Skip to content
🏺Create a PKCS12 TrustStore by retrieving server certificates.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
buildSrc
docs Doc fixes Jun 23, 2017
gradle Kotlin 1.1.3 upgrade Jun 23, 2017
src/main/kotlin/io/github/sureshg New project group id for OSSRH hosting. Oct 19, 2017
.gitignore
.travis.yml
CHANGELOG.md
README.md
build.gradle.kts New project group id for OSSRH hosting. Oct 19, 2017
gradle.properties
gradlew
gradlew.bat
settings.gradle

README.md

🏺 Install Certs version build api-doc

InstallCerts is a simple cli tool to create PKCS12 trustStore by retrieving server's TLS certificates. You can achieve the same using OpenSSL and java Keytool commands, but InstallCerts makes it fully automated using a single command.

Download

  • Binary

    Download (v1.1.2)

    After download, make sure to set the execute permission (chmod +x installcerts). Windows users can run the executable jar.

  • Source

     $ git clone https://github.com/sureshg/InstallCerts
     $ cd InstallCerts
     $ ./gradlew -q

    The binary would be located at build/libs/installcerts

    Inorder to build a new version, change appVersion in the gradle.properties or pass it to ./gradlew -PappVersion=1.1.2

  • Github Release

    In order to publish the binary to Github, generate Github Access token

     $ export GITHUB_TOKEN=<token>
     $ git clone https://github.com/sureshg/InstallCerts
     $ cd InstallCerts
     $ ./gradlew githubRelease -q

Usage

$ installcerts -h
NAME
        installcerts - Creates PKCS12 TrustStore by retrieving server
        certificates

SYNOPSIS
        installcerts [(-a | --all)] [(-d | --debug)] [(-h | --help)]
                [(-p <storePasswd> | --passwd <storePasswd>)]
                [(-t <timeout> | --timeout <timeout>)] [(-v | --verbose)]
                [(-V | --version)] [(-x | --no-jdk-cacerts)] [--] <host>[:port]

OPTIONS
        -a, --all
            Show all certs and exits

        -d, --debug
            Enable TLS debug tracing

        -h, --help
            Display help information

        -p <storePasswd>, --passwd <storePasswd>
            Trust store password. Default is 'changeit'

        -t <timeout>, --timeout <timeout>
            TLS connect and read timeout (ms). Default is 5000 millis

        -v, --verbose
            Verbose mode

        -V, --version
            Show version

        -x, --no-jdk-cacerts
            Don't include JDK CA certs in trust store

        --
            This option can be used to separate command-line options from the
            list of argument, (useful when arguments might be mistaken for
            command-line options

        <host>[:port]
            Server URL. Default port is 443

Examples

  • To list all TLS certificates (-a)

    $ installcerts google.com -a
    
      Loading default ca truststore...
      Opening connection to google.com:443...
      
      Starting SSL handshake...
      
      1) Subject - CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
        Issuer : CN=Google Internet Authority G2, O=Google Inc, C=US
        SHA1   : 5A B6 93 22 33 B7 58 4F D2 BA 42 FE 94 53 65 79 19 E9 7B BC
        MD5    : 16 1F 54 D8 3A E9 33 78 DE 68 72 4C 80 5C 98 C4
        SAN    : *.google.com
                 *.android.com
                 *.appengine.google.com
                 *.cloud.google.com
                 *.gcp.gvt2.com
                 *.google-analytics.com
                 *.googleadapis.com
                 *.googleapis.cn
                 *.url.google.com
                 *.youtube-nocookie.com
                 *.youtube.com
                 *.youtubeeducation.com
                 *.ytimg.com
                 android.clients.google.com
                 android.com
                 developer.android.google.cn
                 developers.android.google.cn
                 g.co
                 goo.gl
                 google-analytics.com
                 google.com
                 googlecommerce.com
                 source.android.google.cn
                 urchin.com
                 www.goo.gl
                 youtu.be
                 youtube.com
                 youtubeeducation.com
        Expiry : Fri Jul 14 01:25:00 PDT 2017
      
      2) Subject - CN=Google Internet Authority G2, O=Google Inc, C=US
        Issuer : CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
        SHA1   : D6 AD 07 C6 67 56 30 F5 7B 92 7F 66 BE 8C E1 F7 68 F8 79 48
        MD5    : C5 6F 1A 63 B8 17 B7 31 89 34 C0 6E C5 AB B5 B3
        SAN    :
        Expiry : Sun Dec 31 15:59:59 PST 2017
      
