{"id":18322449,"url":"https://github.com/sureshg/installcerts","last_synced_at":"2025-04-05T23:31:01.070Z","repository":{"id":73497624,"uuid":"87804315","full_name":"sureshg/InstallCerts","owner":"sureshg","description":"🏺Create a PKCS12 TrustStore by retrieving server certificates.","archived":false,"fork":false,"pushed_at":"2017-10-19T09:35:22.000Z","size":316,"stargazers_count":15,"open_issues_count":0,"forks_count":6,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-21T13:23:20.048Z","etag":null,"topics":["certificate","crypto","java","jks","jvm","keystore","keytool","kotlin","pkcs12","tls-certificate","truststore"],"latest_commit_sha":null,"homepage":"https://sureshg.github.io/InstallCerts/","language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sureshg.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-04-10T11:43:28.000Z","updated_at":"2023-02-10T19:41:02.000Z","dependencies_parsed_at":null,"dependency_job_id":"f38e5aaa-1b28-45fd-a2ea-152485f88d3c","html_url":"https://github.com/sureshg/InstallCerts","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sureshg%2FInstallCerts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sureshg%2FInstallCerts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sureshg%2FInstallCerts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sureshg%2FInstallCerts/manifests","owner_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sureshg","download_url":"https://codeload.github.com/sureshg/InstallCerts/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247415783,"owners_count":20935383,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","crypto","java","jks","jvm","keystore","keytool","kotlin","pkcs12","tls-certificate","truststore"],"created_at":"2024-11-05T18:24:40.517Z","updated_at":"2025-04-05T23:30:59.478Z","avatar_url":"https://github.com/sureshg.png","language":"Kotlin","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🏺 Install Certs [![version][version-svg]][download] [![build][travis-svg]][travis-url] [![api-doc][doc-svg]][apidoc-url]\n\n`InstallCerts` is a simple cli tool to create [PKCS12][pkcs-wiki] trustStore by retrieving server's TLS certificates.\nYou can achieve the same using [OpenSSL][openssl-wiki] and java [Keytool][keytool-doc] commands, but `InstallCerts` makes it fully automated using a single command.\n\n### Download\n\n* Binary\n\n   [Download (v1.1.2)][download]\n\n   \u003e After download, make sure to set the execute permission (`chmod +x installcerts`). 
Windows users can run the executable jar.\n\n* Source\n\n    ```ruby\n     $ git clone https://github.com/sureshg/InstallCerts\n     $ cd InstallCerts\n     $ ./gradlew -q\n    ```\n    \u003e The binary would be located at `build/libs/installcerts`\n    \n    In order to build a new version, change `appVersion` in the [gradle.properties](gradle.properties) or pass it to `./gradlew -PappVersion=1.1.2`\n\n* Github Release\n\n    \u003e In order to publish the binary to Github, generate [Github Access token][github-token] \n    \n    ```ruby\n     $ export GITHUB_TOKEN=\u003ctoken\u003e\n     $ git clone https://github.com/sureshg/InstallCerts\n     $ cd InstallCerts\n     $ ./gradlew githubRelease -q\n    ```\n    \n### Usage \n\n```ruby\n$ installcerts -h\nNAME\n        installcerts - Creates PKCS12 TrustStore by retrieving server\n        certificates\n\nSYNOPSIS\n        installcerts [(-a | --all)] [(-d | --debug)] [(-h | --help)]\n                [(-p \u003cstorePasswd\u003e | --passwd \u003cstorePasswd\u003e)]\n                [(-t \u003ctimeout\u003e | --timeout \u003ctimeout\u003e)] [(-v | --verbose)]\n                [(-V | --version)] [(-x | --no-jdk-cacerts)] [--] \u003chost\u003e[:port]\n\nOPTIONS\n        -a, --all\n            Show all certs and exits\n\n        -d, --debug\n            Enable TLS debug tracing\n\n        -h, --help\n            Display help information\n\n        -p \u003cstorePasswd\u003e, --passwd \u003cstorePasswd\u003e\n            Trust store password. Default is 'changeit'\n\n        -t \u003ctimeout\u003e, --timeout \u003ctimeout\u003e\n            TLS connect and read timeout (ms). 
