Problem

You want to compare two cacerts java certificate stores.

Say comparing development server against prod, to ensure they both have same certs stored in cacerts (sampled by java among others).

Solution

This can come in very handy, if you need to compare 2 different projects or envs. See the example.

Example

Code to generate list of certs, along with there alias, entry, owner and valid dates.

Start in the directory where your cacerts file resides.


../../../bin/keytool -list -v -keystore cacerts -storepass changeit | gawk ' {
if(/Alias name/) {
if(alias != /^$/) { printf("%s: [%s] %s [from: %s]n",alias,entry,owner,valid); }
alias=$NF;
}
if(/Entry type/) { entry=$NF; }
if(/Owner/) { owner=$2" "$3; }
if(/Valid/) { valid=$5"/"$4"/"$8; }
} END { printf("%s: [%s] %s [from: %s]n",alias,entry,owner,valid); }
' | sort


You may need to change gawk for nawk on Solaris, etc.

Dump this out into a file for each env. The run diff with something like this:


diff -s dump.cob dump.dev | egrep -v -- "^([0-9]|--)" | sort | grep -vn xxx


Reference

[tags]openssl, cacerts, java certifications, comparing java certs, Unix Coding School[/tags]

• Linux Man Pages – crontab command
• See a run through here
• Mark Foster’s cool openssl tips
• Paul Heinlein’s excellent and comprehensive openssl tips