      3) Subject - CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
        Issuer : OU=Equifax Secure Certificate Authority, O=Equifax, C=US
        SHA1   : 73 59 75 5C 6D F9 A0 AB C3 06 0B CE 36 95 64 C8 EC 45 42 A3
        MD5    : 2E 7D B2 A3 1D 0E 3D A4 B2 5F 49 B9 54 2A 2E 1A
        SAN    :
        Expiry : Mon Aug 20 21:00:00 PDT 2018
      
      SSL-Session:
        Protocol    : TLSv1.2
        CipherSuite : TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        Session-ID  : 68 3E AD 92 27 59 F6 C2 C5 BF 10 58 04 BF AC 6C 06 DF E9 74 05 A5 39 D2 0E 1F 97 4B 4F 03 81 64
        Timeout     : 86400
        Create Time : Mon Apr 24 11:10:04 PDT 2017
        Access Time : Mon Apr 24 11:10:04 PDT 2017
        Values      :
    
  • To create PKCS12 file

        $ installcerts https://self-signed.badssl.com
    
          Loading default ca truststore...
          Opening connection to self-signed.badssl.com:443...
          
          Starting SSL handshake...
          Server sent 1 certificate(s)...
          
          1) Adding certificate to keystore using alias self-signed.badssl.com-1...
          Subject - CN=*.badssl.com, O=BadSSL, L=San Francisco, ST=California, C=US
            Issuer : CN=*.badssl.com, O=BadSSL, L=San Francisco, ST=California, C=US
            SHA1   : 64 14 50 D9 4A 65 FA EB 3B 63 10 28 D8 E8 6C 95 43 1D B8 11
            MD5    : 46 10 F4 1F 93 A3 EE 58 E0 CC 69 BE 1C 71 E0 C0
            SAN    : *.badssl.com
                     badssl.com
            Expiry : Wed Aug 08 14:17:05 PDT 2018
          
          Starting SSL handshake...
          Certificate is trusted. Saving the trustore...
          
          🍺  PKCS12 truststore saved to /Users/suresh/installcerts/self-signed_badssl_com.p12  
      
          To lists entries in the keystore, run
          keytool -list -keystore self-signed_badssl_com.p12 --storetype pkcs12
  • Debug TLS Session (-d)

        $ installcerts https://rsa2048.badssl.com/ -a -d
    
          ➤ Enabling TLS debug tracing...
          Loading default ca truststore...
          Opening connection to rsa2048.badssl.com:443...
          adding as trusted cert:
            Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
            Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
            Algorithm: RSA; Serial number: 0xc3517
            Valid from Sun Jun 20 21:00:00 PDT 1999 until Sun Jun 21 21:00:00 PDT 2020
          ...
          Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,...
          Extension server_name, server_name: [type=host_name (0), value=rsa2048.badssl.com]
          ***
          [write] MD5 and SHA1 hashes:  len = 194
          0000: 01 00 00 BE 03 03 58 FE   41 39 72 B5 AA 3D F4 04  ......X.A9r..=..
          0010: 9E 4B E2 C4 C3 D0 44 2E   6C A7 19 67 58 01 AC D0  .K....D.l..gX...
          0020: 40 C3 D8 6A B7 AD 00 00   3A C0 23 C0 27 00 3C C0  @..j....:.#.'.<.
          0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
          0040: 0E 00 33 00 32 C0 2B C0   2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.
          ...
          
          main, SEND TLSv1.2 ALERT:  warning, description = close_notify
          Padded plaintext before ENCRYPTION:  len = 2
          0000: 01 00                                              ..
          main, WRITE: TLSv1.2 Alert, length = 26
          [Raw write]: length = 31
          0000: 15 03 03 00 1A 00 00 00   00 00 00 00 01 18 B9 59  ...............Y
          0010: 96 9B 04 93 CB 8A 4C EC   D8 B1 9B 0C 43 76 E3     ......L.....Cv.
          main, called closeSocket(true)
          ...
  • Some useful Keytool commands

    # List all certificates from the pkcs12 truststore.
    $ keytool -list -keystore self-signed_badssl_com.p12 --storetype pkcs12
      Enter keystore password: changeit
    
    # Extract certificate from pkcs12 truststore.
    $ keytool -exportcert -alias [host]-1 -keystore self-signed_badssl_com.p12 -storepass changeit -file [host].cer
    
    # Import certificate into system keystore
    $ keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer

Credits


**Require Java 8 or later

You can’t perform that action at this time.