Default is 5000 millis\n\n        -v, --verbose\n            Verbose mode\n\n        -V, --version\n            Show version\n\n        -x, --no-jdk-cacerts\n            Don't include JDK CA certs in trust store\n\n        --\n            This option can be used to separate command-line options from the\n            list of argument, (useful when arguments might be mistaken for\n            command-line options\n\n        \u003chost\u003e[:port]\n            Server URL. Default port is 443\n```\n\n### Examples\n\n  *  To list all TLS certificates (`-a`)\n  \n     ```ruby\n     $ installcerts google.com -a\n\n       Loading default ca truststore...\n       Opening connection to google.com:443...\n       \n       Starting SSL handshake...\n       \n       1) Subject - CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US\n         Issuer : CN=Google Internet Authority G2, O=Google Inc, C=US\n         SHA1   : 5A B6 93 22 33 B7 58 4F D2 BA 42 FE 94 53 65 79 19 E9 7B BC\n         MD5    : 16 1F 54 D8 3A E9 33 78 DE 68 72 4C 80 5C 98 C4\n         SAN    : *.google.com\n                  *.android.com\n                  *.appengine.google.com\n                  *.cloud.google.com\n                  *.gcp.gvt2.com\n                  *.google-analytics.com\n                  *.googleadapis.com\n                  *.googleapis.cn\n                  *.url.google.com\n                  *.youtube-nocookie.com\n                  *.youtube.com\n                  *.youtubeeducation.com\n                  *.ytimg.com\n                  android.clients.google.com\n                  android.com\n                  developer.android.google.cn\n                  developers.android.google.cn\n                  g.co\n                  goo.gl\n                  google-analytics.com\n                  google.com\n                  googlecommerce.com\n                  source.android.google.cn\n                  urchin.com\n                  www.goo.gl\n                  
youtu.be\n                  youtube.com\n                  youtubeeducation.com\n         Expiry : Fri Jul 14 01:25:00 PDT 2017\n       \n       2) Subject - CN=Google Internet Authority G2, O=Google Inc, C=US\n         Issuer : CN=GeoTrust Global CA, O=GeoTrust Inc., C=US\n         SHA1   : D6 AD 07 C6 67 56 30 F5 7B 92 7F 66 BE 8C E1 F7 68 F8 79 48\n         MD5    : C5 6F 1A 63 B8 17 B7 31 89 34 C0 6E C5 AB B5 B3\n         SAN    :\n         Expiry : Sun Dec 31 15:59:59 PST 2017\n       \n       3) Subject - CN=GeoTrust Global CA, O=GeoTrust Inc., C=US\n         Issuer : OU=Equifax Secure Certificate Authority, O=Equifax, C=US\n         SHA1   : 73 59 75 5C 6D F9 A0 AB C3 06 0B CE 36 95 64 C8 EC 45 42 A3\n         MD5    : 2E 7D B2 A3 1D 0E 3D A4 B2 5F 49 B9 54 2A 2E 1A\n         SAN    :\n         Expiry : Mon Aug 20 21:00:00 PDT 2018\n       \n       SSL-Session:\n         Protocol    : TLSv1.2\n         CipherSuite : TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n         Session-ID  : 68 3E AD 92 27 59 F6 C2 C5 BF 10 58 04 BF AC 6C 06 DF E9 74 05 A5 39 D2 0E 1F 97 4B 4F 03 81 64\n         Timeout     : 86400\n         Create Time : Mon Apr 24 11:10:04 PDT 2017\n         Access Time : Mon Apr 24 11:10:04 PDT 2017\n         Values      :\n\n     ```\n    \n  * To create PKCS12 file\n  \n    ```ruby\n        $ installcerts https://self-signed.badssl.com\n    \n          Loading default ca truststore...\n          Opening connection to self-signed.badssl.com:443...\n          \n          Starting SSL handshake...\n          Server sent 1 certificate(s)...\n          \n          1) Adding certificate to keystore using alias self-signed.badssl.com-1...\n          Subject - CN=*.badssl.com, O=BadSSL, L=San Francisco, ST=California, C=US\n            Issuer : CN=*.badssl.com, O=BadSSL, L=San Francisco, ST=California, C=US\n            SHA1   : 64 14 50 D9 4A 65 FA EB 3B 63 10 28 D8 E8 6C 95 43 1D B8 11\n            MD5    : 46 10 F4 1F 93 A3 EE 58 E0 CC 69 BE 1C 71 E0 
