How to detect if a cert has been installed into Java?

We have a need to import some internal certs into the Java keystore each time that we update Java on our systems. That process is working reasonably well using Java’s keytool.exe. My challenge is how to create relevance in BigFix that knows when we have installed those certs so the fixlet I created isn’t relevant after they’ve been imported. I figure I could just add a file to that folder when the import happens and base my relevance upon whether that file is present, but that assumes that the import actually happened successfully. Anyone have suggestions on a better way to check that?

I (very grudgingly) based mine on the size and sha1 of a known-good cacerts file. I kept one for jre7, one for jre8, etc. and replaced the default cacerts with my own for each minor update.

Use the list option of Keytool and direct the output to a file. Then you can use relevance to examine the file for whatever you are seeking to validate.

Jason, are you just replacing the default cacerts file with your version of it with each new Java install instead of doing an import using keytool?

Yes, that’s what I’m doing.

Here is the Keytool syntax to add a public key to trust:

keytool.exe -importcert -noprompt -trustcacerts -alias display_name_for_CA -file file_containing_CA_key_to_trust -keystore path_to_CACERTS_or_truststore -storepass changeit_for_default_cacerts_or_custom_truststore_password

Keytool syntax to generate a list of CA public keys that are trusted:

keytool.exe -list -keystore CACERTS_or_custom_truststore -storepass changeit_for_default_cacerts_or_custom_truststore_password > trust_file_list.log

I have gotten in the habit of running the list function to dump out current state every time I import anything into the trust store. That way the log is always current.

Now you can make tasks whose relevance parses trust_file_list.log to determine if the proper certs are present.

Likewise you could do an analysis of trust_file_list.log to create a report.

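One way to do the check the last post describes, as an added example that is not from the thread, BigFix or keytool: parse trust_file_list.log and confirm that each expected alias is present with the fingerprint you expect, rather than only testing that a marker file exists. The sample output, aliases and fingerprints below are constructed, and the entry-line pattern assumes keytool ran in an en-US locale.

```python
import re

# Constructed sample of non-verbose "keytool -list" output, as redirected to
# trust_file_list.log in the thread (aliases and fingerprints are made up;
# the last entry uses the "SHA1" line that older JREs print).
SAMPLE_LOG = """\
Your keystore contains 3 entries

corp-root-ca, Jan 5, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
corp-issuing-ca, Jan 5, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
legacy-ca, Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78
"""

# Entry header line; the date pattern assumes keytool ran in an en-US locale.
ENTRY_RE = re.compile(r"^(?P<alias>.+?), [A-Z][a-z]{2} \d{1,2}, \d{4}, \w+Entry,?$")
FP_RE = re.compile(r"^Certificate fingerprint \((?P<algo>[\w-]+)\): (?P<fp>[0-9A-Fa-f:]+)$")

def norm_fp(fp: str) -> str:
    """Canonical fingerprint form: uppercase hex without colons."""
    return fp.replace(":", "").upper()

def parse_keytool_list(text: str) -> dict[str, tuple[str, str]]:
    """Map alias -> (fingerprint algorithm, normalised fingerprint)."""
    entries: dict[str, tuple[str, str]] = {}
    alias = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            alias = m.group("alias")  # its fingerprint is on the next line
            continue
        m = FP_RE.match(line)
        if m and alias is not None:
            entries[alias] = (m.group("algo").upper(), norm_fp(m.group("fp")))
            alias = None
    return entries

def check_trust_store(text: str, expected: dict[str, str]) -> dict[str, list[str]]:
    """Expected aliases that are absent or carry a different fingerprint; empty means imported."""
    found = parse_keytool_list(text)
    report: dict[str, list[str]] = {"missing": [], "mismatch": []}
    for alias, want in expected.items():
        got = found.get(alias)
        if got is None:
            report["missing"].append(alias)
        elif got[1] != norm_fp(want):
            report["mismatch"].append(alias)
    return report
```

An empty report is the condition under which the import fixlet can stop being relevant; a non-empty one tells you whether the alias never made it in or a different certificate sits under that alias.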