#!/bin/bash
# Import the Let's Encrypt certificates into a JDK's cacerts truststore.
set -e
# Require the JDK home as the first argument before doing anything else.
[ $# -eq 0 ] && { echo "Usage: sudo $0 \$(/usr/libexec/java_home -v '1.8*')" ; exit 1; }
JAVA_HOME="$1"
KEYSTORE="$JAVA_HOME/jre/lib/security/cacerts"
# Download the certificates (DER format) into the current directory.
wget https://letsencrypt.org/certs/letsencryptauthorityx1.der
wget https://letsencrypt.org/certs/letsencryptauthorityx2.der
wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.der
wget https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.der
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.der
wget https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.der
# to be idempotent: drop any aliases left by an earlier run (errors ignored)
keytool -delete -alias isrgrootx1 -keystore "$KEYSTORE" -storepass changeit 2> /dev/null || true
keytool -delete -alias isrgrootx2 -keystore "$KEYSTORE" -storepass changeit 2> /dev/null || true
keytool -delete -alias letsencryptauthorityx1 -keystore "$KEYSTORE" -storepass changeit 2> /dev/null || true
keytool -delete -alias letsencryptauthorityx2 -keystore "$KEYSTORE" -storepass changeit 2> /dev/null || true
keytool -delete -alias letsencryptauthorityx3 -keystore "$KEYSTORE" -storepass changeit 2> /dev/null || true
keytool -delete -alias letsencryptauthorityx4 -keystore "$KEYSTORE" -storepass changeit 2> /dev/null || true
# Import each file as a trusted CA entry; -noprompt skips keytool's confirmation prompt.
# Note: the isrgrootx1/isrgrootx2 aliases hold the letsencryptauthorityx1/x2 files downloaded above.
keytool -trustcacerts -keystore "$KEYSTORE" -storepass changeit -noprompt -importcert -alias isrgrootx1 -file letsencryptauthorityx1.der
keytool -trustcacerts -keystore "$KEYSTORE" -storepass changeit -noprompt -importcert -alias isrgrootx2 -file letsencryptauthorityx2.der
keytool -trustcacerts -keystore "$KEYSTORE" -storepass changeit -noprompt -importcert -alias letsencryptauthorityx1 -file lets-encrypt-x1-cross-signed.der
keytool -trustcacerts -keystore "$KEYSTORE" -storepass changeit -noprompt -importcert -alias letsencryptauthorityx2 -file lets-encrypt-x2-cross-signed.der
keytool -trustcacerts -keystore "$KEYSTORE" -storepass changeit -noprompt -importcert -alias letsencryptauthorityx3 -file lets-encrypt-x3-cross-signed.der
keytool -trustcacerts -keystore "$KEYSTORE" -storepass changeit -noprompt -importcert -alias letsencryptauthorityx4 -file lets-encrypt-x4-cross-signed.der
# Clean up the downloaded files.
rm -f letsencryptauthorityx1.der letsencryptauthorityx2.der lets-encrypt-x1-cross-signed.der lets-encrypt-x2-cross-signed.der lets-encrypt-x3-cross-signed.der lets-encrypt-x4-cross-signed.der
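
A check to run after the script above, as an added example that is not part of the gist: because the imports use `-noprompt` and the deletes discard their errors, it confirms from a `keytool -list` listing that all six aliases are actually in the truststore. `missing_aliases` and `sample_listing` are hypothetical names, the sample listing is constructed, and the alias-first entry line of `keytool -list` output is assumed.

```shell
#!/bin/sh
# Added example (not from the gist): confirm the six aliases the script
# imports are present in a `keytool -list` listing.

# Aliases taken from the script's -importcert lines.
EXPECTED_ALIASES="isrgrootx1 isrgrootx2 letsencryptauthorityx1 letsencryptauthorityx2 letsencryptauthorityx3 letsencryptauthorityx4"

# missing_aliases (hypothetical helper): reads `keytool -list` output on
# stdin, prints every expected alias that has no entry line, and returns 1
# if any is missing. Runs in a subshell so its variables do not leak.
missing_aliases() (
    listing=$(cat)
    status=0
    for a in $EXPECTED_ALIASES; do
        # Entry lines start with "<alias>, "; the comma keeps a longer
        # alias with the same prefix from matching.
        if ! printf '%s\n' "$listing" | grep -q "^$a, "; then
            printf '%s\n' "$a"
            status=1
        fi
    done
    exit "$status"
)

# Constructed sample listing in which the x4 import did not happen.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS

isrgrootx1, May 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
isrgrootx2, May 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
letsencryptauthorityx1, May 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
letsencryptauthorityx2, May 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
letsencryptauthorityx3, May 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
EOF
}

# Real use: pass the cacerts path as $1 (same keystore the script modified).
if [ "$#" -gt 0 ]; then
    keytool -list -keystore "$1" -storepass changeit | missing_aliases \
        && echo "all Let's Encrypt aliases present"
fi
```

Run it against the same `cacerts` file the script modified; any alias it prints was not imported.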

@JuniorBatista JuniorBatista commented May 25, 2016

You must restart the server after running the sh?

@JasonJanelle JasonJanelle commented Jun 20, 2016

@JuniorBatista Yes, you will have to restart any Java processes that need to use the new certs.

@EHJ-52n EHJ-52n commented Mar 15, 2017

@Firefishy I have a version for Jenkins users: install_lets-encrypt_jenkins-jdks.sh

The keytool version I have requires changing the option -importcert to -import.

@Pablohn26 Pablohn26 commented May 31, 2017

@EHJ-52n maybe this helps you

@Sicaine Sicaine commented Sep 21, 2018

If you are using Debian, you can use the following package: https://packages.debian.org/de/stretch/ca-certificates-java, link the trust store of your JVM to that one, and use the update-ca-certificates tool to integrate custom certificates.

But there is a big chance that, after using ca-certificates-java, you don't need to add those certificates manually anyway.
