From b9ac97051f047abd227a4b529dd8ba56eb64fe11 Mon Sep 17 00:00:00 2001
From: Jan Andre Ikenmeyer
Date: Sat, 24 Nov 2018 17:42:51 +0100
Subject: [PATCH] Alternative CA database generator
---
etc/cert_generator.sh | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100755 etc/cert_generator.sh
diff --git a/etc/cert_generator.sh b/etc/cert_generator.sh
new file mode 100755
index 000000000000..7fda11c1478c
--- /dev/null
+++ b/etc/cert_generator.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# https://wiki.mozilla.org/CA/Included_Certificates
+# 1. Mozilla's official CA database CSV file is downloaded with curl
+# and processed with awk.
+# 2. Rows end with `"\n`.
+# 3. Each row is split by ^" and "," into columns.
+# 4. Single and double quotes are removed from column 30.
+# 5. If column 13 (12 in the csv file) contains `Websites`
+# (some are Email-only), column 30 is printed, the raw certificate.
+# 6. All CA certs trusted for Websites are stored into the `certs` file.
+
+domain="ccadb-public.secure.force.com";
+curl "https://${domain}/mozilla/IncludedCACertificateReportPEMCSV" -sSf | \
+gawk -v RS="\"\n" -F'","|^"' \
+'{gsub("\047","",$(30));gsub("\"","",$(30));if($(13)~/Websites/)print $(30)}' \
+> certs
+
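Review bot: The final `> certs` redirect truncates the existing trust store before curl has returned anything, so a failed or interrupted download leaves `certs` empty or partial even though `errexit` and `pipefail` make the script exit non-zero. The output is also never checked: the gawk program selects by fixed positions (`$(13)`, `$(30)`), so if the upstream CSV gains or reorders a column the script would still succeed while writing nothing or the wrong field. I would write to a temporary file in the same directory, verify that at least one certificate was extracted, and only then rename it over `certs`. The check below assumes the PEM column carries the usual `-----BEGIN CERTIFICATE-----` armor, which the report name suggests but the hunk does not show. Adding `--proto '=https'` to the curl call would also keep a redirect from downgrading the fetch.

```shell
# … unchanged: shebang, license header, set -o options, explanatory comment, domain= …
tmp="$(mktemp certs.XXXXXX)"
trap 'rm -f -- "${tmp}"' EXIT
# … unchanged: curl | gawk pipeline, with its final redirect changed to: > "${tmp}" …
grep -q -e '-----BEGIN CERTIFICATE-----' "${tmp}" || { echo "cert_generator: no certificates extracted" >&2; exit 1; }
mv -- "${tmp}" certs
```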