InstallCerts

InstallCerts is a simple CLI tool that creates a PKCS12 trustStore by retrieving a server's TLS certificates. You can achieve the same with OpenSSL and the Java keytool commands, but InstallCerts makes it fully automated with a single command.
Binary

After download, make sure to set the execute permission (`chmod +x installcerts`). Windows users can run the executable jar.

Source

```bash
$ git clone https://github.com/sureshg/InstallCerts
$ cd InstallCerts
$ ./gradlew -q
```

The binary would be located at `build/libs/installcerts`. In order to build a new version, change `appVersion` in the gradle.properties or pass it to `./gradlew -PappVersion=1.1.2`.

Github Release

In order to publish the binary to Github, generate a Github access token and run:

```bash
$ export GITHUB_TOKEN=<token>
$ git clone https://github.com/sureshg/InstallCerts
$ cd InstallCerts
$ ./gradlew githubRelease -q
```
```
$ installcerts -h

NAME
        installcerts - Creates PKCS12 TrustStore by retrieving server
        certificates

SYNOPSIS
        installcerts [(-a | --all)] [(-d | --debug)] [(-h | --help)]
                [(-p <storePasswd> | --passwd <storePasswd>)]
                [(-t <timeout> | --timeout <timeout>)] [(-v | --verbose)]
                [(-V | --version)] [(-x | --no-jdk-cacerts)] [--] <host>[:port]

OPTIONS
        -a, --all
            Show all certs and exits

        -d, --debug
            Enable TLS debug tracing

        -h, --help
            Display help information

        -p <storePasswd>, --passwd <storePasswd>
            Trust store password. Default is 'changeit'

        -t <timeout>, --timeout <timeout>
            TLS connect and read timeout (ms). Default is 5000 millis

        -v, --verbose
            Verbose mode

        -V, --version
            Show version

        -x, --no-jdk-cacerts
            Don't include JDK CA certs in trust store

        --
            This option can be used to separate command-line options from the
            list of argument, (useful when arguments might be mistaken for
            command-line options

        <host>[:port]
            Server URL. Default port is 443
```
To list all TLS certificates (`-a`)

```
$ installcerts google.com -a

Loading default ca truststore...
Opening connection to google.com:443...
Starting SSL handshake...

1) Subject - CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
   Issuer  : CN=Google Internet Authority G2, O=Google Inc, C=US
   SHA1    : 5A B6 93 22 33 B7 58 4F D2 BA 42 FE 94 53 65 79 19 E9 7B BC
   MD5     : 16 1F 54 D8 3A E9 33 78 DE 68 72 4C 80 5C 98 C4
   SAN     : *.google.com *.android.com *.appengine.google.com *.cloud.google.com
             *.gcp.gvt2.com *.google-analytics.com *.googleadapis.com *.googleapis.cn
             *.url.google.com *.youtube-nocookie.com *.youtube.com *.youtubeeducation.com
             *.ytimg.com android.clients.google.com android.com developer.android.google.cn
             developers.android.google.cn g.co goo.gl google-analytics.com google.com
             googlecommerce.com source.android.google.cn urchin.com www.goo.gl youtu.be
             youtube.com youtubeeducation.com
   Expiry  : Fri Jul 14 01:25:00 PDT 2017

2) Subject - CN=Google Internet Authority G2, O=Google Inc, C=US
   Issuer  : CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
   SHA1    : D6 AD 07 C6 67 56 30 F5 7B 92 7F 66 BE 8C E1 F7 68 F8 79 48
   MD5     : C5 6F 1A 63 B8 17 B7 31 89 34 C0 6E C5 AB B5 B3
   SAN     :
   Expiry  : Sun Dec 31 15:59:59 PST 2017

3) Subject - CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
   Issuer  : OU=Equifax Secure Certificate Authority, O=Equifax, C=US
   SHA1    : 73 59 75 5C 6D F9 A0 AB C3 06 0B CE 36 95 64 C8 EC 45 42 A3
   MD5     : 2E 7D B2 A3 1D 0E 3D A4 B2 5F 49 B9 54 2A 2E 1A
   SAN     :
   Expiry  : Mon Aug 20 21:00:00 PDT 2018

SSL-Session:
   Protocol    : TLSv1.2
   CipherSuite : TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
   Session-ID  : 68 3E AD 92 27 59 F6 C2 C5 BF 10 58 04 BF AC 6C 06 DF E9 74 05 A5 39 D2 0E 1F 97 4B 4F 03 81 64
   Timeout     : 86400
   Create Time : Mon Apr 24 11:10:04 PDT 2017
   Access Time : Mon Apr 24 11:10:04 PDT 2017
   Values      :
```
To create a PKCS12 file

```
$ installcerts https://self-signed.badssl.com

Loading default ca truststore...
Opening connection to self-signed.badssl.com:443...
Starting SSL handshake...
Server sent 1 certificate(s)...

1) Adding certificate to keystore using alias self-signed.badssl.com-1...
   Subject - CN=*.badssl.com, O=BadSSL, L=San Francisco, ST=California, C=US
   Issuer  : CN=*.badssl.com, O=BadSSL, L=San Francisco, ST=California, C=US
   SHA1    : 64 14 50 D9 4A 65 FA EB 3B 63 10 28 D8 E8 6C 95 43 1D B8 11
   MD5     : 46 10 F4 1F 93 A3 EE 58 E0 CC 69 BE 1C 71 E0 C0
   SAN     : *.badssl.com badssl.com
   Expiry  : Wed Aug 08 14:17:05 PDT 2018

Starting SSL handshake...
Certificate is trusted.
Saving the trustore...

🍺 PKCS12 truststore saved to /Users/suresh/installcerts/self-signed_badssl_com.p12

To lists entries in the keystore, run
keytool -list -keystore self-signed_badssl_com.p12 --storetype pkcs12
```
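The mechanism behind the run above, as an added Java example that is not the project's own code: a handshake driven by an `X509TrustManager` that records the chain the server presents instead of validating it, after which the captured certificates are stored as trusted entries in a PKCS12 file. The host, port, timeout, password and `<host>-<n>` alias scheme are assumed to mirror the CLI defaults shown on this page.

```java
import java.io.FileOutputStream;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

public class CaptureChain {
    /** Records whatever chain the server presents; it deliberately validates nothing. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] chain;
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
            throw new CertificateException("client certificates are not handled here");
        }
        public void checkServerTrusted(X509Certificate[] c, String a) { chain = c; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Assumed defaults mirror the CLI: port 443, 5000 ms timeout, password 'changeit'.
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "self-signed.badssl.com";
        int port = 443, timeoutMs = 5000;
        char[] passwd = "changeit".toCharArray();

        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            sock.connect(new InetSocketAddress(host, port), timeoutMs);
            sock.setSoTimeout(timeoutMs);
            SSLParameters p = sock.getSSLParameters();   // send SNI explicitly so a virtual
            p.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            sock.setSSLParameters(p);                    // host answers with the right cert
            sock.startHandshake();
        }
        if (tm.chain == null) throw new IllegalStateException("server sent no certificate");

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                             // empty store: no JDK cacerts (-x)
        for (int i = 0; i < tm.chain.length; i++) {
            ks.setCertificateEntry(host + "-" + (i + 1), tm.chain[i]);   // alias <host>-<n>
        }
        String file = host.replace('.', '_') + ".p12";
        try (FileOutputStream out = new FileOutputStream(file)) {
            ks.store(out, passwd);
        }
        System.out.println("PKCS12 truststore saved to " + file);
    }
}
```

Because nothing is validated during capture, the store is only as trustworthy as the connection it was taken from: compare the fingerprint the tool prints with one obtained out of band before shipping the file.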
Debug TLS Session (`-d`)

```
$ installcerts https://rsa2048.badssl.com/ -a -d

➤ Enabling TLS debug tracing...
Loading default ca truststore...
Opening connection to rsa2048.badssl.com:443...
adding as trusted cert:
  Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0xc3517
  Valid from Sun Jun 20 21:00:00 PDT 1999 until Sun Jun 21 21:00:00 PDT 2020
...
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,...
Extension server_name, server_name: [type=host_name (0), value=rsa2048.badssl.com]
***
[write] MD5 and SHA1 hashes:  len = 194
0000: 01 00 00 BE 03 03 58 FE   41 39 72 B5 AA 3D F4 04  ......X.A9r..=..
0010: 9E 4B E2 C4 C3 D0 44 2E   6C A7 19 67 58 01 AC D0  .K....D.l..gX...
0020: 40 C3 D8 6A B7 AD 00 00   3A C0 23 C0 27 00 3C C0  @..j....:.#.'.<.
0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
0040: 0E 00 33 00 32 C0 2B C0   2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.
...
main, SEND TLSv1.2 ALERT:  warning, description = close_notify
Padded plaintext before ENCRYPTION:  len = 2
0000: 01 00                                              ..
main, WRITE: TLSv1.2 Alert, length = 26
[Raw write]: length = 31
0000: 15 03 03 00 1A 00 00 00   00 00 00 00 01 18 B9 59  ...............Y
0010: 96 9B 04 93 CB 8A 4C EC   D8 B1 9B 0C 43 76 E3     ......L.....Cv.
main, called closeSocket(true)
...
```
Some useful keytool commands

```bash
# List all certificates from the pkcs12 truststore.
$ keytool -list -keystore self-signed_badssl_com.p12 --storetype pkcs12
Enter keystore password: changeit

# Extract certificate from pkcs12 truststore.
$ keytool -exportcert -alias [host]-1 -keystore self-signed_badssl_com.p12 -storepass changeit -file [host].cer

# Import certificate into system keystore
$ keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer
```
Got the original idea from this Oracle blog post.

Requires Java 8 or later.