
@shareefhiasat
Forked from steini/import-rds-certs.sh
Last active March 6, 2023 19:21
import RDS certificates to java keystore on alpine / osx
#!/usr/bin/env sh
# Import the Amazon RDS CA bundle into the Java truststore on Alpine / macOS.
# Make the file executable (chmod +x) before running it. The JDK's cacerts file
# is normally owned by root, so sudo may be needed; be careful with sudo.
# $JAVA_HOME must be set correctly, or point CACERTS_FILE at the keystore directly.
# csplit is not part of BusyBox; on Alpine install it with: apk add coreutils
set -eu
OLDDIR="$PWD"
if [ -z "${CACERTS_FILE:-}" ]; then
    # JDK 8 keeps cacerts under jre/lib/security (e.g. /usr/lib/jvm/default-java/jre/lib/security/cacerts);
    # JDK 9 and later moved it to lib/security
    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
        CACERTS_FILE="$JAVA_HOME/jre/lib/security/cacerts"
    else
        CACERTS_FILE="$JAVA_HOME/lib/security/cacerts"
    fi
fi
# a private temp dir instead of the predictable /tmp/rds-ca, which any local user could pre-create
WORKDIR=$(mktemp -d)
cd "$WORKDIR"
echo "Downloading RDS certificates..."
# -f makes curl fail on an HTTP error instead of saving the error page as the bundle
curl -fsS -o rds-combined-ca-bundle.pem https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
# one file per certificate: "{*}" repeats the pattern for every match, so every
# certificate, including the last one, ends up in its own file. xx00 holds whatever
# precedes the first certificate (possibly nothing) and is not a certificate, so drop it.
csplit -sk rds-combined-ca-bundle.pem "/-BEGIN CERTIFICATE-/" "{*}"
rm -f xx00
for CERT in xx*; do
    # alias = the subject CN; OpenSSL 1.1+ prints "CN = ..." with spaces, so allow both forms
    ALIAS=$(openssl x509 -noout -subject -in "$CERT" | sed 's/.*CN *= *//')
    echo "importing $ALIAS"
    # import the cert into the Java truststore (default store password "changeit")
    keytool -import \
        -keystore "$CACERTS_FILE" \
        -storepass changeit -noprompt \
        -alias "$ALIAS" -file "$CERT"
done
cd "$OLDDIR"
rm -r "$WORKDIR"
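The same procedure without csplit or perl, as an added example that is not part of the gist: a POSIX awk splitter writes each BEGIN/END CERTIFICATE block of the bundle to its own file (so it runs on Alpine's BusyBox, which has no csplit), a sed one-liner extracts the CN in both the old "/CN=name" and the OpenSSL 1.1+ "CN = name" subject layouts, and the import step checks each alias is really in the keystore afterwards. The function names, the cert-NN.pem naming, the --import flag and the two-certificate sample bundle (placeholder base64, not real certificates) are this example's own assumptions; openssl and keytool are needed only by import_pem_dir.

```shell
#!/usr/bin/env sh
# Added example (not code from the gist above): split a PEM CA bundle and import each
# certificate into a Java truststore with only POSIX sh, awk, sed, openssl and keytool.
# The function names, cert-NN.pem naming and sample bundle are this example's own.
set -eu

# Copy each BEGIN/END CERTIFICATE block of bundle $1 into $2/cert-NN.pem and print the
# count. Text outside the markers (comments, blank lines) is dropped, so there is no
# empty "xx00"-style leftover to trip up openssl or keytool.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inblock = 1 }
        inblock                       { print > f }
        /-----END CERTIFICATE-----/   { inblock = 0; close(f) }
        END                           { print n + 0 }
    ' "$bundle"
}

# Reduce an "openssl x509 -noout -subject" line to its CN. Handles both the old
# "/C=US/.../CN=name" and the OpenSSL 1.1+ "C = US, ..., CN = name" layouts.
cn_from_subject() {
    printf '%s\n' "$1" | sed 's/.*CN *= *//'
}

# Import every cert-*.pem in $1 into keystore $2 (store password $3), aliased by CN.
# Skips aliases already present (keytool refuses duplicates) and verifies each import.
import_pem_dir() {
    dir=$1; keystore=$2; storepass=$3
    for cert in "$dir"/cert-*.pem; do
        alias=$(cn_from_subject "$(openssl x509 -noout -subject -in "$cert")")
        if keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1; then
            echo "already present: $alias"
            continue
        fi
        keytool -importcert -noprompt -keystore "$keystore" -storepass "$storepass" \
            -alias "$alias" -file "$cert"
        # -list exits non-zero if the alias is missing, so a silent failure aborts the script
        keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$alias" >/dev/null
        echo "imported: $alias"
    done
}

# Constructed two-certificate bundle for exercising the splitter offline. The base64
# bodies are placeholders, not real certificates, so this file must not be imported.
write_sample_bundle() {
    cat > "$1" <<'EOF'
# header comment: csplit would have put this into xx00
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQg==
-----END CERTIFICATE-----
EOF
}

# usage: sh split-and-import.sh --import rds-combined-ca-bundle.pem "$JAVA_HOME/lib/security/cacerts" changeit
if [ "${1:-}" = "--import" ]; then
    workdir=$(mktemp -d)
    count=$(split_pem_bundle "$2" "$workdir")
    echo "bundle contains $count certificate(s)"
    import_pem_dir "$workdir" "$3" "${4:-changeit}"
    rm -r "$workdir"
fi
```

Because the awk program only copies lines between the markers, a bundle that begins with comments or blank lines produces no stray file, and the count it prints can be compared against the number of aliases keytool reports after the run.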
@reflog
reflog commented Jan 2, 2018

Thanks, this was crazy helpful! Couldn't figure out why my code couldn't connect to RDS and your approach fixed it!

@JasonLunn
👍

@privatejava
privatejava commented Oct 24, 2018

you are awesome!! 👍 👍 👍
Made my day 🍻

ghost commented Dec 19, 2018

Just a heads up, in case anyone else runs into this, the process is slightly different for OpenJDK11, at least on the OpenJDK11 docker image:

https://gist.github.com/putneyj/1f666d9a01505fed678a672d0635713f

@sd65
sd65 commented Mar 21, 2019

Thanks for this! I simplified the code using this csplit pattern option:
{*} repeat the previous pattern as many times as possible

So this line becomes:
csplit -sk rds-combined-ca-bundle.pem "/-BEGIN CERTIFICATE-/" "{*}"
I find it more readable.

@swapnilgangrade01
Hello,
I am using the openjdk:8-jdk-alpine image for the build. How do I install csplit in it?
