Created Thursday 10/11/2005
This document describes certificate store management using the "keytool" provided with the Sun JDK. keytool is a multi-purpose program that can be used to create certificates, list the contents of certificate stores, and update (import into) certificate stores.
keytool supports a variety of certificate store types, the default being JKS (Java KeyStore). ** check that other formats such as PKCS 7 and 12 are supported **
1. List contents
To list the contents of a certificate store (note that keytool prompts for a password, but be aware that the keystrokes are echoed back to the terminal):
bash $ keytool -list -keystore keystore.jks
After entering the password, keytool prints the certificate aliases and fingerprints to stdout. Example interaction and output:
bash $ keytool -list -keystore keystore.jks
Enter keystore password: xxx

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

cu, 23/03/2004, keyEntry,
Certificate fingerprint (MD5): 9C:F0:AD:69:D2:92:F0:61:59:CC:3D:A0:75:66:0F:C8
2. To extract a certificate from the keystore
The -export option is used to export certificate entries from within the certificate store. The keystore (and its type, if it is not the default JKS) and the alias of the certificate must be provided. In addition, it's useful to provide an output filename with -file, as the output certificate is DER encoded, which can play havoc with the terminal if written to stdout.
bash $ keytool -export -keystore keystore.jks -alias cu -file cu.crt
The newly extracted certificate can then be manipulated with other tools, e.g. openssl. For example, to view the certificate text:
bash $ openssl x509 -inform DER -text -in cu.crt
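The following POSIX shell script is an added example, not part of the original note, covering both sections above. It parses the output of "keytool -list" into alias, entry type, digest algorithm and fingerprint fields (the date in the alias line is locale dependent and may itself contain a comma, so the entry type is taken as the last comma-separated field), and, where keytool and openssl are both on the PATH, builds a throwaway JKS, exports an alias with -export and checks that openssl computes the same fingerprint that keytool listed. That cross-check is the step to take before an exported certificate file is handed to anyone as "the" certificate for an alias. The sample listing, the alias names (cu, rootca) and the test keystore contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original note): parse "keytool -list" output and
# cross-check an exported DER certificate against the fingerprint keytool listed.
# The parser runs offline; the live check needs keytool (JDK) and openssl on PATH.

# Constructed sample of "keytool -list" output. The second entry uses a
# US-style date (which contains a comma) and a trailing "type, " as newer
# JDKs print it, to show the parser copes with both layouts.
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

cu, 23/03/2004, keyEntry,
Certificate fingerprint (MD5): 9C:F0:AD:69:D2:92:F0:61:59:CC:3D:A0:75:66:0F:C8
rootca, Mar 1, 2004, trustedCertEntry, 
Certificate fingerprint (SHA1): 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'

# parse_listing: read "keytool -list" output on stdin and emit one
# "alias<TAB>entry-type<TAB>algorithm<TAB>fingerprint" line per entry.
parse_listing() {
    awk '
        # Alias line: "alias, <date>, <entryType>," (ends with a comma, maybe a space).
        /,[ \t]*$/ {
            line = $0
            sub(/,[ \t]*$/, "", line)
            n = split(line, f, ", ")
            alias = f[1]; type = f[n]   # date may contain ", ", so type is the last field
            next
        }
        # Fingerprint line: "Certificate fingerprint (ALG): XX:XX:..."
        /^Certificate fingerprint/ {
            algo = $3; gsub(/[():]/, "", algo)
            print alias "\t" type "\t" algo "\t" $4
        }
    '
}

# fingerprint_for ALIAS: print the listed fingerprint of one alias (listing on stdin).
fingerprint_for() {
    parse_listing | awk -F'\t' -v a="$1" '$1 == a { print $4 }'
}

# verify_export KEYSTORE STOREPASS ALIAS OUTFILE
# Exports ALIAS to OUTFILE (DER, as keytool -export writes it) and checks that
# openssl derives the same fingerprint keytool listed, using the same digest.
# Returns 0 on match, 1 on mismatch or error, 2 if the tools are not installed.
# -storepass on the command line is acceptable for a throwaway test keystore only;
# for a real store use the prompt (or -storepass:file / -storepass:env) so the
# password does not appear in process listings or shell history.
verify_export() {
    ks=$1; pw=$2; alias=$3; out=$4
    command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 || return 2
    keytool -export -keystore "$ks" -storepass "$pw" -alias "$alias" -file "$out" >/dev/null 2>&1 || return 1
    listed=$(keytool -list -keystore "$ks" -storepass "$pw" 2>/dev/null | parse_listing |
        awk -F'\t' -v a="$alias" '$1 == a { g = $3; gsub(/-/, "", g); print tolower(g) ":" $4; exit }')
    algo=${listed%%:*}            # e.g. md5, sha1, sha256 (openssl digest names)
    fp=${listed#*:}
    [ -n "$algo" ] && [ -n "$fp" ] || return 1
    actual=$(openssl x509 -inform DER -in "$out" -noout -fingerprint "-$algo" 2>/dev/null | cut -d= -f2)
    [ -n "$actual" ] && [ "$fp" = "$actual" ]
}

# demo: create a throwaway JKS with one key entry, then run verify_export on it.
demo() {
    tmp=$(mktemp -d) || return 1
    keytool -genkeypair -keystore "$tmp/test.jks" -storetype JKS -storepass changeit \
        -keypass changeit -alias cu -dname "CN=keytool example" -keyalg RSA -keysize 2048 \
        -validity 1 >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    verify_export "$tmp/test.jks" changeit cu "$tmp/cu.crt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: parse the constructed sample, then run the live check if possible.
printf '%s\n' "$SAMPLE_LISTING" | parse_listing
if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    if demo; then echo "exported certificate matches the keytool listing"
    else echo "fingerprint check failed"; fi
fi
```

The parser keeps the digest name alongside the fingerprint on purpose: the 2004-era listing above shows MD5 only, and an MD5 fingerprint is no longer a reliable identifier for a certificate, so when comparing fingerprints across tools or with a peer, use the strongest digest the installed keytool prints (newer JDKs show SHA-256; "keytool -list -v" shows several).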
Stuart Moorfoo 10 Nov 2005 mailto:foo@bund.com.au