Skip to content

Instantly share code, notes, and snippets.

@kawaz

kawaz/add-digicert-to-cacerts.sh

Last active April 2, 2020 12:13
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save kawaz/734be555493bcb8b52f5a78f6cd08010 to your computer and use it in GitHub Desktop.
Save kawaz/734be555493bcb8b52f5a78f6cd08010 to your computer and use it in GitHub Desktop.
Download ZIP
digicertのCA証明書をJavaに追加する
Raw
add-digicert-to-cacerts.sh
#!/bin/bash
(
cd /tmp
wget http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
/bin/cp -ap /etc/pki/java/cacerts /tmp/etc_pki_java_cacerts.backup.$(sha1sum /etc/pki/java/cacerts|perl -pe's/ .*//')
keytool -import -trustcacerts -alias digicert -file DigiCertSHA2SecureServerCA.crt -keystore /etc/pki/java/cacerts -storepass changeit
/bin/cp -ap /etc/pki/java/cacerts /tmp/etc_pki_java_cacerts.backup.$(sha1sum /etc/pki/java/cacerts|perl -pe's/ .*//')
diff <(keytool -list -keystore etc_pki_java_cacerts.backup.2f8da47e32696e71801b52ff57fe4b246776a850 -storepass changeit|sort) \
<(keytool -list -keystore /etc/pki/java/cacerts -storepass changeit|sort)
)
@kawaz
Copy link
Author

kawaz commented Apr 2, 2020

対象サーバに必要なCA証明書を調べるのは以下で行いました。

$ echo | openssl s_client -connect conf.uw.docomo.ne.jp:443 | openssl x509 -text | grep -i issuer
depth=3 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = JP, ST = Tokyo, L = Chiyoda-Ku, O = NTT DOCOMO.INC, OU = Service Design Department 02, CN = conf.uw.docomo.ne.jp
verify return:1
DONE
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment