Scrap site for its certificates, validate and create a ca bundle, for the use in downloading a local copy of Certificate Authorities (CAs)

scrap-ca-to-bundle.sh

#!/bin/bash


# Download CA Certs (.crt) from a URL
# example: http://www.banxico.org.mx/servicios/certificados-ies-firma-electr.html
# Then check which certificates are valid and bundle them to a pem file

WEB_URL=http://www.banxico.org.mx/servicios/certificados-ies-firma-electr.html
SSL_CERT_DIR=ca
CA_BUNDLE=$SSL_CERT_DIR/ca-chain-bundle.pem
# If your require to first erase old crts (not necessary)
# rm -Rf $SSL_CERT_DIR

# Prepare directories
mkdir -p $SSL_CERT_DIR
mkdir -p $SSL_CERT_DIR/crts
mkdir -p $SSL_CERT_DIR/expired
mkdir -p $SSL_CERT_DIR/valid

# Fetch all crts from a specific web location
wget -r -nd -e robots=off -P $SSL_CERT_DIR/crts -A crt $WEB_URL

# Check CA endtime certificates:
TZ='GMT'
for f in $(find $SSL_CERT_DIR/crts -type f -name "*.crt")
do
  echo "Processing $f file..."
  DATE=`openssl x509 -startdate -noout -in $f`
  DATE=${DATE/notBefore=/}
  DATE=${DATE/ GMT/}
  if [ `date -j -f "%b %d %H:%M:%S %Y" "$DATE" +%s` -ge `date +%s` ];
  then
      echo "$f not valid yet: $DATE"
      mv $f $SSL_CERT_DIR/expired
      continue
  fi
  DATE=`openssl x509 -enddate -noout -in $f`
  DATE=${DATE/notAfter=/}
  DATE=${DATE/ GMT/}
  if [ `date -j -f "%b %d %H:%M:%S %Y" "$DATE" +%s` -le `date +%s` ];
  then
      echo "$f expired: $DATE"
      mv $f $SSL_CERT_DIR/expired
      continue
  fi
  mv $f $SSL_CERT_DIR/valid
done

cat $SSL_CERT_DIR/valid/*.crt > $CA_BUNDLE


# Verify certificate against local case
#openssl verify -verbose -x509_strict -CAfile certificate.pem -CApath nosuchdir $CA_BUNDLE

I am using it to download Banxico .crt certificates and create a valid bundle certificate so I can test against Digital Siganture (Annexo 20) SAT certificates.