How to print the public key of a certificate using keytool? - java

Is there a way in keytool to print the public key of a certificate? I tried:
keytool -printcert -file client.crt
But it gives only the following information:
Owner: CN=client, OU=as, O=as, L=as, ST=as, C=as
Issuer: EMAILADDRESS=as, CN=ca, OU=as, O=as, L=as, ST=as, C=as
Serial number: 3
Valid from: Tue Apr 10 12:18:47 GMT+05:30 2012 until: Wed Apr 10 12:18:47 GMT+05:30 2013
Certificate fingerprints:
MD5: 26:C0:29:E9:8C:AB:C3:9E:95:38:74:8A:87:D3:86:8D
SHA1: 5C:5A:BA:47:44:83:7E:CB:48:BE:DD:E5:39:51:24:42:C6:C5:60:8B
SHA256: DA:26:B8:C8:F4:04:3E:62:F3:7F:3B:EC:1D:9F:85:66:28:00:45:55:66:15:FF:BB:37:77:97:59:F0:EC:0B:B6
Signature algorithm name: SHA1withRSA
Version: 1
There is no public key in this.

You can do it with:
keytool -list -rfc -keystore mykeystore.jks -alias certificate_alias -storepass password
Example run:
PS c:\sample> keytool -list -rfc -keystore mykeystore.jks -alias cert_alias -storepass password
Alias name: cert_alias
Creation date: Apr 25, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

You can do that with openssl.
If this certificate is DER-encoded (binary), use:
openssl x509 -inform der -in client.crt -pubkey -noout
For PEM-encoded, use the -inform pem option (or no -inform at all).
To see the details of the public key, use:
openssl x509 -inform der -in client.crt -pubkey -noout | openssl rsa -pubin -text -noout

You can print the cert in PEM format, then use openssl to print the public key from the PEM format.
Add the -rfc option to -printcert:
keytool -printcert -rfc -file client.crt
Save the output (like below) to a file client.pem:
-----BEGIN CERTIFICATE-----
MIIB4zCCAUygAwIBAgIIRzI14w7rL20wDQYJKoZIhvcNAQENBQAwMzELMAkGA1UEBhMCVVMxDTAL
......
-----END CERTIFICATE-----
Then use openssl:
openssl x509 -inform pem -text -in client.pem
So you get the public key.

keytool -list -rfc just prints the base64-encoded version of the whole certificate, not the public key. Keytool doesn't support printing the public key of a certificate. We can use openssl for this purpose.

keytool -export -alias myalias -keystore mystore.jks | openssl x509 -inform der -pubkey -noout
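
As an added example (not part of the question or any answer above), here is a stdlib-only Python script that does what openssl x509 -pubkey -noout does: it walks the certificate's DER structure, cuts out the SubjectPublicKeyInfo and wraps it as a PEM PUBLIC KEY block, and it also prints keytool-style colon-separated fingerprints so you can confirm you are looking at the same certificate that keytool -printcert showed. It handles the asker's Version 1 certificate, which has no explicit [0] version field, as well as v3. All function names are mine, and the sample certificate is constructed inline (unsigned, dummy key); for a real file, pass the DER bytes written by keytool -exportcert, or the base64-decoded body of the -rfc output.

```python
import base64, hashlib

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (v1 or v3)."""
    _, tbs, _ = der_tlv(cert_der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, pos, _ = der_tlv(cert_der, tbs)       # TBSCertificate ::= SEQUENCE { ... }
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                          # explicit [0] version: present on v3, absent on v1 certs
        pos = end
    for _ in range(5):                       # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    _, _, end = der_tlv(cert_der, pos)       # next element is subjectPublicKeyInfo
    return cert_der[pos:end]

def spki_to_pem(spki):
    """Wrap SubjectPublicKeyInfo the way `openssl x509 -pubkey -noout` prints it."""
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def fingerprint(cert_der, algo="sha256"):
    """Colon-separated hex digest of the whole DER cert, in the format keytool -printcert shows."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, cert_der).digest())

def der(tag, payload):
    """Tiny DER encoder, used only to build the constructed sample certificate below."""
    n = len(payload)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb) + payload

def sample_cert(version3=True):
    """Constructed sample (not a real cert): unsigned v1/v3 skeleton with a dummy RSA key; returns (cert_der, spki_der)."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))      # sha256WithRSA
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"client"))))
    validity = der(0x30, der(0x17, b"120410064847Z") + der(0x17, b"130410064847Z"))
    rsa_key = der(0x30, der(0x02, b"\x00\xC1\x23") + der(0x02, b"\x01\x00\x01"))       # RSAPublicKey {n, e}
    rsa_oid = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption
    spki = der(0x30, rsa_oid + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x02, b"\x03") + alg + name + validity + name + spki                        # serial 3, as in the question
    if version3:
        tbs = der(0xA0, der(0x02, b"\x02")) + tbs                                        # [0] EXPLICIT version v3
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 9)), spki
```

Run extract_spki on the DER bytes and pipe the PEM into openssl rsa -pubin -text -noout, or into openssl pkey -pubin -text, to see the modulus and exponent; the fingerprint should match the SHA256 line from keytool -printcert.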


How can I replace a new intermediate CA Certificate in a keystore file?
Hi,
I have a keystore file running on a server to support Tomcat TLS/HTTPS services.
In this keystore file, there are 3 certificates -
end certificate (tomcat)
intermediate CA Certificate (my_ssl_ca_v2_b)
Root CA Certificate (my_root_ca)
Here is the cert list.
C:\Program Files\Java\jre1.8.0_144\bin>keytool.exe -list -keystore C:\mycert\my.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
tomcat, Oct 10, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3C:15:E8:D0:46:A8:8D:1F:93:52:9D:54:35:48:69:71:ED:49:44:65
my_ssl_ca_v2_b, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 0C:C3:60:CB:C6:91:0A:90:E4:0G:91:BE:3B:A6:D7:5B:C3:7B:8A:0F
my_root_ca, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 6C:23:89:FA:A8:E5:7D:E1:45:BE:75:84:15:E8:D8:41:73:59:FD:19
It was working fine.
A couple of days ago, the intermediate CA Certificate in the file expired. I got the new updated intermediate CA Certificate later.
Now, the question is - how can I replace the expired intermediate CA Certificate in the keystore file with the new one?
I understand I can use keytool -delete and -import option to delete and re-import the intermediate CA my_ssl_ca_v2_b.
However, how can I replace the intermediate CA cert inside the PrivateKeyEntry (Alias tomcat) in the keystore file, as follows?
**Alias name: tomcat**
Creation date: Oct 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
...
...
Certificate[2]:
Owner: CN=My SSL CA v2 - A, O=eBay Inc, C=US
Issuer: CN=My Root CA, O=eBay Inc, C=us
Serial number: 6800000004b4491dd58df45b9b000000000004
**Valid from: Wed Oct 14 18:35:33 UTC 2015 until: Wed Oct 14 18:45:33 UTC 2020**
...
...
Certificate[3]:
Owner: CN=My Root CA, O=eBay Inc, C=us
Issuer: CN=My Root CA, O=eBay Inc, C=us
Serial number: 4500888247008e884cd02d71a035810e
I can't use keytool -delete and -import option to delete and re-import the alias tomcat with the End Cert file because that will delete the private key as well and the private key will never be back.
Can you please teach me the exact steps to replace an intermediate CA Certificate in a keystore? Thanks a lot!
-Jun
This isn't really a programming or development question, even though you use the result on tomcat, and may get closed.
You need to create a file containing the whole chain -- end-entity, intermediate and root certs, in that order, in PEM. If you don't already have the EE cert in PEM you can extract it with keytool -export[cert] -keystore ksfile -alias tomcat -rfc -file eecert. Obviously you have the new intermediate cert that you just got, and if you don't have the root already (and it didn't change) export that also. You can combine the files with cat a b c >d on Unix or COPY a+b+c d on Windows, or use any text editor you like. Then import it to the privatekey entry like keytool -import[cert] -keystore ksfile -alias tomcat -file chainfile.

Trying to download and setup the certificate from a remote SSL address for WebSocket connection but getting a "Signature does not match" exception

First I downloaded the certificate with:
echo "" | openssl s_client -connect io.lightstream.bitflyer.com:443 -showcerts 2>/dev/null | openssl x509 -out bitflyer.cer
Then I imported the certificate into a keychain:
keytool -import -file bitflyer.cer -alias bitflyer -keystore bitflyer.jks -storepass "abc123" -keypass "abc123"
So I'm trying to connect to io.lightstream.bitflyer.com:443. Below is my full handshake:
Sending HTTP handshake! req=GET / HTTP/1.1
Host: io.lightstream.bitflyer.com
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Sec-WebSocket-Key: 0enPg4mnHvLcT6s7+4mEGA==
Origin: http://www.websocket.org
Sec-WebSocket-Version: 13
But then I get:
Caused by: sun.security.validator.ValidatorException: Certificate signature validation failed
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:215)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:289)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
... 16 more
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:392)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:213)
... 21 more
Any ideas what am I doing wrong or how to debug that? Thanks!
openssl s_client -connect io.lightstream.bitflyer.com:443
The certificates you get here depend on the OpenSSL version. Up to 1.0.2 the server_name extension (SNI) was not automatically used (i.e. you had to explicitly use -servername), and without it the resulting certificate is a self-signed certificate for "Kubernetes Ingress Controller Fake Certificate". With SNI, though, the certificate is the proper certificate for "io.lightstream.bitflyer.com".
My guess is that you actually added the certificate for "Kubernetes Ingress Controller Fake Certificate" while Java is using SNI and thus getting the certificate for "io.lightstream.bitflyer.com" instead. Or it might be the other way around, depending on your version of OpenSSL, of Java and of the actual Java code.

KeyTool error : java.lang.Exception : Alias does not exist

I have successfully imported the certificate with the command below:
keytool -import -alias "alias-name" -file "C:\somepath\Certificate\portal.cer" -keystore "C:\Program Files\Java\jdk1.7.0_79\jre\lib\cacerts"
Now I am trying to delete the imported certificate with
keytool -delete -alias "alias-name" -keystore "C:\Program Files\Java\jdk1.7.0_79\jre\lib\cacerts" -storepass changeit
But I end up with the below error message:
KeyTool error : java.lang.Exception : Alias does not exist
For Ubuntu / Linux
List all entries from your keystore with the respective alias
keytool -list -v -keystore "myKeyStore.jks" -storepass myPassword
The verbose option '-v' is important in order to see the aliases.
Example output:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: 1
Creation date: Dec 4, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=yourname.com, O=Your Name, C=XX
Issuer: CN=Issuer CA, O=Issuer Name, C=XX
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: Mon Feb 25 10:04:56 GMT 2019 until: Wed Feb 24 10:04:56 GMT 2021
Certificate fingerprints:
SHA1: 9F:35:31:B1:A9:C2:37:8D:61:2F:9B:ED:82:3F:45:26:E1:D9:18:83
SHA256: 34:65:C8:B6:4D:24:9D:20:3C:24:7B:B7:7B:F5:6B:F3:BE:79:11:BE:4F:8C:21:D2:9E:86:CC:AD:17:84:01:C4
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
...
Check if the alias exists. You can list all entries using:
keytool -list -keystore "C:\Program Files\Java\jdk1.7.0_79\jre\lib\cacerts" -storepass changeit
This command will show all existing aliases in the file. If it's not there, that's why you can't delete it.
Sometimes you may get this error even when the alias is present in the keystore. This may be because you are not giving the alias name properly when passing it as an argument.
Ex: letsencryptisrgx1 [jdk]
In the above alias name you can see the square brackets, which were the issue in my case.
When I give the entire name in double quotes it works.
$JAVA_HOME/bin/keytool -list -v -alias "letsencryptisrgx1 [jdk]" -keystore $JAVA_HOME/lib/security/cacerts

Import Verisign SSL Certificate in Tomcat7

I am trying to install an SSL certificate in Tomcat7. This is what I have done so far.
installed ssl certificate received on email
sudo ./keytool -import -trustcacerts -alias download.addressdoctor -keystore /usr/local/tomcat7/bin/keystore.jks -file /usr/local/tomcat7/conf/certx509.cer
Installed Intermediate certificate
sudo ./keytool -import -trustcacerts -alias intermediate -keystore /usr/local/tomcat7/bin/keystore.jks -file /usr/local/tomcat7/conf/combined.cer
These are my entries in the keystore:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: adnewkey
Creation date: Sep 10, 2014
Entry type: trustedCertEntry
Owner: CN=website.com, OU=IT, O=company, L=City, ST=state, C=country
*******************************************
*******************************************
Alias name: mykey
Creation date: Sep 10, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=website.com, OU=IT, O=company
Now if I try to check the certificate through https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
it says it is a self-signed certificate, whereas I installed the certificate received from Verisign. If I remove the entry "alias mykey" then it will show the error "no root certificate found".
Can you please help me in pointing out what I am doing wrong, and also, for running an SSL certificate, what values should be present in the keystore?
Thanks,

Keytool generates SHA1 fingerprint instead of MD5?

I want to use Google Maps in my application, I have followed this tutorial to generate MD5 fingerprint of my eventappkey.keystore. But keytool generates SHA1 fingerprint instead of MD5, due to which I am unable to register for Google Api as google accepts MD5 fingerprint of keystore.
I have looked at other answers which suggest to use jdk1.6. But is there a better way so that I do not need to move to jdk1.6. Any suggestion would be greatly appreciated.
If you add the -v (verbose) option to your command line, like
keytool -v -list -alias alias_name -keystore my-release-key.keystore
it should show you the MD5 fingerprint.
If you use Android Studio then use this method:
Syntax:
keytool -list -v -keystore "%USERPROFILE%\.android\debug.keystore" -alias androiddebugkey -storepass android -keypass android
Example:
C:\Program Files\Java\jdk1.7.0_71\bin>keytool -list -v -keystore c:\users\your_user_name\.android\debug.keystore -alias androiddebugkey -storepass android -keypass android
keytool error: java.lang.Exception: Keystore file does not exist: c:\users\your_user_name\.android\debug.keystore
java.lang.Exception: Keystore file does not exist: c:\users\your_user_name\.android\debug.keystore
at sun.security.tools.KeyTool.doCommands(KeyTool.java:738)
at sun.security.tools.KeyTool.run(KeyTool.java:340)
at sun.security.tools.KeyTool.main(KeyTool.java:333)
C:\Program Files\Java\jdk1.7.0_71\bin>keytool -list -v -keystore C:\Users\srinivas\.android\debug.keystore -alias androiddebugkey -storepass android -keypass android
Alias name: androiddebugkey
Creation date: Apr 8, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Serial number: 4e7c69e7
Valid from: Wed Apr 08 15:17:20 IST 2015 until: Fri Mar 31 15:17:20 IST 2045
Certificate fingerprints:
MD5: 9D:C3:05:CB:FF:CA:06:31:8C:FC:FE:44:6C:94:BC:90
SHA1: 2F:88:EF:9D:1B:3E:35:87:18:7D:56:B5:95:83:9A:EF:C1:B3:25:B4
SHA256: 0F:D2:BC:2C:58:1B:16:3D:E3:5C:76:7D:C3:49:3A:A0:9D:95:4E:3E:6B:71:0B:F7:2B:23:72:54:B8:57:62:A2
Signature algorithm name: SHA256withRSA
Version: 3
