@alencar
Last active July 11, 2024 10:58
Extract AWS RDS Global Bundle certificates into a PKCS#12 keystore compatible with Java
#!/bin/bash
# Based on https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
#
# Improvements
# - Removed Perl dependency
# - Per-certificate temporary files are written under ${mydir}, not the working directory
# - CN extraction works with OpenSSL 1.0, 1.1 and 3.x (-nameopt multiline instead of splitting on "/")
set -euo pipefail

mydir=tmp/certs
mkdir -p "${mydir}"

truststore=${mydir}/rds-truststore.p12
storepassword=changeit

# -f: fail on an HTTP error instead of saving the error page as the bundle
curl -sSf "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem" -o "${mydir}/global-bundle.pem"

# Start from an empty truststore so a re-run does not fail on duplicate aliases
rm -f "${truststore}"

# Split the bundle into one file per certificate: rds-ca-0.pem, rds-ca-1.pem, ...
# close() each finished file so awk does not run out of file descriptors on a large bundle
awk -v dir="${mydir}" 'BEGIN {n=0} split_after == 1 {close(dir "/rds-ca-" n ".pem"); n++; split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > (dir "/rds-ca-" n ".pem")}' "${mydir}/global-bundle.pem"

for CERT in "${mydir}"/rds-ca-*.pem; do
  # Use the certificate's CN as the keystore alias; -nameopt multiline prints a
  # "commonName = ..." line in the same shape on every OpenSSL version
  alias=$(openssl x509 -noout -subject -nameopt multiline -in "${CERT}" | sed -n 's/^ *commonName *= *//p')
  echo "File: ${CERT}"
  echo "Importing ${alias}"
  keytool -import -file "${CERT}" -alias "${alias}" -storepass "${storepassword}" -keystore "${truststore}" -storetype PKCS12 -noprompt
  rm "${CERT}"
done
rm "${mydir}/global-bundle.pem"

echo "Trust store content is: "
keytool -list -v -keystore "${truststore}" -storepass "${storepassword}" | grep 'Alias name:' | cut -d " " -f3- | while read -r alias
do
  expiry=$(keytool -list -v -keystore "${truststore}" -storepass "${storepassword}" -alias "${alias}" | sed -n 's/^Valid.*until: \(.*$\)/\1/p')
  echo " Certificate ${alias} expires on '${expiry}'"
done
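The script above pipes whatever curl downloaded straight into awk and keytool. A truncated download would be rejected only part-way through the import, or silently produce a truststore with fewer CAs than the bundle carries. As an added example (not part of the gist), the functions below sanity-check a PEM bundle first: every BEGIN has its END, bodies are base64, and the certificate count meets a minimum you expect. The `verify_bundle_or_die` name and the sample bundles in the comments are my own.

```shell
#!/bin/bash
# Added example: validate a PEM bundle before importing it into a truststore.

# Count complete certificate blocks (a BEGIN line followed by its END line).
pem_cert_count() {
    # $1 = path to PEM bundle
    awk '/^-----BEGIN CERTIFICATE-----$/ {open=1}
         /^-----END CERTIFICATE-----$/   {if (open) n++; open=0}
         END {print n+0}' "$1"
}

# Exit 0 when the bundle is well formed: at least one certificate, no BEGIN
# without a matching END, and only base64 lines inside a block. Text outside
# blocks (some bundles carry "subject=" headers) is ignored.
pem_bundle_is_wellformed() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad=1; open=1; next }
        /^-----END CERTIFICATE-----$/   { if (!open) bad=1; open=0; n++; next }
        open { if ($0 !~ /^[A-Za-z0-9+\/=]+$/) bad=1; next }  # body must be base64
        END { exit (bad || open || n == 0) ? 1 : 0 }          # dangling block or no certs
    ' "$1"
}

# Refuse to proceed on a bad download. $1 = bundle path, $2 = minimum number
# of certificates expected (default 1).
verify_bundle_or_die() {
    local bundle=$1 expected_min=${2:-1} n
    if ! pem_bundle_is_wellformed "$bundle"; then
        echo "ERROR: $bundle is not a clean PEM bundle (truncated or not PEM)" >&2
        return 1
    fi
    n=$(pem_cert_count "$bundle")
    if [ "$n" -lt "$expected_min" ]; then
        echo "ERROR: only $n certificate(s) in $bundle, expected at least $expected_min" >&2
        return 1
    fi
    echo "OK: $n certificate(s) in $bundle"
}
```

Call `verify_bundle_or_die "${mydir}/global-bundle.pem" <expected>` right after the curl line; pick the expected minimum from a bundle you have already inspected, so a shrunken download is caught before keytool runs.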