Task #2774

open

Certificate is not imported into truststore when filenames differ only by case

Added by Petr Fišer about 3 years ago.

Status: New
Priority: Normal
Assignee: -
Start date: 04/22/2021
Due date:
% Done: 0%
Estimated time:
Owner:

Description

When I have two certificates whose names differ only by case, the latter one does not get imported into the truststore. This is because keytool converts all -alias values to lowercase, and an "alias already exists" conflict arises.

Originally discovered on the tomcat-docker project when rewriting its truststore generation.
I used the connector server container's generation algorithm and discovered this bug.

[fiisch@dockerhost certs]$ md5sum *
9799b6ed6fd86ec34d6efb3d3e86aa5a  brainfart.fiisch.cz.crt
03e335fab7ee0a6e5d24aac574ccbcb0  letsencrypt-dst-root-ca-x3.pem
2942abe932270af85931ba03d1341ce9  letsencrypt-DST-ROOT-CA-X3.pem
appserver    | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] Creating Tomcat Java truststore...
appserver    | removed ‘/opt/tomcat/truststore/truststore.jks’
appserver    | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] importing certificates from: /opt/tomcat/truststore/certs/ ...
appserver    | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] Importing certificate brainfart.fiisch.cz.crt
appserver    | Certificate was added to keystore
appserver    | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] Importing certificate letsencrypt-dst-root-ca-x3.pem
appserver    | Certificate was added to keystore
appserver    | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] Importing certificate letsencrypt-DST-ROOT-CA-X3.pem
appserver    | keytool error: java.lang.Exception: Certificate not imported, alias <letsencrypt-DST-ROOT-CA-X3.pem> already exists
appserver    | [/runscripts/runEvery.d/000_002-generateJavaTruststore.sh] Truststore generation done.

As a solution, I suffixed the alias with the import timestamp at millisecond precision to avoid the possible conflict.

-  keytool -importcert -file "$TOMCAT_TRUSTSTORE/certs/$f" -alias "$f" -keystore $truststorepath -storepass changeit -noprompt
+  keytool -importcert -file "$TOMCAT_TRUSTSTORE/certs/$f" -alias "$f-$(date +%s.%3N)" -keystore $truststorepath -storepass changeit -noprompt
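Review bot: the timestamp suffix avoids the lowercased-alias collision only probabilistically, not by construction: two imports inside the same millisecond still yield the same alias once keytool lowercases `$f`, and `%3N` is a GNU coreutils extension, so on a `date` that does not support it every certificate gets the same literal suffix and the collision returns. Deriving the suffix from the file content instead, e.g. `-alias "$f-$(sha256sum "$TOMCAT_TRUSTSTORE/certs/$f" | cut -c1-16)"`, is unique for distinct files and stable across runs, which also keeps aliases predictable when someone later needs to `-delete` one. While here, `$truststorepath` is unquoted although the `-file` argument is quoted; quote it too.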

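The collision described in this ticket comes from keytool treating aliases case-insensitively, so any alias derived only from the filename can clash. The script below is an added example, not the tomcat-docker project's own truststore generator: it derives the alias from the lowercased filename plus a hash of the file contents, and it goes one step beyond the ticket by also recognising the same certificate dropped in twice under different names and skipping it instead of letting keytool fail. Assumptions: POSIX sh with coreutils `sha256sum`; `keytool` is needed only by `import_all`; the hash is of the file bytes, so a PEM and a DER copy of one certificate still count as different (use `openssl x509 -noout -fingerprint` for a true certificate fingerprint if openssl is available). The sample directory is constructed inline to mirror the listing in the ticket.

```shell
#!/bin/sh
# Added example (not the project's own script): keytool aliases that stay
# unique after keytool lowercases them, plus duplicate-content detection.

# file_hash FILE -> first 16 hex characters of the file's SHA-256
file_hash() {
    sha256sum "$1" | cut -c1-16
}

# alias_for FILE -> lowercase basename plus content hash, e.g.
#   letsencrypt-dst-root-ca-x3.pem-9f86d081884c7d65
# Two files whose names differ only by case get different aliases because
# their content differs, so keytool's lowercasing can no longer collide.
alias_for() {
    name=$(basename "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s-%s\n' "$name" "$(file_hash "$1")"
}

# plan_imports DIR -> one line per regular file in DIR:
#   "IMPORT <alias> <file>"  first time this content is seen
#   "SKIP <alias> <file>"    byte-for-byte duplicate of an earlier file
plan_imports() {
    seen=" "
    for path in "$1"/*; do
        [ -f "$path" ] || continue
        h=$(file_hash "$path")
        case "$seen" in
            *" $h "*) printf 'SKIP %s %s\n' "$(alias_for "$path")" "$path" ;;
            *) seen="$seen$h "; printf 'IMPORT %s %s\n' "$(alias_for "$path")" "$path" ;;
        esac
    done
}

# import_all DIR KEYSTORE STOREPASS -> runs keytool once per IMPORT line
# (paths are quoted; the alias is deterministic, so re-runs are reproducible)
import_all() {
    plan_imports "$1" | while read -r action al path; do
        if [ "$action" != IMPORT ]; then
            echo "skipping duplicate certificate $path" >&2
            continue
        fi
        keytool -importcert -file "$path" -alias "$al" \
            -keystore "$2" -storepass "$3" -noprompt
    done
}

# make_sample_dir -> constructed sample set: two names differing only by case
# with different content (the case from the ticket), plus a byte-for-byte
# duplicate of one of them under a third name. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'cert-A\n' > "$d/brainfart.fiisch.cz.crt"
    printf 'cert-B\n' > "$d/letsencrypt-dst-root-ca-x3.pem"
    printf 'cert-C\n' > "$d/letsencrypt-DST-ROOT-CA-X3.pem"
    printf 'cert-B\n' > "$d/dst-root-again.pem"
    echo "$d"
}

# Usage: plan_imports "$(make_sample_dir)" prints three IMPORT lines and one SKIP.
```

Running `plan_imports` first and `import_all` second keeps the decision of what goes into the truststore separate from the keytool invocation, which makes the plan easy to log or diff before the truststore is rebuilt.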