#!/bin/bash # script/sync-dod-certs: update the CA bundle with DOD intermediate and root CAs CAS_FILE_NAME="Certificates_PKCS7_v5.3_DoD" CA_CHAIN="ssl/server-certs/ca-chain.pem" echo "Resetting CA bundle..." rm ssl/server-certs/ca-chain.pem &> /dev/null || true touch $CA_CHAIN if [[ $FLASK_ENV != "prod" ]]; then # only for testing and development echo "Copy in testing client CA..." cat ssl/client-certs/client-ca.crt >> $CA_CHAIN fi # dod intermediate certs echo "Adding DoD root certs" rm -rf tmp || true mkdir tmp curl --silent -o tmp/dod-cas.zip "https://iasecontent.disa.mil/pki-pke/$CAS_FILE_NAME.zip" unzip tmp/dod-cas.zip -d tmp/ &> /dev/null openssl pkcs7 -in "tmp/$CAS_FILE_NAME/$CAS_FILE_NAME.pem.p7b" -print_certs >> $CA_CHAIN rm -rf tmp