in self_signed_cert.crt -password pass:keypass

#再從pfx轉jks(記得myalias,keypass密碼這些可以改):
sudo keytool -importkeystore -srckeystore server.pfx \
 -srcstoretype pkcs12 -srcalias 1 -srcstorepass \
 keypass -destkeystore keystore.jks -deststoretype jks \
 -deststorepass keypass -destalias myalias
我這張圖執行時有打錯密碼,上面指令我改對了

一樣搬到/opt/sonatype-work/nexus3/etc/ssl/keystore.jks

#搬到/opt/sonatype-work/nexus3/etc/ssl/keystore.jks:
sudo su - nexus
cp /opt/keystore.jks /opt/sonatype-work/nexus3/etc/ssl/keystore.jks
#再用run來看看(nexus身分下):
/opt/nexus-3.43.0-01/bin/nexus run

後來發現上面有敲錯密碼:

上面指令已經有調整了,反正就是重作jks再來run看到:

Web 8081可以進去:

Web 8443看起來...

懷疑就是RHEL的那個機台放置根憑證信任並更新

#所以把crt憑證檔搬到機台信任憑證的擺放處,然後更新:
sudo cp /opt/self_signed_cert.crt  /etc/pki/ca-trust/source/anchors/self_signed_cert.crt
sudo sudo update-ca-trust

連pfx也放看看

也看看搬到另一目錄:

後來curl發現其實只要curl完整就可以了

這篇有點亂,可能再整理一篇

--

--

ZONGRU Li
ZONGRU Li

Written by ZONGRU Li

144 Followers
19 Following

2022/11/17 開源部分個人筆記給LINE "Java程式語言討論區"社群,希望能對社群的技術學習做一點點貢獻.(掩面....記得退訂閱!

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams