Skip to content

Instantly share code, notes, and snippets.

Last active August 17, 2023 17:12
Show Gist options
  • Save galan/ec8b5f92dd325a97e2f66e524d28aaf8 to your computer and use it in GitHub Desktop.
Save galan/ec8b5f92dd325a97e2f66e524d28aaf8 to your computer and use it in GitHub Desktop.
Imports the letsencrypt certificates into the java keystore
#!/bin/bash -e
# JAVA_HOME can be passed as argument if not set
if [ ! -d $JAVA_HOME ]; then
if [ ! -f "$KEYSTORE" ]; then
echo "Keystore not found in '$KEYSTORE'"
exit 1
cp $KEYSTORE $KEYSTORE.`date +"%Y%m%d%H%m%S"`
# to be idempotent
keytool -delete -alias isrgrootx1 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true
keytool -delete -alias isrgrootx2 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true
keytool -delete -alias letsencryptauthorityx1 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true
keytool -delete -alias letsencryptauthorityx2 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true
keytool -delete -alias letsencryptauthorityx3 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true
keytool -delete -alias letsencryptauthorityx4 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true
keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias isrgrootx1 -file letsencryptauthorityx1.der
keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias isrgrootx2 -file letsencryptauthorityx2.der
keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias letsencryptauthorityx1 -file lets-encrypt-x1-cross-signed.der
keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias letsencryptauthorityx2 -file lets-encrypt-x2-cross-signed.der
keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias letsencryptauthorityx3 -file lets-encrypt-x3-cross-signed.der
keytool -trustcacerts -keystore $KEYSTORE -storepass changeit -noprompt -importcert -alias letsencryptauthorityx4 -file lets-encrypt-x4-cross-signed.der
rm -f letsencryptauthorityx1.der letsencryptauthorityx2.der lets-encrypt-x1-cross-signed.der lets-encrypt-x2-cross-signed.der lets-encrypt-x3-cross-signed.der lets-encrypt-x4-cross-signed.der
Copy link

leganz commented Sep 11, 2019

You saved my day! Thx for sharing!

Copy link

amcsSH commented Oct 29, 2019

Hi, thanks for your script. I would suggest, that the test if JAVA_HOME is set or empty should be enhanced your script:

   if [ "x$JAVA_HOME" == "x"  ]; then
        echo "Set JAVA_HOME env. variable"
   if [ ! -d $JAVA_HOME ]; then ...

because JAVA_HOME is set but empty.

Copy link

Thanks for doing the initial work in this @galan.

I've forked your version to update it with information on the current set (as of 2020-02-07) of Let's Encrypt's intermediate certs. At the same time I've incorporated @amcsSH's suggestion above, and used the Bash 4 dictionary feature to remove the redundant duplication of certificate names and files.

Copy link

Kendak commented Jun 19, 2020

If you don't have set PATH to $JAVA_HOME/jre/bin/ then keytool won't work.
Here a simple fix:
change all commands "keytool" with this:


Copy link

danielsz commented Dec 15, 2021

Please refer to LetsEncrypt's Chain of Trust document for up-to-date references.
Hint: I needed to adapt the script to download and install

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment