This script takes a cacerts file and exports all the root certs in it to a directory. See another script in this section for assembling a custom cacerts file from individual CA root files. Written for use with WebLogic cacert file.

[user@app01 cacert-stuff]$ more exportCARoots.sh
#!/bin/bash
#exportCARoots.sh
#written Andrew Stringer 08/11/2011

#This extracts the root ca's contained in the cacerts file to individual certificates.

EXPORTPATH=/home/user/scripts/cacert-stuff/root-certs

KEYTOOL=/usr/pkg/weblogic/9.2.2/jdk150_14/bin/keytool
CACERTS=$1
if [ "$1" = "" ]
 then
   echo "You need to provide the name of a cacert file, eg. ./ exportCARoots.sh ./cacert-10-10-2011."
   exit 1
fi

STOREPASS=changeit
TMP1=/tmp/exportCAroots1-$$


#example entry for each root ca
#verisignclass3g2ca, 25-Mar-2004, trustedCertEntry,
#Certificate fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9

#create a list of aliases which form the loop to test each entry in turn, tail gets rid of unwanted info at top of
#keytool output

echo " "
echo "Step 1, Listing all the CA aliases in ${CACERTS} to a file."
echo "Step 2, exporting CA roots."
for ALIAS in `${KEYTOOL} -list -keystore ${CACERTS} -storepass ${STOREPASS}  | tail +7 | grep -v Certificate | cut -d, -f 1 -`
do
        ${KEYTOOL} -export -rfc -v -alias ${ALIAS} -file ${EXPORTPATH}/${ALIAS}.cer -keystore ${CACERTS} -storepass ${STOREPASS} > ${TMP1} 2>&1
        echo -n "."
done

echo " "
echo "CA roots exported."
echo "=================="

for FILE in `${KEYTOOL} -list -keystore ${CACERTS} -storepass ${STOREPASS}  | tail +7 | grep -v Certificate | cut -d, -f 1 -`
do
        ls -1  ${EXPORTPATH}/${FILE}*
done

#clear up our mess
rm ${TMP1}

exit 0
[user@app01 cacert-stuff]$