Downloads and installs the startssl CA certs into the global Java keystore
#!/bin/bash
# Downloads and installs the startssl CA certs into the global Java keystore
# https://sipb.mit.edu/doc/safe-shell/
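set -euf -o pipefail
# Check if JAVA_HOME is set.  The ${JAVA_HOME:-} form keeps 'set -u' from
# aborting with a bare "unbound variable" error before the message below prints.
if [[ -z "${JAVA_HOME:-}" ]]; then
  echo "ERROR: JAVA_HOME must be set." >&2
  exit 1
fi
# Check if cacerts file is present.  The rest of the script expects the JDK 8
# layout (jre/lib/security); NOTE(review): JRE-only installs and newer JDKs keep
# cacerts directly under lib/security — confirm the layout before relying on this.
if [[ ! -f "$JAVA_HOME/jre/lib/security/cacerts" ]]; then
  echo "ERROR: \$JAVA_HOME/jre/lib/security/cacerts not found. JAVA_HOME set correctly?" >&2
  exit 1
fi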
##########################################
## Only this alias -> URL map needs changing to install other certificates.
## Every URL must be https://; a trust anchor fetched over plaintext can be
## swapped in transit, and the operator should still compare the fingerprint
## keytool prints against the CA's published value.
##########################################
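# Map of keystore alias -> download URL.  All entries are https://: the original
# first entry used plain http://, which lets an on-path attacker substitute the
# root certificate that then gets installed system-wide.
# NOTE(review): verify that StartCom/StartSSL is still a CA you want in the
# global trust store before running this; the script does not check that.
declare -A certificates=(
  ["startcom.ca"]="https://www.startssl.com/certs/ca.crt"
  ["startcom.ca-g2"]="https://www.startssl.com/certs/ca-g2.crt"
  ["startcom.ca-sha2"]="https://www.startssl.com/certs/ca-sha2.crt"
)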
#
# this function downloads one certificate and (re)installs it in the keystores
# usage : installCertificate certificateAlias certificateUrl
#
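#######################################
# Downloads one CA certificate and (re)installs it under the given alias in the
# JRE's cacerts keystore, and in jssecacerts when that keystore exists.
# Globals:   JAVA_HOME (read)
# Arguments: $1 - keystore alias, $2 - HTTPS URL of the certificate
# Outputs:   progress and the certificate's fingerprints on stdout, errors on stderr
# Returns:   0 on success, 1 on any failure; the temp file is removed either way
#######################################
installCertificate() {
  local certificateAlias=$1
  local certificateUrl=$2
  local certificateFile rc=0

  # Refuse plaintext transport: a certificate fetched over http:// can be
  # swapped in transit and would then become a system-wide trust anchor.
  if [[ "$certificateUrl" != https://* ]]; then
    printf 'ERROR: %s: refusing to install a trust anchor fetched from non-HTTPS URL %s\n' \
      "$certificateAlias" "$certificateUrl" >&2
    return 1
  fi

  # Download into a private temp file instead of "$alias.crt" in the current
  # directory, which is predictable and may be writable by others.
  certificateFile=$(mktemp) || return 1
  # Running the work inside 'if !' turns errexit off for it, so a failure comes
  # back here and the temp file is always cleaned up.
  if ! _installCertificateFromUrl "$certificateAlias" "$certificateUrl" "$certificateFile"; then
    rc=1
  fi
  rm -f -- "$certificateFile"
  return "$rc"
}

# Fetch the certificate into $3, validate it, then install it in each keystore.
# Arguments: $1 - alias, $2 - HTTPS URL, $3 - path of the temp file to fill
_installCertificateFromUrl() {
  local certificateAlias=$1
  local certificateUrl=$2
  local certificateFile=$3
  local securityDir="$JAVA_HOME/jre/lib/security"

  echo "Downloading cert $certificateAlias : $certificateUrl ..."
  # --https-only also rejects a redirect that would drop back to http://.
  if ! wget --quiet --https-only "$certificateUrl" -O "$certificateFile"; then
    echo "ERROR: download of $certificateUrl failed" >&2
    return 1
  fi
  # Parse the download before touching any keystore.  This also prints the
  # fingerprints so they can be checked against the CA's published values.
  if ! keytool -printcert -file "$certificateFile"; then
    echo "ERROR: $certificateFile is not a readable certificate" >&2
    return 1
  fi

  _replaceInKeystore "$securityDir/cacerts" "$certificateAlias" "$certificateFile" || return 1
  if [[ -f "$securityDir/jssecacerts" ]]; then
    _replaceInKeystore "$securityDir/jssecacerts" "$certificateAlias" "$certificateFile" || return 1
  fi
}

# Remove alias $2 from keystore $1 if it is present, then import $3 under that
# same alias.  The original imported under the URL while deleting by alias, so
# a re-run could never find the entry it had installed.
# Arguments: $1 - keystore path, $2 - alias, $3 - certificate file
_replaceInKeystore() {
  local keystore=$1
  local certificateAlias=$2
  local certificateFile=$3
  # 'changeit' is the JDK's default cacerts password, not a secret; adjust if
  # the keystore password was changed.
  local storepass=changeit

  # keytool -delete fails on a missing alias, which would abort the script on
  # the very first run; only delete when the alias actually exists.
  if sudo keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$certificateAlias" >/dev/null 2>&1; then
    echo "Deleting cert $certificateAlias from $keystore (sudo password required)..."
    sudo keytool -delete -keystore "$keystore" -storepass "$storepass" -noprompt \
      -alias "$certificateAlias" || return 1
  fi
  echo "Adding cert $certificateAlias to $keystore (sudo password required)..."
  sudo keytool -import -trustcacerts -keystore "$keystore" -storepass "$storepass" -noprompt \
    -alias "$certificateAlias" -file "$certificateFile" || return 1
}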
# loop through the certificates map and call installCertificate for each entry
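# Iterate the alias -> URL map.  Both expansions are quoted so an alias or URL
# containing whitespace cannot be split into extra arguments.
for alias in "${!certificates[@]}"; do
  installCertificate "$alias" "${certificates[$alias]}"
done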
@elyscape


elyscape commented Aug 9, 2016

It would be nice if there were a way to check if the certificate had changed before replacing it in the keystore.

@codingtony


codingtony commented Aug 29, 2016

If the alias does not already exist in the keystore, `keytool -delete` fails — and because the script runs under `set -e`, that failure aborts the whole run before the import ever happens.

@elyscape


elyscape commented Sep 1, 2016

@codingtony Right, but if the script has been run already then it'll remove the cert from the keystore and then add it back. It would be nice to only remove it if the cert had actually changed.
