@steini
Last active January 7, 2020 19:43
import RDS certificates to java keystore on alpine / osx
#!/usr/bin/env sh
# Import the AWS RDS CA bundle into a Java keystore (alpine / osx).
set -u
OLDDIR="$PWD"
# Keystore to import into; override by setting CACERTS_FILE in the environment.
CACERTS_FILE="${CACERTS_FILE:-$JAVA_HOME/jre/lib/security/cacerts}"
WORKDIR=$(mktemp -d /tmp/rds-ca.XXXXXX) || exit 1
cd "$WORKDIR" || exit 1
echo "Downloading RDS certificates..."
# -f makes curl fail on an HTTP error instead of saving the error page as the bundle
curl -fsSL https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem \
  -o rds-combined-ca-bundle.pem || exit 1
# split the bundle into one piece per certificate (xx00, xx01, ...);
# -s suppresses the byte counts, -k keeps the pieces if csplit reports an error
csplit -sk rds-combined-ca-bundle.pem '/-BEGIN CERTIFICATE-/' \
  "{$(grep -c 'BEGIN CERTIFICATE' rds-combined-ca-bundle.pem | awk '{print $1 - 2}')}"
for CERT in xx*; do
  # a piece with no certificate (e.g. text before the first one) has nothing to import
  grep -q 'BEGIN CERTIFICATE' "$CERT" || continue
  # extract a human-readable alias (the subject CN) from the cert;
  # newer OpenSSL prints "CN = ..." with spaces, so accept both spellings
  ALIAS=$(openssl x509 -noout -text -in "$CERT" |
    perl -ne 'next unless /Subject:/; s/.*CN\s*=\s*//; print')
  echo "importing $ALIAS"
  # import the cert into the java keystore (changeit is the JDK default store password)
  keytool -import \
    -keystore "$CACERTS_FILE" \
    -storepass changeit -noprompt \
    -alias "$ALIAS" -file "$CERT"
done
cd "$OLDDIR"
rm -r "$WORKDIR"
nickzam commented Mar 29, 2016

Line 15 should be changed to
csplit -sz rds-combined-ca-bundle.pem '/-BEGIN CERTIFICATE-/' '{*}'
With the current version of split, the first key would always be broken.

leonmax commented Jul 14, 2017

@nickzam: @steini made it clear that the bash script above is for "on alpine / osx"; your script doesn't work for me on osx. Looks like the csplit command is not compatible with either system.
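The csplit incompatibility discussed in these comments can be sidestepped entirely: the splitter below is an added example (not part of the gist) that uses only awk, which behaves the same under busybox on alpine, GNU and BSD/macOS, and it never produces an empty first piece. The bundle it runs on is a constructed sample with dummy PEM bodies, not real RDS certificates.

```shell
# Split a PEM bundle into one file per certificate using awk only, so it works
# identically with busybox (alpine), GNU and BSD/macOS tools. Output files are
# named <prefix>NN.pem; any text before the first certificate is discarded.
split_pem_bundle() {
  bundle="$1"
  prefix="${2:-cert-}"
  awk -v prefix="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s%02d.pem", prefix, n++); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
  ' "$bundle"
}

# Count the split files that hold exactly one certificate (a sanity check
# before feeding them to keytool).
count_single_cert_files() {
  prefix="$1"
  total=0
  for f in "$prefix"*.pem; do
    [ -e "$f" ] || continue
    if [ "$(grep -c 'BEGIN CERTIFICATE' "$f")" -eq 1 ]; then
      total=$((total + 1))
    fi
  done
  echo "$total"
}

# Constructed sample bundle (dummy bodies, not real certificates): a comment line
# before the first block, two PEM blocks, and a blank line between them.
make_sample_bundle() {
  dir=$(mktemp -d)
  printf '%s\n' \
    '# comment line that csplit would turn into an empty first piece' \
    '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
    '' \
    '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' \
    > "$dir/bundle.pem"
  echo "$dir"
}
```

To use it in the gist's script, replace the csplit line with `split_pem_bundle rds-combined-ca-bundle.pem xx` and loop over `xx*.pem`.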

leonmax commented Jul 14, 2017

@steini, one suggestion though: import this into jssecacerts (and copy it from cacerts if not present).
