Compare Java Certificate Stores – cacerts

Problem

You want to compare two cacerts Java certificate stores.

For example, comparing a development server against production, to make sure both have the same certificates stored in cacerts (the trust store used by Java, among other things).



Solution

This can come in very handy if you need to compare two different projects or environments. See the example.



Example


Code to generate a list of certs, along with their alias, entry type, owner and valid-from date.

Start in the directory where your cacerts file resides.


../../../bin/keytool -list -v -keystore cacerts -storepass changeit | gawk ' {
# every entry begins with "Alias name:"; print the previous entry before starting a new one
if(/Alias name/) {
if(alias != "") { printf("%s: [%s] %s [from: %s]\n",alias,entry,owner,valid); }
alias=$NF;
}
if(/Entry type/) { entry=$NF; }
# "Owner: CN=..., OU=..." - keep the first two words of the DN
if(/Owner/) { owner=$2" "$3; }
# "Valid from: Mon Jan 01 00:00:00 GMT 2020 until: ..." -> day/month/year
if(/Valid/) { valid=$5"/"$4"/"$8; }
} END { printf("%s: [%s] %s [from: %s]\n",alias,entry,owner,valid); }
' | sort

You may need to use nawk instead of gawk on Solaris, etc.

Dump this out into a file for each env, then run diff with something like this:


diff -s dump.cob dump.dev | egrep -v -- "^([0-9]|--)" | sort | grep -vn xxx
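The same comparison done on the parsed keytool output rather than on text dumps, as an added example (not the original post's code): it keeps the alias, entry type, owner and validity like the awk one-liner, and also the SHA256 fingerprint, so a store where an alias and owner match but the certificate itself was replaced still shows up. The listings are constructed samples in the layout keytool -list -v prints, not real certificates.

```python
def parse_keytool_listing(text):
    """Parse `keytool -list -v` output into {alias: fields}, keeping the SHA256 fingerprint too."""
    certs, alias = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Alias name":
            alias = value
            certs[alias] = {}
        elif alias is None:
            continue  # header lines before the first entry
        elif key == "Entry type":
            certs[alias]["entry"] = value
        elif key == "Owner":
            certs[alias]["owner"] = value
        elif key == "Valid from":  # "Valid from: <date> until: <date>" on one line
            certs[alias]["valid_from"], _, certs[alias]["valid_until"] = value.partition(" until: ")
        elif key == "SHA256":
            certs[alias]["sha256"] = value
    return certs

def compare_stores(a, b):
    """Aliases only in a, only in b, and shared aliases whose SHA256 fingerprint differs."""
    shared = set(a) & set(b)
    return (sorted(set(a) - set(b)),
            sorted(set(b) - set(a)),
            sorted(k for k in shared if a[k].get("sha256") != b[k].get("sha256")))

# Constructed sample listings in the layout keytool -list -v prints (not real certificates).
DEV_LISTING = """\
Keystore type: JKS
Your keystore contains 2 entries

Alias name: corp-root
Creation date: Jan 1, 2020
Entry type: trustedCertEntry
Owner: CN=Corp Root CA, O=Example Corp, C=US
Issuer: CN=Corp Root CA, O=Example Corp, C=US
Valid from: Wed Jan 01 00:00:00 GMT 2020 until: Tue Jan 01 00:00:00 GMT 2030
Certificate fingerprints:
     SHA256: AA:AA:AA:AA

Alias name: dev-only-ca
Entry type: trustedCertEntry
Owner: CN=Dev Test CA, O=Example Corp, C=US
Valid from: Wed Jan 01 00:00:00 GMT 2020 until: Thu Jan 01 00:00:00 GMT 2026
     SHA256: BB:BB:BB:BB
"""
# Prod (constructed): same corp-root alias and owner but a different certificate, and no dev-only CA.
PROD_LISTING = DEV_LISTING.replace("AA:AA:AA:AA", "CC:CC:CC:CC").replace("dev-only-ca", "prod-only-ca")
```

compare_stores(parse_keytool_listing(DEV_LISTING), parse_keytool_listing(PROD_LISTING)) reports dev-only-ca as missing from prod, prod-only-ca as missing from dev, and corp-root as present in both with a different fingerprint.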


