keytool list certs - How to list contents of a keystore - Mister PKI (2024)

by Mister PKI

What is Java keytool?

The Java keytool is a command-line utility, shipped with the JDK, for managing keystores in several formats that hold private keys and certificates. You can use it to list the contents of a keystore. In many respects keytool competes with openssl for keystore, key, and certificate management. The keytool -list command lists the entries in your keystore.

Why use the Java keytool to list keystore certificates, keys, and entries?

You may want to list the certificates, keys, and other keystore entries to audit them and confirm they are still valid for your application. Check that each entry is still needed, that no certificate has expired or is about to, and that key entries are actually being rotated rather than accumulating. You can also output the PEM-encoded certificate so it can be inspected with other tools such as openssl.

What keytool command do I use to list the contents of a keystore?

Use the following command to list the contents of a keystore with the Java keytool. The result is a detailed listing of the keystore. Note that this example uses the -alias option; if -alias is omitted, every entry and alias in the keystore is listed. The example also uses the optional -rfc switch to print the PEM-encoded certificate in addition to the entry summary.

keytool -list \
    -rfc \
    -alias example \
    -keystore example.p12 \
    -storepass changeit \
    -storetype PKCS12

With the -rfc flag, the keytool list command above prints the certificate chain stored with the key entry as PEM (BEGIN CERTIFICATE / END CERTIFICATE blocks) rather than only its fingerprints. That is the form you need when you want to feed the certificate to openssl or import it into another trust store.

A shorter version of the same command, without -alias or -rfc, shows a one-line summary of every entry in the keystore and prompts you for the store password:

keytool -list -keystore example.p12

The output will look similar to the following:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

example, Jan 13, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 9D:E7:F2:58:96:91:13:84:7F:AD:D7:EC:B7:8E:AD:29:47:80:FE:FB:4B:1E:7A:8D:FE:DE:63:E0:B0:5B:DB:8D

Where "example, Jan 13, 2021, PrivateKeyEntry" gives the alias, the date the entry was created in this keystore (not the certificate's validity dates), and the entry type. The SHA-256 fingerprint identifies the certificate stored with the key.

You may also include the -v flag to provide a verbose output of the keystore:

keytool -list -v -keystore example.p12

Which will display console output similar to the following:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: example
Creation date: Jan 13, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example.com, OU=exampleou, DC=example, DC=com
Issuer: CN=example.com, OU=exampleou, DC=example, DC=com
Serial number: 52f5b97b
Valid from: Thu Dec 19 00:00:00 EST 2019 until: Fri Dec 18 00:00:00 EST 2020
Certificate fingerprints:
     SHA1: B2:0B:1B:3B:70:C5:F6:58:0F:19:6A:6F:45:11:55:C4:4F:CE:EE:F5
     SHA256: 9D:E7:F2:58:96:91:13:84:7F:AD:D7:EC:B7:8E:AD:29:47:80:FE:FB:4B:1E:7A:8D:FE:DE:63:E0:B0:5B:DB:8D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C8 33 78 6A 09 D2 39 6A   79 57 EE 79 0C F1 40 05  .3xj..9jyW.y..@.
0010: B6 92 90 70                                        ...p
]
]

The verbose listing is what you audit against. Owner and Issuer are identical here, so this is a self-signed certificate with a chain length of 1. Read the "Valid from ... until" line carefully: in this sample the certificate stopped being valid on Dec 18, 2020, before the entry's Jan 13, 2021 creation date, so it was already expired when it was imported, and the listing alone is enough to catch that.

Java keytool options:

-rfc – Output the certificates of the listed entries in PEM format (BEGIN CERTIFICATE / END CERTIFICATE blocks) instead of fingerprints only.

-alias – The alias of the entry in the keystore. Choose aliases that make the listing readable, especially when the keystore holds many entries; without -alias every entry is listed.

-keystore – The filename of the keystore.

-storepass – The keystore password. Leave this option off and let keytool prompt you: a password on the command line ends up in your shell history and is visible to other local users in the process list while keytool runs. If a script must supply it non-interactively, keytool also accepts -storepass:env VARNAME (read from an environment variable) and -storepass:file PATH (read from a file whose permissions you can lock down).

-storetype – The keystore format. PKCS12 is the JDK default since Java 9 and the recommended choice; JKS is the older Java-proprietary format, and keytool prints a warning recommending migration to PKCS12 whenever it opens one. keytool on JDK 9 and later detects the type of an existing keystore, so the option is mainly needed when creating a keystore or for less common types. In this case the keystore was of type PKCS12.


Keytool list cacerts

You may receive notice that a dependent system has issued a new certificate from a new CA and need to know whether that CA is already trusted. If you rely on the default Java cacerts trust store, you can pipe the verbose listing through grep. This example searches for a SHA-1 fingerprint, but you can search for the SHA-256 fingerprint or the Owner DN instead. The -B and -A options print lines before and after the match so that the alias, validity period, and key size come with it; the counts depend on the exact output layout of your JDK version, so adjust them if the alias line is cut off. The -cacerts option (JDK 9 and later) points keytool at the JDK's own cacerts file, commonly found in the lib/security directory under the Java home, so you do not need to be in that directory; on older JDKs pass -keystore with that path instead. A match only tells you the CA certificate is present, not that it is still valid, so read the "Valid from ... until" line too.

keytool -list -v -cacerts | grep -i "<sha1 fingerprint>" -B 9 -A 11
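The audit described earlier (is each entry still valid, still needed, and backed by an adequately sized key?) and the cacerts fingerprint search above are both easier when the verbose listing is parsed rather than eyeballed or grepped with fixed -B/-A line counts. The following Python script is an added example, not code from the Mister PKI page: it parses `keytool -list -v` output piped into it, reports expired or soon-to-expire certificates and undersized keys, and tells you which alias holds a given SHA-1 or SHA-256 fingerprint. The embedded sample is the page's own listing plus one constructed trustedCertEntry (alias constructed-ca, with an invented fingerprint and a 1024-bit key) so that each check fires on one entry; the file name audit_listing.py, the 2048/256-bit key floors, and the 30-day warning window are my assumptions.

```python
"""Offline audit of `keytool -list -v` output: added example, not code from the page.
Usage: keytool -list -v -cacerts | python3 audit_listing.py [FINGERPRINT]
Without piped input it audits SAMPLE_LISTING (the page's entry plus a constructed one)."""
import re
import sys
from datetime import datetime, timedelta

# First entry is the page's own sample output; "constructed-ca" is invented for the demo.
SAMPLE_LISTING = """\
Alias name: example
Creation date: Jan 13, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example.com, OU=exampleou, DC=example, DC=com
Issuer: CN=example.com, OU=exampleou, DC=example, DC=com
Valid from: Thu Dec 19 00:00:00 EST 2019 until: Fri Dec 18 00:00:00 EST 2020
Certificate fingerprints:
\t SHA1: B2:0B:1B:3B:70:C5:F6:58:0F:19:6A:6F:45:11:55:C4:4F:CE:EE:F5
\t SHA256: 9D:E7:F2:58:96:91:13:84:7F:AD:D7:EC:B7:8E:AD:29:47:80:FE:FB:4B:1E:7A:8D:FE:DE:63:E0:B0:5B:DB:8D
Subject Public Key Algorithm: 4096-bit RSA key

Alias name: constructed-ca
Creation date: Mar 2, 2020
Entry type: trustedCertEntry
Owner: CN=Constructed Test CA, O=Example
Issuer: CN=Constructed Test CA, O=Example
Valid from: Sun Mar 01 00:00:00 UTC 2020 until: Fri Mar 01 00:00:00 UTC 2030
Certificate fingerprints:
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
\t SHA256: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF
Subject Public Key Algorithm: 1024-bit RSA key
"""

ALIAS = re.compile(r"^Alias name: (.+)$", re.M)
ENTRY_TYPE = re.compile(r"^Entry type: (\S+)", re.M)
VALIDITY = re.compile(r"^Valid from: (.+?) until: (.+)$", re.M)
# keytool prints e.g. "4096-bit RSA key" or "256-bit EC (secp256r1) key"
KEY = re.compile(r"^Subject Public Key Algorithm: (\d+)-bit (\w+)(?: \([^)]*\))? key", re.M)
FINGERPRINT = re.compile(r"^\s*SHA(?:1|256): ([0-9A-Fa-f:]+)$", re.M)
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 256}  # review floors (my choice), not keytool's

def normalize_fp(fp):
    """Fingerprints compare equal regardless of case or colon separators."""
    return fp.replace(":", "").upper()

def parse_java_date(text):
    """Parse Java's Date.toString() ('Fri Dec 18 00:00:00 EST 2020'). The zone
    token is dropped because strptime's %Z only knows the local zone; day-level
    accuracy is all an audit needs."""
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_listing(text):
    """One dict per alias. For a PrivateKeyEntry the first Valid/key match is
    Certificate[1] (the entity cert); fingerprints are kept for the whole chain."""
    entries, starts = [], list(ALIAS.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        block = text[m.start():end]
        validity, key = VALIDITY.search(block), KEY.search(block)
        entries.append({
            "alias": m.group(1).strip(),
            "type": ENTRY_TYPE.search(block).group(1),
            "not_before": parse_java_date(validity.group(1)),
            "not_after": parse_java_date(validity.group(2)),
            "key_alg": key.group(2) if key else None,
            "key_bits": int(key.group(1)) if key else None,
            "fingerprints": {normalize_fp(f.group(1)) for f in FINGERPRINT.finditer(block)},
        })
    return entries

def audit(entries, now, warn_days=30):
    """(alias, problem) pairs a keystore review should act on: expired, expiring, weak key."""
    findings = []
    for e in entries:
        if e["not_after"] < now:
            findings.append((e["alias"], "expired %s" % e["not_after"].date()))
        elif e["not_after"] - now < timedelta(days=warn_days):
            findings.append((e["alias"], "expires within %d days" % warn_days))
        floor = MIN_KEY_BITS.get(e["key_alg"])
        if floor and e["key_bits"] < floor:
            findings.append((e["alias"], "%d-bit %s key below %d-bit minimum"
                             % (e["key_bits"], e["key_alg"], floor)))
    return findings

def find_alias(entries, fingerprint):
    """Aliases whose chain contains a cert with this SHA-1 or SHA-256 fingerprint."""
    want = normalize_fp(fingerprint)
    return [e["alias"] for e in entries if want in e["fingerprints"]]

if __name__ == "__main__":
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    entries = parse_listing(text)
    for alias, problem in audit(entries, datetime.now()):
        print("%-20s %s" % (alias, problem))
    if len(sys.argv) > 1:
        print("fingerprint owner(s):", find_alias(entries, sys.argv[1]) or "none")
```

Because every keytool keystore type produces the same verbose layout, the parser works unchanged for a PKCS12 application keystore or the JDK cacerts file; pass the fingerprint from the new CA as the argument to replace the grep -B/-A search with an exact, case-insensitive lookup that also reports the entry's validity and key size.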

Here are the official keytool docs to dive further into how to list certificate contents of the keystore. https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__DISPLAYDATA-507D2B01


