Automatically reload / renew java cacerts in keystore

In our current project we have a Nexus server as artifact repository manager. The setup is not entirely finished, and one drawback is that its TLS certificate is only valid for 3 days.

The following script downloads the certificate served by Nexus and uses keytool to import it into the JDK cacerts keystore only when it differs from the previously imported one (re-using the same alias):

#!/bin/bash
# Fetch the certificate currently served by Nexus (-servername sends SNI so a
# virtual-hosted server returns the right certificate).
true | openssl s_client -connect nexus.mycompany.com:443 -servername nexus.mycompany.com 2>/dev/null | openssl x509 > ~/Downloads/nexus-crt.crt
# Stop if nothing was fetched, so an empty file never ends up in the keystore.
[ -s ~/Downloads/nexus-crt.crt ] || { echo "Could not fetch Nexus certificate" >&2; exit 1; }
# Re-import when the served certificate differs from the last imported copy, or
# when no copy exists yet (first run): diff -q exits non-zero in both cases.
if ! diff -q ~/Downloads/nexus-crt.crt ~/Downloads/nexus.mycompany.com.crt >/dev/null 2>&1
then
   echo "Reloading Nexus certificate"
   cp ~/Downloads/nexus-crt.crt ~/Downloads/nexus.mycompany.com.crt
   cd ~/.sdkman/candidates/java/current/bin
   # -delete fails while the alias is not in cacerts yet; ignore that on the first import.
   ./keytool -delete -alias nexus-crt -cacerts -storepass changeit 2>/dev/null || true
   ./keytool -importcert -noprompt -trustcacerts -cacerts -alias "nexus-crt" -file ~/Downloads/nexus.mycompany.com.crt -storepass changeit
   cd -
fi

If you want to display the certificate's end date:

echo "cert enddate: $(openssl x509 -in ~/Downloads/nexus-crt.crt -noout -enddate | sed 's/[^ ]*=//')"
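As an added example (not code from the original post), the following helpers cover both the renewal script above and the end-date check: they compare certificates by SHA-256 fingerprint instead of raw PEM text, treat a missing baseline file as "changed" so the first run imports, refuse to touch the keystore when nothing was fetched, and warn when the served certificate is about to expire. The host name, the nexus-crt alias and the ~/Downloads paths are taken from the post; keytool on PATH and the 24-hour warning window are assumptions.

```shell
#!/bin/bash
# Added example: certificate renewal helpers for the JDK cacerts keystore.
# Assumes `keytool` is on PATH; host, alias and paths are from the post above.

# Fetch the leaf certificate presented by HOST:PORT into FILE (PEM).
# -servername sends SNI so a virtual-hosted server returns the right certificate.
fetch_cert() {
    host=$1; port=$2; file=$3
    true | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -outform PEM > "$file"
}

# Print the SHA-256 fingerprint of a PEM certificate (empty if unreadable).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Exit 0 (true) when NEW differs from BASELINE or BASELINE is missing/unreadable.
# Exit 2 when NEW itself is unreadable, so a failed fetch never triggers an import.
cert_changed() {
    new_fp=$(cert_fingerprint "$1")
    [ -n "$new_fp" ] || return 2
    old_fp=$(cert_fingerprint "$2")
    [ "$new_fp" != "$old_fp" ]
}

# Exit 0 (true) when the certificate in FILE expires within DAYS days.
# `openssl x509 -checkend` exits 0 only when the certificate is still valid
# after the given number of seconds, so the result is negated.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Replace the cacerts entry under ALIAS with the certificate in FILE.
import_cert() {
    alias=$1; file=$2
    keytool -delete -alias "$alias" -cacerts -storepass changeit >/dev/null 2>&1 || true
    keytool -importcert -noprompt -trustcacerts -cacerts -alias "$alias" \
        -file "$file" -storepass changeit
}

# Driver: fetch, compare, import if needed, and warn about imminent expiry.
renew_nexus_cert() {
    host=nexus.mycompany.com
    new=$HOME/Downloads/nexus-crt.crt
    baseline=$HOME/Downloads/$host.crt
    fetch_cert "$host" 443 "$new"
    if cert_changed "$new" "$baseline"; then
        echo "Reloading Nexus certificate, fingerprint $(cert_fingerprint "$new")"
        import_cert nexus-crt "$new" && cp "$new" "$baseline"
    fi
    if cert_expires_within "$new" 1; then
        echo "WARNING: $host certificate expires within 24h" >&2
    fi
}

# Run as `./renew-nexus-cert.sh renew`; sourcing the file only defines the functions.
case "${1:-}" in
    renew) renew_nexus_cert ;;
esac
```

Comparing fingerprints rather than file contents means a re-download with different line endings or PEM formatting does not cause a needless keystore rewrite, and the separate exit code for "nothing fetched" keeps a network hiccup from deleting the existing alias.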
