Import DoD root certificates into linux CA store

add-dod-certs.sh

#!/bin/bash
# Imports DoD root certificates into Linux CA store
# Version 0.4.1 updated 20241216 by AfroThundr
# SPDX-License-Identifier: GPL-3.0-or-later

# For issues or updated versions of this script, browse to the following URL:
# https://gist.github.com/AfroThundr3007730/ba99753dda66fc4abaf30fb5c0e5d012

# Dependencies: curl gawk openssl unzip wget

set -euo pipefail
shopt -s extdebug nullglob

add_dod_certs() {
    local bundle cert certdir file form tmpdir url update
    trap '[[ -d ${tmpdir:-} ]] && rm -fr $tmpdir' EXIT INT TERM

    # Location of bundle from DISA site
    url='https://public.cyber.mil/pki-pke/pkipke-document-library/'
    bundle=$(curl -s $url | awk -F '"' 'tolower($2) ~ /dod.zip/ {print $2}')

    # Set cert directory and update command based on OS
    [[ -f /etc/os-release ]] && source /etc/os-release
    if [[ ${ID:-} =~ (fedora|rhel|centos) ||
        ${ID_LIKE:-} =~ (fedora|rhel|centos) ]]; then
        certdir=/etc/pki/ca-trust/source/anchors
        update='update-ca-trust'
    elif [[ ${ID:-} =~ (debian|ubuntu|mint) ||
        ${ID_LIKE:-} =~ (debian|ubuntu|mint) ]]; then
        certdir=/usr/local/share/ca-certificates
        update='update-ca-certificates'
    else
        certdir=${1:-} && update=${2:-}
    fi

    [[ ${certdir:-} && ${update:-} ]] || {
        printf 'Unable to autodetect OS using /etc/os-release.\n'
        printf 'Please provide CA certificate directory and update command.\n'
        printf 'Example: %s /cert/store/location update-cmd\n' "${0##*/}"
        exit 1
    }

    # Extract the bundle
    wget -qP "${tmpdir:=$(mktemp -d)}" "$bundle"
    unzip -qj "$tmpdir"/"${bundle##*/}" -d "$tmpdir"

    # Check for existence of PEM or DER format p7b.
    for file in "$tmpdir"/*_dod_{pem,der}.p7b; do
        # Iterate over glob instead of testing directly (SC2144)
        [[ -f ${file:-} ]] && form=${file%.*} && form=${form##*_} && break
    done
    [[ ${form:-} && ${file:-} ]] || { printf 'No bundles found!\n' && exit 1; }

    # Convert the PKCS#7 bundle into individual PEM files
    openssl pkcs7 -print_certs -inform "$form" -in "$file" |
        awk -v d="$tmpdir" \
            'BEGIN {c=0} /subject=/ {c++} {print > d "/cert." c ".pem"}'

    # Rename the files based on the CA name
    for cert in "$tmpdir"/cert.*.pem; do
        mv "$cert" "$certdir"/"$(
            openssl x509 -noout -subject -in "$cert" |
                awk -F '(=|= )' '{print gensub(/ /, "_", 1, $NF)}'
        )".crt
    done

    # Remove temp files and update certificate stores
    rm -fr "$tmpdir" && $update
}

# Only execute if not being sourced
[[ ${BASH_SOURCE[0]} == "$0" ]] || return 0 && add_dod_certs "$@"

@senterfd-jrg - I see the spaces in the filenames in /etc/ssl/certs/. It looks like it automatically added the underscores after running the update command, but I can understand wanting to add this to keep the file names consistent. Thanks for the catch! I'll be adding this to my code.

Also, I verified the issue you mentioned with the bundle URL. That's another helpful addition. Thanks!

Is this currently functional, as-is above? I see lots of suggestions for fixes, but wasn't sure if this is still being maintained.

@allebone - I use the code above with some of the modifications that the users have reported. @AfroThundr3007730 did incorporate a bunch of stuff as he mentioned. His script is a big help. The DoD site continually changes their structures which requires a modification to the script. I have come here to this chat and seen recommended updates within a day to hours of required changes based on DoD site changes.

I will see if I can talk to the team responsible for this, and perhaps suggest that they stabilize this

…

-------- Aaron Lippold ***@***.*** 260-255-4779 twitter/aim/yahoo,etc. 'aaronlippold'

On Tue, Apr 15, 2025 at 16:11 David Senterfitt ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ @allebone <https://github.com/allebone> - I use the code above with some of the modifications that the users have reported. @AfroThundr3007730 <https://github.com/AfroThundr3007730> did incorporate a bunch of stuff as he mentioned. His script is a big help. The DoD site continually changes their structures which requires a modification to the script. I have come here to this chat and seen recommended updates within a day to hours of required changes based on DoD site changes. — Reply to this email directly, view it on GitHub <https://gist.github.com/AfroThundr3007730/ba99753dda66fc4abaf30fb5c0e5d012#gistcomment-5542141> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALK42GXWMSWIHJH7MKR4K32ZVRYBBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTAMRRHA3DAOBQU52HE2LHM5SXFJTDOJSWC5DF> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

@senterfd-jrg @AfroThundr3007730 I hope my comment wasn’t taken as a complaint or criticism. TBH, I was a little tired and on a small screen with a half-wit understanding of the GIST revisions tab. (Which I didn’t see until today)

I’m just getting started on a base install of 72 servers, and this problem plagues us! (Times a ton)

I’m not scripting savvy but if there is anything I can do to help…let me know. Or I can go back to lurking until someone wants a layman to test. :)