Task #2774
openCertificate is not imported into truststore when filenames differ only by case
Status:
New
Priority:
Normal
Assignee:
-
Start date:
04/22/2021
Due date:
% Done:
0%
Estimated time:
Owner:
Description
When I have two certificates whose file names differ only by case, the latter one does not get imported into the truststore. This is because keytool converts every -alias
to lowercase, so an "alias already exists" conflict arises.
Originally discovered on the tomcat-docker project when rewriting its truststore generation.
I used the connector server container's generation algorithm and discovered this bug.
[fiisch@dockerhost certs]$ md5sum *
9799b6ed6fd86ec34d6efb3d3e86aa5a brainfart.fiisch.cz.crt
03e335fab7ee0a6e5d24aac574ccbcb0 letsencrypt-dst-root-ca-x3.pem
2942abe932270af85931ba03d1341ce9 letsencrypt-DST-ROOT-CA-X3.pem

appserver | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] Creating Tomcat Java truststore...
appserver | removed ‘/opt/tomcat/truststore/truststore.jks’
appserver | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] importing certificates from: /opt/tomcat/truststore/certs/ ...
appserver | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] Importing certificate brainfart.fiisch.cz.crt
appserver | Certificate was added to keystore
appserver | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] Importing certificate letsencrypt-dst-root-ca-x3.pem
appserver | Certificate was added to keystore
appserver | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] Importing certificate letsencrypt-DST-ROOT-CA-X3.pem
appserver | keytool error: java.lang.Exception: Certificate not imported, alias <letsencrypt-DST-ROOT-CA-X3.pem> already exists
appserver | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] Truststore generation done.
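The collision above can be caught before keytool runs. The following is an added example, not code from the report or from the tomcat-docker project: given the certificate file names, it lists the lower-cased aliases that would clash, and assigns each file a deterministic alias (lower-cased name plus a numeric suffix for later duplicates) that stays the same across re-runs. The file list is a constructed sample matching the md5sum listing above.

```shell
#!/bin/sh
# Constructed sample input: the three files from the report's listing.
CERT_FILES='brainfart.fiisch.cz.crt
letsencrypt-dst-root-ca-x3.pem
letsencrypt-DST-ROOT-CA-X3.pem'

# Print each lower-cased alias that more than one file would map to.
# keytool folds -alias to lowercase, so these are the names that would
# trigger "alias ... already exists" on the second import.
find_alias_collisions() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sort | uniq -d
}

# Assign a unique alias per file: the lower-cased name, and for the
# second and later files folding to the same name, "-1", "-2", ...
# Output is one "<file>\t<alias>" line per input file, in input order.
assign_aliases() {
    printf '%s\n' "$1" | awk '{
        alias = tolower($0)
        n = seen[alias]++          # how many earlier files folded to this alias
        if (n > 0) alias = alias "-" n
        printf "%s\t%s\n", $0, alias
    }'
}

# The import loop would then consume the mapping, e.g. (assumed paths):
#   assign_aliases "$CERT_FILES" | while IFS="$(printf '\t')" read -r f a; do
#       keytool -importcert -file "$certdir/$f" -alias "$a" \
#           -keystore "$truststorepath" -storepass changeit -noprompt
#   done
```

Because the suffix depends only on the file names, the same directory always yields the same aliases, which a timestamp-based suffix does not guarantee.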
As a solution, I suffixed the alias with the import timestamp at millisecond precision to avoid the possible conflict.
- keytool -importcert -file "$TOMCAT_TRUSTSTORE/certs/$f" -alias "$f" -keystore $truststorepath -storepass changeit -noprompt + keytool -importcert -file "$TOMCAT_TRUSTSTORE/certs/$f" -alias "$f-$(date +%s.%3N)" -keystore $truststorepath -storepass changeit -noprompt
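Review bot: the `%N` conversion in `$(date +%s.%3N)` on the `+` line is a GNU coreutils extension; on BusyBox or BSD `date` (common in slim container images) it prints a literal `N` or fails, so every alias imported within the same second gets the same suffix and the `alias <...> already exists` error from the log returns. A suffix derived from the file name or the certificate itself (a loop counter over the sorted file list, or the certificate fingerprint) avoids that dependency and also keeps aliases stable between runs, which a timestamp does not. Unrelated to this change but visible on both lines: `$truststorepath` is unquoted while every other path argument is quoted; quote it as `-keystore "$truststorepath"`.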