Java - List the certificates in a keystore or truststore using the Java keytool command
by Jeremy Canfield | Updated: February 10 2023 | Java articles
If you are not familiar with the Java keytool command, check out our Getting Started article. The Java keytool command with the -list option can be used to view certificates in a Java keystore or truststore file.
AVOID TROUBLE
If the keystore or truststore type is PKCS12, the -storetype pkcs12 option must be used.
If the Java keystore or truststore is password protected, you will be prompted for the password.
~]$ keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list
Enter keystore password:
Or, the -storepass option can be used to provide the password on the command line.
- PrivateKeyEntry contains a private key and typically the public certificates that make up the certificate chain (the root certificate authority (CA) certificate, the intermediate certificate authority (CA) certificate, and the server certificate).
- trustedCertEntry typically contains only the root certificate authority (CA) certificate but may contain the public certificates that make up the certificate chain (the root certificate authority (CA) certificate, the intermediate certificate authority (CA) certificate, and the server certificate). A trustedCertEntry does not contain a private key.
~]# keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list -storepass itsasecret
Keystore type: pkcs12
Keystore provider: SUN

Your keystore contains 3 entries

DigiCert, Aug 21, 2023, trustedCertEntry,
Certificate fingerprint (SHA1): 1E:0C:EB:DC:CA:E3:DC:16:76:77:EE:BE:91:9B:43:3D:9D:10:15:8E
GoDaddy, Oct 14, 2023, trustedCertEntry,
Certificate fingerprint (SHA1): 8A:7B:10:43:A1:BE:78:D0:CF:12:9F:02:8C:99:F2:3D:1A:69:81:1D
example.com, May 12, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA1): D0:80:B9:77:80:F9:DA:FF:77:54:4F:36:B1:A8:03:6F:25:EE:1C:72
The -v (verbose) option can be used to display the full details of each trustedCertEntry and PrivateKeyEntry in the keystore.
keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list -v
Or, the -alias option can be used to display the full details of a specific trustedCertEntry or PrivateKeyEntry in the keystore.
~]# keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list -v -alias example.com
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: example.com
Creation date: Feb 10, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, OU=Information Technology, O=Acme, L=Appleton, ST=WI, C=US
Issuer: CN=IntermediateCA, DC=example, DC=com
Serial number: 3a000001d8af30a16a44402b790001000001d8
Valid from: Wed Jun 29 14:30:15 UTC 2022 until: Thu Jun 29 14:30:15 UTC 2023
Certificate fingerprints:
	 SHA1: D0:80:B9:77:80:F9:DA:FF:77:54:4F:36:B1:A8:03:6F:25:EE:1C:72
	 SHA256: 14:8C:CD:59:A9:C4:48:45:33:28:C3:AE:E7:6C:B6:1E:0A:F5:3B:9C:64:E5:BB:02:69:30:81:D9:6D:5F:06:AD
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
The -rfc flag can be used to output the encoded certificate data.
keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list -rfc
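As an added example (not part of the original article), the same inventory that keytool -list -v prints can be produced from Java with the standard KeyStore API, which is useful when you want to check a fleet of keystores for expiring certificates rather than read the output by hand. The class name KeystoreAudit and the path and password arguments are placeholders; the rest uses only the JDK.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
// Walks a PKCS12 keystore the way "keytool -list -v" does: entry type, subject,
// SHA256 fingerprint, and a warning for certificates expired or expiring within 30 days.
// Usage: java KeystoreAudit /path/to/keystore.p12 <storepass>   (both are placeholders)
public class KeystoreAudit {
    private static final long WARN_MS = 30L * 24 * 60 * 60 * 1000; // 30 days in ms
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"); // same as keytool -storetype pkcs12
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Date now = new Date();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // trustedCertEntry holds one certificate; PrivateKeyEntry holds the full chain
            boolean trusted = ks.isCertificateEntry(alias);
            Certificate[] chain = trusted
                    ? new Certificate[] { ks.getCertificate(alias) }
                    : ks.getCertificateChain(alias);
            if (chain == null) continue; // secret-key entry: no certificate to report
            System.out.printf("%s, %s, chain length %d%n", alias,
                    trusted ? "trustedCertEntry" : "PrivateKeyEntry", chain.length);
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.printf("  Owner: %s%n  SHA256: %s%n",
                        x.getSubjectX500Principal(), fingerprint(x));
                long msLeft = x.getNotAfter().getTime() - now.getTime();
                if (msLeft < 0) {
                    System.out.println("  WARNING: expired on " + x.getNotAfter());
                } else if (msLeft < WARN_MS) {
                    System.out.println("  WARNING: expires within 30 days, on " + x.getNotAfter());
                }
            }
        }
    }
    // keytool's SHA256 fingerprint is the digest of the DER-encoded certificate
    static String fingerprint(X509Certificate x) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(x.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1); // drop trailing colon
    }
}
```

The SHA256 value printed for each certificate should match the SHA256 line in the keytool -list -v output above, which is a quick way to confirm the program is reading the same entries keytool shows.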