Last active January 7, 2020 19:43
import RDS certificates to java keystore on alpine / osx
```sh
#!/usr/bin/env sh
set -e
OLDDIR="$PWD"
if [ -z "$CACERTS_FILE" ]; then
    CACERTS_FILE="$JAVA_HOME/jre/lib/security/cacerts"
fi
WORKDIR=$(mktemp -d /tmp/rds-ca.XXXXXX)
cd "$WORKDIR"
echo "Downloading RDS certificates..."
curl -fsS https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem > rds-combined-ca-bundle.pem
# split the bundle into one file per certificate; awk is used instead of
# csplit because GNU and BSD csplit disagree on how the first match is
# handled, which left an empty first piece and a doubled last piece
awk '/-BEGIN CERTIFICATE-/ { n++ } n { print > ("xx" n ".pem") }' rds-combined-ca-bundle.pem
for CERT in xx*.pem; do
    # extract a human-readable alias from the cert (its subject CN)
    ALIAS=$(openssl x509 -noout -subject -in "$CERT" | sed 's/.*CN *= *//')
    echo "importing $ALIAS"
    # import the cert into the default java keystore
    keytool -import \
        -keystore "$CACERTS_FILE" \
        -storepass changeit -noprompt \
        -alias "$ALIAS" -file "$CERT"
done
cd "$OLDDIR"
rm -r "$WORKDIR"
```
@steini, one suggestion though, is to import this into jssecacerts (and copy it from cacerts if not present)
Line 15 should be changed to

```sh
csplit -sz rds-combined-ca-bundle.pem '/-BEGIN CERTIFICATE-/' '{*}'
```

With the current version of split, the first key would always be broken.
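Putting the two comments above together, here is an added example (not the gist's own code) that imports into jssecacerts, creating it from cacerts when missing, splits the bundle with awk so the csplit first-piece problem cannot occur, and skips aliases that are already in the keystore so the script can be re-run. The function names, the `cert-N.pem` naming and the `changeit` default password are assumptions.

```sh
#!/usr/bin/env sh
# Added example, not code from the gist: imports a PEM bundle into jssecacerts
# (created from cacerts when missing, as suggested above), splits the bundle
# with awk instead of csplit, and skips aliases that are already present so a
# re-run is harmless. Function names and the cert-N.pem naming are assumptions.

# Take the CN out of an `openssl x509 -noout -subject` line; print $2 if no CN.
cn_from_subject() {
    cn=$(printf '%s\n' "$1" | sed -n 's/.*CN *= *//p' | sed 's/[[:space:]]*$//')
    if [ -n "$cn" ]; then printf '%s\n' "$cn"; else printf '%s\n' "$2"; fi
}

# JSSE consults jssecacerts before cacerts, so writing there leaves the JDK's
# own cacerts untouched. Prints the path of the keystore to import into.
ensure_jssecacerts() {
    [ -f "$1/jssecacerts" ] || cp "$1/cacerts" "$1/jssecacerts" || return 1
    printf '%s\n' "$1/jssecacerts"
}

# Write each certificate of bundle $1 to $2/cert-N.pem; print the count.
# Lines before the first BEGIN (if any) are dropped, so no empty file appears.
split_bundle() {
    awk -v dir="$2" '/-BEGIN CERTIFICATE-/ { n++ }
                     n { print > (dir "/cert-" n ".pem") }
                     END { print n + 0 }' "$1"
}

# Import one cert unless its alias is already in the keystore (idempotent).
import_cert() {
    if keytool -list -keystore "$1" -storepass changeit -alias "$3" >/dev/null 2>&1; then
        echo "skipping $3: alias already present"
        return 0
    fi
    keytool -import -keystore "$1" -storepass changeit -noprompt -alias "$3" -file "$2"
}

# import_bundle bundle.pem /path/to/jre/lib/security
import_bundle() {
    ks=$(ensure_jssecacerts "$2") || return 1
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp" >/dev/null
    for cert in "$tmp"/cert-*.pem; do
        subject=$(openssl x509 -noout -subject -in "$cert")
        import_cert "$ks" "$cert" "$(cn_from_subject "$subject" "$(basename "$cert" .pem)")"
    done
    rm -r "$tmp"
}
```

The alias check before each import is what makes a second run safe: keytool refuses to import under an alias that already exists, which would otherwise abort the loop part way through the bundle.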