Java - List the certificates in a keystore or truststore using the Java keytool command


If you are not familiar with the Java keytool command, check out our Getting Started article.

The Java keytool command with the -list option can be used to view certificates in a Java keystore or truststore file.

AVOID TROUBLE

If the keystore or truststore type is PKCS12, the -storetype pkcs12 option must be used.

If the Java keystore or truststore is password protected, you will be prompted for the password.

~]$ keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list
Enter keystore password:

 

Or, the -storepass option can be used to provide the password on the command line. Be aware that a password passed this way is recorded in the shell history and is visible in the process list while the command runs.

~]# keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list -storepass itsasecret
Keystore type: pkcs12
Keystore provider: SUN

Your keystore contains 3 entries

DigiCert, Aug 21, 2023, trustedCertEntry,
Certificate fingerprint (SHA1): 1E:0C:EB:DC:CA:E3:DC:16:76:77:EE:BE:91:9B:43:3D:9D:10:15:8E
GoDaddy, Oct 14, 2023, trustedCertEntry,
Certificate fingerprint (SHA1): 8A:7B:10:43:A1:BE:78:D0:CF:12:9F:02:8C:99:F2:3D:1A:69:81:1D
example.com, May 12, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA1): D0:80:B9:77:80:F9:DA:FF:77:54:4F:36:B1:A8:03:6F:25:EE:1C:72

Each entry in the output is one of two types:

  • PrivateKeyEntry contains a private key and typically the public certificates that make up the certificate chain (the root certificate authority (CA) certificate, the intermediate certificate authority (CA) certificate, and the server certificate).
  • trustedCertEntry typically contains only the root certificate authority (CA) certificate but may contain the public certificates that make up the certificate chain (the root certificate authority (CA) certificate, the intermediate certificate authority (CA) certificate, and the server certificate). A trustedCertEntry does not contain a private key.

 

The -v (verbose) option can be used to display the full details of each trustedCertEntry and PrivateKeyEntry in the keystore.

keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list -v

 

Or, the -alias option can be used to display the full details of a specific trustedCertEntry or PrivateKeyEntry in the keystore.

~]# keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list -v -alias example.com

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: example.com
Creation date: Feb 10, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, OU=Information Technology, O=Acme, L=Appleton, ST=WI, C=US
Issuer: CN=IntermediateCA, DC=example, DC=com
Serial number: 3a000001d8af30a16a44402b790001000001d8
Valid from: Wed Jun 29 14:30:15 UTC 2022 until: Thu Jun 29 14:30:15 UTC 2023
Certificate fingerprints:
         SHA1: D0:80:B9:77:80:F9:DA:FF:77:54:4F:36:B1:A8:03:6F:25:EE:1C:72
         SHA256: 14:8C:CD:59:A9:C4:48:45:33:28:C3:AE:E7:6C:B6:1E:0A:F5:3B:9C:64:E5:BB:02:69:30:81:D9:6D:5F:06:AD
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
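
The verbose listing can be checked automatically for certificates that are expired or close to expiry, and for private keys sitting in a file that is meant to be a truststore. The Python below is an added example, not part of the original article or of keytool; the function names, the rootca alias and the sample text are constructed for illustration.

```python
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_java_date(text):
    # Java Date.toString() form, e.g. "Thu Jun 29 14:30:15 UTC 2023".
    # Assumption: the zone abbreviation is ignored; day-level accuracy is enough.
    _dow, mon, day, hms, _tz, year = text.split()
    hour, minute, second = map(int, hms.split(":"))
    return datetime(int(year), MONTHS[mon], int(day), hour, minute, second)

def audit(listing, now, warn_days=30, truststore=False):
    """Return (alias, owner, finding) tuples; every certificate in a chain is checked."""
    findings, alias, owner = [], None, None
    for line in map(str.strip, listing.splitlines()):
        key, _, value = line.partition(": ")
        if key == "Alias name":
            alias, owner = value, None
        elif key == "Entry type" and truststore and value == "PrivateKeyEntry":
            findings.append((alias, None, "private key in truststore"))
        elif key == "Owner":
            owner = value
        elif key == "Valid from":
            start, end = map(parse_java_date, value.split(" until: "))
            if now < start:
                findings.append((alias, owner, "not yet valid"))
            elif end < now:
                findings.append((alias, owner, "expired"))
            elif end - now <= timedelta(days=warn_days):
                findings.append((alias, owner, "expires within %d days" % warn_days))
    return findings

# Constructed sample, modelled on the verbose output shown above.
SAMPLE = """\
Alias name: example.com
Entry type: PrivateKeyEntry
Owner: CN=www.example.com, OU=Information Technology, O=Acme, L=Appleton, ST=WI, C=US
Valid from: Wed Jun 29 14:30:15 UTC 2022 until: Thu Jun 29 14:30:15 UTC 2023

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=RootCA, DC=example, DC=com
Valid from: Mon Jan 06 00:00:00 UTC 2020 until: Sun Jan 06 00:00:00 UTC 2040
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, datetime(2023, 6, 15), truststore=True):
        print(finding)
```

To use it on a real file, pass the captured text of the keytool -list -v command to audit() in place of SAMPLE.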

 

The -rfc flag can be used to print each certificate in its PEM-encoded (Base64) form instead of the human-readable details.

keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list -rfc

 