C0\n            SAN    : *.badssl.com\n                     badssl.com\n            Expiry : Wed Aug 08 14:17:05 PDT 2018\n          \n          Starting SSL handshake...\n          Certificate is trusted. Saving the trustore...\n          \n          🍺  PKCS12 truststore saved to /Users/suresh/installcerts/self-signed_badssl_com.p12  \n      \n          To lists entries in the keystore, run\n          keytool -list -keystore self-signed_badssl_com.p12 --storetype pkcs12\n       ```\n  \n  * Debug TLS Session (`-d`)   \n\n    ```ruby\n        $ installcerts https://rsa2048.badssl.com/ -a -d\n    \n          ➤ Enabling TLS debug tracing...\n          Loading default ca truststore...\n          Opening connection to rsa2048.badssl.com:443...\n          adding as trusted cert:\n            Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US\n            Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US\n            Algorithm: RSA; Serial number: 0xc3517\n            Valid from Sun Jun 20 21:00:00 PDT 1999 until Sun Jun 21 21:00:00 PDT 2020\n          ...\n          Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,...\n          Extension server_name, server_name: [type=host_name (0), value=rsa2048.badssl.com]\n          ***\n          [write] MD5 and SHA1 hashes:  len = 194\n          0000: 01 00 00 BE 03 03 58 FE   41 39 72 B5 AA 3D F4 04  ......X.A9r..=..\n          0010: 9E 4B E2 C4 C3 D0 44 2E   6C A7 19 67 58 01 AC D0  .K....D.l..gX...\n          0020: 40 C3 D8 6A B7 AD 00 00   3A C0 23 C0 27 00 3C C0  @..j....:.#.'.\u003c.\n          0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...\n          0040: 0E 00 33 00 32 C0 2B C0   2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.\n          ...\n          \n          main, SEND TLSv1.2 ALERT:  warning, description = close_notify\n          Padded plaintext before 
ENCRYPTION:  len = 2\n          0000: 01 00                                              ..\n          main, WRITE: TLSv1.2 Alert, length = 26\n          [Raw write]: length = 31\n          0000: 15 03 03 00 1A 00 00 00   00 00 00 00 01 18 B9 59  ...............Y\n          0010: 96 9B 04 93 CB 8A 4C EC   D8 B1 9B 0C 43 76 E3     ......L.....Cv.\n          main, called closeSocket(true)\n          ...\n       ```    \n         \n  * Some useful Keytool commands\n    \n    ```ruby\n    # List all certificates from the pkcs12 truststore.\n    $ keytool -list -keystore self-signed_badssl_com.p12 --storetype pkcs12\n      Enter keystore password: changeit\n  \n    # Extract certificate from pkcs12 truststore.\n    $ keytool -exportcert -alias [host]-1 -keystore self-signed_badssl_com.p12 -storepass changeit -file [host].cer\n\n    # Import certificate into system keystore\n    $ keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer\n    ```\n    \n    \n## Credits\n\n - Got the original idea from this [oracle blog][installcert-blog] post.\n \n----------\n\u003csup\u003e**\u003c/sup\u003eRequire [Java 8 or later][java-download]\n\n[version-svg]: https://img.shields.io/badge/installcerts-1.1.2-green.svg?style=flat-square\n[doc-svg]: https://img.shields.io/badge/apidoc-1.1.2-ff69b4.svg?style=flat-square\n[apidoc-url]: https://sureshg.github.io/InstallCerts/\n[download]: https://github.com/sureshg/InstallCerts/releases/download/1.1.2/installcerts\n[java-download]: http://www.oracle.com/technetwork/java/javase/downloads/index.html\n[github-token]: https://github.com/settings/tokens\n[installcert-blog]: https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification\n[pkcs-wiki]: https://en.wikipedia.org/wiki/PKCS_12\n[keytool-doc]: https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html\n[openssl-wiki]: https://en.wikipedia.org/wiki/OpenSSL\n\n[travis-url]: 
https://travis-ci.org/sureshg/InstallCerts/builds\n[travis-svg]: https://img.shields.io/travis/sureshg/InstallCerts.svg?style=flat-square\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsureshg%2Finstallcerts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsureshg%2Finstallcerts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsureshg%2Finstallcerts/lists"}