--- /dev/null
+#! /bin/sh -e
+
+bad_issuers="
+O = Digital Signature Trust Co., CN = DST Root CA X3
+"
+
+case $# in
+ 1) certs=$1 ;;
+ *) echo >&2 "usage: $0 CERTLIST-FILE"; exit 2 ;;
+esac
+
+nl="
+"
+mode=skip all=
+while IFS= read -r line; do
+ case $line,$mode in
+ "-----BEGIN CERTIFICATE-----",skip)
+ mode=keep
+ buf="$line$nl"
+ ;;
+ "-----END CERTIFICATE-----",keep)
+ mode=skip
+ buf="$buf$line"
+ keep=t
+ case "$nl$nl$all$nl$nl" in
+ *"$nl$nl$buf$nl$nl"*) keep=nil ;;
+ esac
+ case $keep in
+ t)
+ issuer=$(echo "$buf" | openssl x509 -noout -issuer)
+ case $bad_issuers in $"$nl$issuer$nl"*) keep=nil ;; esac
+ ;;
+ esac
+ case $keep in t) all="${all:+$all$nl$nl}$buf" ;; esac
+ ;;
+ *,keep) buf="$buf$line$nl" ;;
+ esac
+done <"$certs"
+
+case $all in "") echo >&2 "$0: no certificates found"; exit 127 ;; esac
+echo "$all"
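Review bot: The bad-issuer test `case $bad_issuers in $"$nl$issuer$nl"*)` looks like it fails open, so certificates issued by DST Root CA X3 would stay in the output. `$"..."` is a bash locale-translation form rather than POSIX; a `/bin/sh` such as dash keeps the `$` as a literal character, so the pattern can never match the newline-led list, and even under bash it is anchored at the start of the list and could only match its first entry. Separately, `openssl x509 -noout -issuer` normally prints the name with a leading `issuer=` and in a layout that differs between OpenSSL releases, so comparing it with the bare `O = ..., CN = ...` entry is unlikely to hit as written (worth confirming against the OpenSSL in use). Suggest `case $bad_issuers in *"$nl${issuer#issuer=}$nl"*) keep=nil ;; esac`, with the name layout pinned through `-nameopt`, and a test run on a bundle that contains a certificate from that issuer to confirm it is dropped.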