With a Browser
The following generated a certificate that I was able to import using keytool:
- Level: sb1.geolearning.com
- File Type: DER-encoded binary, single certificate
For posterity, here was the command used to import:
sudo keytool -import -keystore /opt/jrun4/jre/lib/security/cacerts -alias "sb1.geolearning.com (Thawte SSL CA)" -storepass changeit -noprompt -trustcacerts -file ~/Downloads/sb1.geolearning.com
Without a Browser
Here's what I'm doing these days (in a Vagrant provisioner). In this script, the keystore is hard-coded, because I'm only using it for Lucee, at the moment; however, the path the the keystore could easily be parameterized. Also, the runfile
related code is just so Vagrant doesn't run the script more than once; those lines are superfluous if you're not using the code as a Vagrant provisioner.
The only thing that really differentiates this from the above solution is that this gets the cert via openssl s_client
(and cleans it up with sed
) instead doing so manually, via a browser.
#!/usr/bin/env bash
set -e
description="Add cert to Lucee's keystore."
while :
do
case $1 in
--provisioned-dir=*)
provisioned_dir=${1#*=} # Delete everything up till "="
shift
;;
--runfile-name=*)
runfile_name=${1#*=} # Delete everything up till "="
shift
;;
--site-host-name=*)
site_host_name=${1#*=} # Delete everything up till "="
shift
;;
-*)
echo "WARN: Unknown option (ignored): $1" >&2
shift
;;
*) # no more options. Stop while loop
break
;;
esac
done
runfile="${provisioned_dir}/${runfile_name}"
if [ -f "${runfile}" ]; then
echo "${description}: Already run."
exit 0
fi
echo "add cert to keystore"
echo -n | \
openssl s_client -connect ${site_host_name}:443 \
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
> /tmp/${site_host_name}.cert
/opt/lucee/jdk/jre/bin/keytool \
-import \
-keystore /opt/lucee/lib/lucee-server/context/security/cacerts \
-alias "${site_host_name} (self-signed)" \
-storepass changeit \
-file /tmp/${site_host_name}.cert \
-noprompt \
|| true
touch "${runfile}"