Check Root CA expiry date in cacerts file

This script is intended to check the expiry date of each root certificate in a cacerts file (the Java keystore of trusted CAs, read here with the JDK's keytool). The idea is that expired certificates can be purged from the cacerts file: an expired root can never validate a chain, so removing it costs nothing, and some applications we have encountered seem to have a limit on the number of certificates they will process, although the cacerts file itself has no limit.

An edited example run is below:

[user@app01 cacert-stuff]$ ./certexpirydates.sh cacert-13-10-2011

Listing all the CA aliases in cacert-13-10-2011 to a file..........................................................
Sorting to date order.

CA roots sorted by expiry year.
===============================

2006,  Thu Feb 23 23:59:00 UTC 2006, gtecybertrustca
2008,  Thu Feb 14 05:02:09 UTC 2008, ws-client
2010,  Thu Jan 07 23:59:59 UTC 2010, verisignserverca
2011,  Mon Oct 24 23:59:59 UTC 2011, verisign_class_3_bsq
2011,  Thu Nov 10 07:01:01 UTC 2011, wwca
2013,  Mon Mar 11 14:29:01 UTC 2013, orbisuk
2013,  Wed Aug 14 23:59:00 UTC 2013, gtecybertrust5ca
2014,  Wed Sep 17 18:27:59 UTC 2014, lastcsfs02-rootcer
2014,  Wed Oct 29 00:44:53 UTC 2014, tahoeca
2015,  Tue Feb 10 18:32:36 UTC 2015, lastcs101
2017,  Fri Aug 18 22:28:14 UTC 2017, partygamingprodrootca
2017,  Fri Aug 18 22:32:34 UTC 2017, partygamingprodca
2018,  Mon Aug 13 23:59:00 UTC 2018, gtecybertrustglobalca
2018,  Wed Aug 22 16:41:51 UTC 2018, equifaxsecureca

This is the code:-

[user@app01 cacert-stuff]$ more certexpirydates.sh
#!/bin/bash
#written Andrew Stringer 08/11/2011

#This checks all the expiry dates of the root ca's contained in the cacerts file and lists
#them oldest first. An expired root can never validate a chain, so the expired entries it
#reports are safe to remove with "keytool -delete -alias <alias> -keystore <cacerts>".

KEYTOOL=/usr/pkg/weblogic/9.2.2/jdk150_14/bin/keytool
#CACERTS=/home/user/cacerts.txt
CACERTS=$1
if [ -z "${CACERTS}" ]
 then
   echo "You need to provide the name of a cacert file, eg. ./certexpirydates.sh ./cacert-10-10-2011."
   exit 1
fi
if [ ! -r "${CACERTS}" ]
 then
   echo "Cannot read ${CACERTS}."
   exit 1
fi
if [ ! -x "${KEYTOOL}" ]
 then
   echo "keytool not found at ${KEYTOOL}, edit KEYTOOL at the top of this script."
   exit 1
fi

#"changeit" is the JDK default for cacerts and public knowledge, so passing it with
#-storepass (visible in ps while keytool runs) gives nothing away. Do not reuse this
#pattern with a store whose password matters.
STOREPASS=changeit
TMP1=$(mktemp /tmp/cacertsort1-XXXXXX) || exit 1
TMP2=$(mktemp /tmp/cacertsort2-XXXXXX) || exit 1
#clear up mess however the script exits
trap 'rm -f "${TMP1}" "${TMP2}"' EXIT

#example entry for each root ca
#verisignclass3g2ca, 25-Mar-2004, trustedCertEntry,
#Certificate fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9

#create a list of aliases which form the loop to test each entry in turn. Selecting the
#entry lines by their trailing "...Entry" rather than skipping a fixed number of header
#lines with tail copes with the "trustedCertEntry," layout of JDK 5 and the
#"trustedCertEntry" layout of later JDKs; the alias is the first comma-separated field.

echo " "
echo -n "Listing all the CA aliases in ${CACERTS} to a file."
"${KEYTOOL}" -list -keystore "${CACERTS}" -storepass "${STOREPASS}" | grep -E 'Entry,?$' | cut -d, -f 1 - |
while IFS= read -r ALIAS
do
        #-v prints "Valid from: <date> until: <date>"; colon-separated field 5 onwards is the
        #expiry, eg. " Thu Feb 23 23:59:00 UTC 2006". head -1 keeps only the entry's own
        #certificate when a keyEntry carries a whole chain.
        EXPIRYSTRING=$("${KEYTOOL}" -list -v -alias "${ALIAS}" -keystore "${CACERTS}" -storepass "${STOREPASS}" | grep '^Valid from' | head -1 | cut -d: -f 5-)
        #build a YYYY-MM-DD key so sort orders by real date, not by the name of the weekday
        SORTKEY=$(echo "${EXPIRYSTRING}" | awk '{
                m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $2) + 2) / 3
                printf "%s-%02d-%02d", $6, m, $3 }')
        EXPYEAR=${SORTKEY%%-*}

        #the key before "|" is only used for sorting and is stripped before display
        echo "${SORTKEY}|${EXPYEAR}, ${EXPIRYSTRING}, ${ALIAS}" >> "${TMP1}"
        echo -n "."
done

#sort in to date order
echo " "
echo "Sorting to date order."
echo " "

sort "${TMP1}" > "${TMP2}"

echo "CA roots sorted by expiry year."
echo "==============================="
cut -d'|' -f 2- "${TMP2}"

#anything whose key sorts before today's date has already expired
TODAY=$(date +%Y-%m-%d)
echo " "
echo "Already expired on ${TODAY} (safe to purge with keytool -delete):"
awk -F'|' -v today="${TODAY}" '$1 < today { alias = $2; sub(/.*, /, "", alias); print "  " alias }' "${TMP2}"

exit 0
[user@app01 cacert-stuff]$
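The same job done as a parser of the keytool listing rather than one keytool call per alias, as an added example that is not part of the page's script: it reads the output of a single keytool -list -v run, parses each entry's "Valid from: ... until: ..." line into a real date so the sort is chronological rather than by weekday name, tags entries as expired, expiring within 90 days or ok, and prints the keytool -delete commands for the expired ones so they can be reviewed before purging. The keystore path, keytool path and 90-day warning window are assumptions, the cacerts password is the JDK default, and SAMPLE_LISTING is a constructed, abbreviated listing whose expiry dates are taken from the run shown above (the start dates are made up).

```python
"""Triage the entries of a Java cacerts keystore by expiry date.

Added example, not the page's own script: parses `keytool -list -v` output,
sorts every alias by real expiry date and emits keytool -delete commands for
the expired ones.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

ALIAS_RE = re.compile(r"^Alias name: (.+)$")
VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")


def parse_keytool_date(text):
    """'Thu Feb 23 23:59:00 UTC 2006' -> datetime(2006, 2, 23, 23, 59).

    The zone token (UTC, GMT, BST ...) is dropped because strptime's %Z only
    accepts a few names; expiry triage works at day granularity anyway.
    """
    parts = text.split()
    if len(parts) != 6:
        raise ValueError("unexpected keytool date: %r" % text)
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_listing(text):
    """Return [(alias, not_before, not_after)] for each alias in the listing.

    Only the first "Valid from" line after an "Alias name" line is used, so an
    entry that carries a whole chain is reported by its own certificate.
    """
    entries, alias = [], None
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1).strip()
            continue
        m = VALID_RE.match(line)
        if m and alias is not None:
            entries.append((alias, parse_keytool_date(m.group(1)),
                            parse_keytool_date(m.group(2))))
            alias = None
    return entries


def triage(entries, now, warn_days=90):
    """Sort by expiry and tag each alias expired / expiring / ok."""
    rows = []
    for alias, _not_before, not_after in sorted(entries, key=lambda e: e[2]):
        if not_after < now:
            status = "expired"
        elif not_after < now + timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        rows.append((status, not_after.strftime("%Y-%m-%d"), alias))
    return rows


def purge_commands(rows, keystore, keytool="keytool", storepass="changeit"):
    """One keytool -delete command per expired alias, to review before running."""
    return ["%s -delete -alias '%s' -keystore '%s' -storepass %s"
            % (keytool, alias, keystore, storepass)
            for status, _date, alias in rows if status == "expired"]


# Constructed, abbreviated keytool -list -v output so the parser runs offline;
# the "until" dates are four aliases from the page, the "from" dates are made up.
SAMPLE_LISTING = """\
Your keystore contains 4 entries

Alias name: tahoeca
Entry type: trustedCertEntry
Valid from: Sat Oct 29 00:44:53 UTC 2005 until: Wed Oct 29 00:44:53 UTC 2014

Alias name: gtecybertrustca
Entry type: trustedCertEntry
Valid from: Fri Feb 23 00:00:00 UTC 1996 until: Thu Feb 23 23:59:00 UTC 2006

Alias name: wwca
Entry type: trustedCertEntry
Valid from: Wed Nov 10 07:01:01 UTC 2004 until: Thu Nov 10 07:01:01 UTC 2011

Alias name: lastcsfs02-rootcer
Entry type: trustedCertEntry
Valid from: Fri Sep 17 18:27:59 UTC 2004 until: Wed Sep 17 18:27:59 UTC 2014
"""

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: cacerts_expiry.py <cacerts-file> [path-to-keytool]")
    keystore = sys.argv[1]                                   # assumed argument
    keytool = sys.argv[2] if len(sys.argv) > 2 else "keytool"
    listing = subprocess.run(
        [keytool, "-list", "-v", "-keystore", keystore, "-storepass", "changeit"],
        check=True, capture_output=True, text=True).stdout
    rows = triage(parse_listing(listing), datetime.now(timezone.utc).replace(tzinfo=None))
    for row in rows:
        print("%-8s %s  %s" % row)
    for cmd in purge_commands(rows, keystore, keytool):
        print(cmd)
```

Run it as cacerts_expiry.py ./cacert-13-10-2011 /usr/pkg/weblogic/9.2.2/jdk150_14/bin/keytool. Because the sort key is a parsed date, lastcsfs02-rootcer (17 Sep 2014) correctly precedes tahoeca (29 Oct 2014), which a text sort on "Wed Sep"/"Wed Oct" gets backwards. The delete commands are printed rather than executed on purpose: back up the cacerts file and check the list before running them.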

rb/rootcaexpirycheck.txt · Last modified: 10/10/2013 14:21 (external edit)