Update-java-ca-certificates - Small utility to convert the system trust store to a system Java KeyStore

update-java-ca-certificates

This small utility creates a system-wide Java trust store from your Linux CA trust store.

Run this command after update-ca-certificates (8), so that the Java KeyStore stays in sync with the system trust store.

The issue that this tool is trying to solve is already solved by Arch Linux's update-ca-trust (8). Sadly, not all Linux distributions have solved the issue (yet), so this tool helps standardize the mess that's currently out there in terms of paths and ca-certificates locations.

Usage

Usage: update-java-ca-certificates [--debug] [--force] [--certificate-bundle CERTIFICATE-BUNDLE] [--password PASSWORD] FILE

Positional arguments:
  FILE

Options:
  --debug, -D
  --force, -f
  --certificate-bundle CERTIFICATE-BUNDLE, -c CERTIFICATE-BUNDLE [default: /etc/ssl/certs/ca-certificates.crt]
  --password PASSWORD, -p PASSWORD [default: changeit]
  --help, -h             display this help and exit

Example

update-java-ca-certificates -c /etc/ssl/certs/ca-certificates.crt /etc/ssl/java/cacerts

Result

keytool -list -keystore /etc/ssl/java/cacerts -storepass changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 137 entries

02ed0eb28c14da45165c566791700d6451d7fb56f0b2ab1d3b8eb070e56edff5, 6 Jan 2022, trustedCertEntry, 
Certificate fingerprint (SHA-256): 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
(...)
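To check that a generated keystore really is in sync with the bundle, the fingerprints in a `keytool -list` listing like the one above can be compared with the SHA-256 of each certificate in the PEM bundle. The Go program below is an added example, not part of this project's code; `missingFromKeystore` and `constructedCert` are hypothetical names, and the sample certificates are throwaway ones generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// missingFromKeystore lists, in bundle order, SHA-256 fingerprints of bundle certs absent from `keytool -list` output.
func missingFromKeystore(bundle []byte, listing string) []string {
	have := map[string]bool{}
	for _, line := range strings.Split(listing, "\n") {
		if _, fp, ok := strings.Cut(line, "fingerprint (SHA-256): "); ok {
			have[strings.ToLower(strings.ReplaceAll(strings.TrimSpace(fp), ":", ""))] = true
		}
	}
	var missing []string
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if _, err := x509.ParseCertificate(blk.Bytes); blk.Type != "CERTIFICATE" || err != nil {
			continue // keys, CRLs and malformed entries are not trust anchors
		}
		if fp := fmt.Sprintf("%x", sha256.Sum256(blk.Bytes)); !have[fp] {
			missing = append(missing, fp)
		}
	}
	return missing
}

// constructedCert builds a throwaway self-signed certificate (sample input only).
func constructedCert() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	bundle := append(constructedCert(), constructedCert()...)
	first := missingFromKeystore(bundle, "")[0] // empty keystore: both certificates are reported
	fmt.Println(missingFromKeystore(bundle, "Certificate fingerprint (SHA-256): "+strings.ToUpper(first)))
}
```

To audit a real keystore, pass the contents of the certificate bundle and the text printed by the `keytool -list` command shown above; an empty result means every bundle certificate is present.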

Building

Requirements

  • Golang (1.17+)
  • Make

Steps

make
./bin/update-java-ca-certificates -h

Paths

This tool assumes the directories are set up according to what update-ca-trust (8) uses.

/etc/ssl/certs

This directory should contain individual CA certificates trusted for TLS authentication usage. The format to be used is PEM (the BEGIN CERTIFICATE / END CERTIFICATE one).

If you are able to parse the certificate with:

openssl x509 -in /etc/ssl/certs/your-certificate.pem -noout -text

then you're good.

/etc/ssl/ca-certificates.crt

This file contains a bundle that is updated by update-ca-trust / update-ca-certificates.

/etc/ssl/java/cacerts

This file contains the trust anchors for Java. Its format is the Java Key Store (JKS).

Comments
  • Update modules and go version

    This fixes CVE-2022-29526 as reported by Trivy.

    I did this update for our internal fork, so I may just as well upstream it :)

    Thanks for this nifty little tool, btw! We are using this as init-containers with Kubernetes.

  • Corrupted cacerts created

    I ran the update script on the Ubuntu ca-certificates.crt and got an error when trying to parse the final cacerts it created:

    minijks_v1.0.0 inspect 
    
    unexpected certificate type at position 16; found "X509", expected "X.509"
    