Compare Java Certificate Stores – cacerts


You want to compare two cacerts Java certificate stores.

Say, comparing a development server against prod, to ensure they both have the same certs stored in cacerts (used by Java, among others).



This can come in very handy if you need to compare two different projects or envs. See the example.



Code to generate a list of certs, along with their alias, entry, owner and valid dates.

Start in the directory where your cacerts file resides.

../../../bin/keytool -list -v -keystore cacerts -storepass changeit | gawk ' {
# each "Alias name" line starts a new entry, so print the entry collected so far
if(/Alias name/) {
if(alias != "") { printf("%s: [%s] %s [from: %s]\n",alias,entry,owner,valid); }
alias=$0; sub(/^Alias name: */,"",alias);
}
if(/Entry type/) { entry=$NF; }
if(/Owner/) { owner=$2" "$3; }
if(/Valid/) { valid=$5"/"$4"/"$8; }
} END { printf("%s: [%s] %s [from: %s]\n",alias,entry,owner,valid); }
' | sort

You may need to change gawk for nawk on Solaris, etc.

Dump this out into a file for each env. Then run diff on the two files with something like this:

diff -s dump.cob | egrep -v -- "^([0-9]|--)" | sort | grep -vn xxx
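
Another way to compare the two dump files, as an added example that is not part of the original post: a shell function that matches entries by alias and labels each difference as missing from one side or changed. The function names, file names and certificate entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. Dump lines look like: alias: [entry] owner [from: date]
# All file names and certificate entries below are constructed samples.

# compare_dumps FIRST SECOND
# Prints one tab-separated line per difference: KIND, alias, details.
compare_dumps() {
    awk '
    {
        # Split at the first ": [" so the alias is kept whole.
        i = index($0, ": [")
        if (i == 0) next
        alias = substr($0, 1, i - 1)
        detail = substr($0, i + 2)
        # src is set on the command line just before each file operand.
        if (src == 1) { first[alias] = detail; next }
        seen[alias] = 1
        if (!(alias in first))
            print "ONLY_IN_SECOND\t" alias "\t" detail
        else if (first[alias] != detail)
            print "CHANGED\t" alias "\t" first[alias] " -> " detail
    }
    END {
        for (k in first)
            if (!(k in seen)) print "ONLY_IN_FIRST\t" k "\t" first[k]
    }' src=1 "$1" src=2 "$2" | sort
}

# write_samples DIR: create two constructed dumps, dev.txt and prod.txt.
write_samples() {
    cat > "$1/dev.txt" <<'EOF'
examplerootca: [trustedCertEntry] CN=Example Root [from: 10/Nov/2006]
internalca: [trustedCertEntry] CN=Internal Dev [from: 01/Jan/2020]
legacyca: [trustedCertEntry] CN=Legacy CA, [from: 05/May/1999]
EOF
    cat > "$1/prod.txt" <<'EOF'
examplerootca: [trustedCertEntry] CN=Example Root [from: 10/Nov/2006]
internalca: [trustedCertEntry] CN=Internal Prod [from: 03/Mar/2021]
partnerca: [trustedCertEntry] CN=Partner CA, [from: 07/Jul/2019]
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
compare_dumps "$tmp/dev.txt" "$tmp/prod.txt"
rm -rf "$tmp"
```

A CHANGED line means the same alias carries a different owner or start date in the two stores, which a plain line diff would show as two unrelated lines.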


