@pcstout
Created November 21, 2019 16:07
AWS EC2 Linux Script for Importing Certificates Into Your Trust Store
#!/bin/bash
#
# A working version of: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html#UsingWithRDS.SSL-certificate-rotation-sample-script
#
# Downloads the combined RDS CA bundle, splits it into individual certificates,
# imports each one into a Java trust store and then lists the expiry dates.
set -e
mydir=/tmp/certs
mkdir -p "${mydir}"
truststore=${mydir}/rds-truststore.jks
storepassword=changeit
curl -sS "https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem" > "${mydir}/rds-combined-ca-bundle.pem"
# Split the bundle into one file per certificate (rds-ca-00, rds-ca-01, ...) in the current directory.
csplit "${mydir}/rds-combined-ca-bundle.pem" "/-----BEGIN CERTIFICATE-----/" '{*}' --prefix rds-ca- -z
for CERT in rds-ca-*; do
  # Use the certificate's subject CN as the trust store alias.
  # "CN\s*=\s*" matches both "CN=..." (older openssl) and "CN = ..." (1.1.0+) output.
  alias=$(openssl x509 -noout -text -in "${CERT}" | perl -ne 'next unless /Subject:/; s/.*CN\s*=\s*//; print')
  echo "Importing ${alias}"
  keytool -import -file "${CERT}" -alias "${alias}" -storepass "${storepassword}" -keystore "${truststore}" -noprompt
  rm "${CERT}"
done
rm "${mydir}/rds-combined-ca-bundle.pem"
echo "Trust store content is: "
# "Alias name: <alias>" -> take everything from the third field on, then look up each entry's validity.
keytool -list -v -keystore "${truststore}" -storepass "${storepassword}" | grep Alias | cut -d " " -f3- | while read -r alias
do
  expiry=$(keytool -list -v -keystore "${truststore}" -storepass "${storepassword}" -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')
  echo " Certificate ${alias} expires in '${expiry}'"
done
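The expiry listing at the end of the script is the check worth automating around a CA rotation: flag any certificate in the bundle that expires within a given window. The following added example (not part of the gist) does the bundle split and the notAfter check in Python with a minimal DER walk, so it needs neither openssl nor keytool; the sample bundle, its dates and the reference date are constructed for the demonstration and are not real RDS certificates.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_bundle(pem_text):
    """Return the DER bytes of every certificate in a combined PEM bundle (the csplit step)."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def _tlv(buf, pos):
    """Decode one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count of the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as an aware UTC datetime."""
    _, cert, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                 # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                # [0] EXPLICIT version, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)            # serialNumber
    _, _, pos = _tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                # issuer Name
    _, validity, _ = _tlv(tbs, pos)           # validity SEQUENCE { notBefore, notAfter }
    _, _, pos = _tlv(validity, 0)             # notBefore (skipped)
    tag, value, _ = _tlv(validity, pos)       # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expiring(pem_text, now, within_days=90):
    """ISO dates of bundle certificates that expire within within_days of now (aware datetime)."""
    return [na.date().isoformat() for na in map(not_after, split_bundle(pem_text))
            if (na - now).days < within_days]

# --- constructed sample input: unsigned DER skeletons with only the fields the walker reads ---
def _der(tag, content):
    return bytes([tag, len(content)]) + content    # short-form length suffices for these sizes

def _fake_cert(not_after_utctime):
    validity = _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, not_after_utctime))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity)
    return _der(0x30, tbs)

def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode("ascii") + "\n-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = _pem(_fake_cert(b"200305000000Z")) + _pem(_fake_cert(b"240305000000Z"))
SAMPLE_NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)   # fixed reference date for a repeatable check
```

Point `split_bundle` at the downloaded rds-combined-ca-bundle.pem and pass `datetime.now(timezone.utc)` as `now` to run it against the real bundle.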