Keytool, a command-line utility included with Java, allows you to manage keystores and certificates. Among its many functionalities, printing and viewing certificates stored in a keystore are common tasks. These operations help verify the certificate details, check validity, and ensure proper configuration in Java-based applications.
This article explains how to use Keytool to print and view certificates, provides examples of the most commonly used commands, and highlights best practices for keystore management.
TL;DR
Use Keytool to print certificate details from a keystore:
keytool -list -keystore <keystore_file>
To view a specific certificate:
keytool -list -keystore <keystore_file> -alias <alias_name>
Keytool is included with the Java Development Kit (JDK). Ensure the JDK is installed and the Keytool binary is in your system’s PATH.
Printing All Certificates in a Keystore
To view a list of all certificates stored in a keystore, use the -list command.
Syntax:
keytool -list -keystore <keystore_file>
Example:
keytool -list -keystore mykeystore.jks
Output:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
server-cert, Nov 20, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AB:CD:EF:12:34:56:78:90:...
client-cert, Nov 18, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 98:76:54:32:10:FE:DC:BA:...
Viewing a Specific Certificate
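To view details of a specific certificate, include the -alias option along with the keystore. Add -v to print the full entry (owner, issuer, validity period and fingerprints) shown in the output below; without -v, keytool prints only the one-line summary and fingerprint for that alias.
Syntax:
keytool -list -v -keystore <keystore_file> -alias <alias_name>
Example:
keytool -list -v -keystore mykeystore.jks -alias server-cert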
Output:
Alias name: server-cert
Creation date: Nov 20, 2024
Entry type: trustedCertEntry
Owner: CN=socketdaddy.com, OU=IT, O=SocketDaddy, L=Bengaluru, ST=KA, C=IN
Issuer: CN=Example CA, OU=Certification Authority, O=Example Inc, L=San Francisco, ST=CA, C=US
Serial number: 1234567890ABCDEF
Valid from: Mon Nov 20 00:00:00 UTC 2024 until: Tue Nov 20 00:00:00 UTC 2025
Certificate fingerprints:
SHA1: 12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF
SHA256: AB:CD:EF:12:34:56:78:90:...
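Checking validity across a whole keystore, as an added example that is not part of the original article: the shell function below reads the output of keytool -list -v and classifies every certificate by its "until" date. The function name, the YYYYMMDD arguments and the sample listing are assumptions made for this example, and the parser assumes the English-locale date format shown above.

```shell
#!/bin/sh
# Added example. Assumes the English-locale date format keytool prints,
# e.g. "until: Tue Nov 20 00:00:00 UTC 2025".

# cert_expiry_report TODAY CUTOFF  (both YYYYMMDD; listing is read from stdin)
# Prints: alias <TAB> not-after as YYYYMMDD <TAB> EXPIRED|EXPIRING|OK|UNPARSED
cert_expiry_report() {
    awk -v today="$1" -v cutoff="$2" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
            for (i = 1; i <= n; i++) month[names[i]] = i
        }
        /^Alias name: / { alias = substr($0, 13) }   # text after "Alias name: "
        /^Valid from: .* until: / {
            # A key entry with a chain has one such line per certificate.
            split(substr($0, index($0, " until: ") + 8), f, " ")
            if (!(f[2] in month) || f[6] !~ /^[0-9]+$/) {
                printf "%s\t-\tUNPARSED\n", alias
                next
            }
            notafter = sprintf("%04d%02d%02d", f[6], month[f[2]], f[3])
            if (notafter + 0 < today + 0)        status = "EXPIRED"
            else if (notafter + 0 <= cutoff + 0) status = "EXPIRING"
            else                                 status = "OK"
            printf "%s\t%s\t%s\n", alias, notafter, status
        }'
}

# Constructed sample modeled on the output above (not from a real keystore).
sample_listing() {
    cat <<'EOF'
Alias name: server-cert
Creation date: Nov 20, 2024
Entry type: trustedCertEntry
Owner: CN=socketdaddy.com, OU=IT, O=SocketDaddy, L=Bengaluru, ST=KA, C=IN
Valid from: Mon Nov 20 00:00:00 UTC 2024 until: Tue Nov 20 00:00:00 UTC 2025

Alias name: client-cert
Creation date: Nov 18, 2024
Entry type: trustedCertEntry
Owner: CN=client.example.test, O=Example
Valid from: Mon Nov 18 00:00:00 UTC 2024 until: Wed Nov 18 00:00:00 UTC 2026
EOF
}

# Real use: keytool -list -v -keystore mykeystore.jks | cert_expiry_report "$(date +%Y%m%d)" <cutoff>
sample_listing | cert_expiry_report 20251101 20251201
```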
Printing Certificates in Human-Readable Format
To view certificates in a more readable format, export the certificate and decode it using the openssl tool.
Step 1: Export the Certificate
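Export the certificate using the -exportcert option. Add -rfc so the file is written as PEM, which openssl x509 reads without extra options; without -rfc keytool writes binary DER, and older openssl versions then need -inform der.
keytool -exportcert -rfc -keystore <keystore_file> -alias <alias_name> -file <output_file>
Example:
keytool -exportcert -rfc -keystore mykeystore.jks -alias server-cert -file server-cert.crt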
Step 2: Decode the Certificate
Use openssl to decode the exported certificate:
openssl x509 -in <output_file> -text -noout
Example:
openssl x509 -in server-cert.crt -text -noout
Common Issues and Solutions
Invalid Keystore Password
- Cause: Incorrect password provided for the keystore.
- Solution: Verify the password or reset it if possible using backup credentials.
Alias Not Found
- Cause: The specified alias does not exist in the keystore.
- Solution: List all entries in the keystore to verify the correct alias name.
keytool -list -keystore mykeystore.jks
Keytool Command Not Found
- Cause: Keytool is not in the system’s PATH.
- Solution: Add the JDK’s bin directory to the PATH environment variable.
export PATH=$PATH:/path/to/jdk/bin