About manage-certificates check-certificate-usability
The manage-certificates tool offers a check-certificate-usability subcommand to examine a specified entry in a key store and to identify potential issues that might interfere with secure communication.
The check-certificate-usability tool completes the following tasks:
- Ensures that a specified entry in the key store includes a private key and a complete certificate chain
- Checks whether the certificate at the root of the chain is found in the Java virtual machine's (JVM's) default set of trusted certificates
- Ensures that the current time lies within the validity window for all certificates in the chain
- Validates the signatures for all certificates in the chain
- Warns if the end-entity certificate is self-signed
- Warns if the end-entity certificate does not contain an extended key usage extension with the serverAuth usage
- Warns if the issuer certificates do not have a key usage extension with the keyCertSign usage
- Warns if the issuer certificates do not have a basic constraints extension indicating that they can operate as a certification authority. If the chain violates a path length constraint, the check-certificate-usability tool reports an error.
- Ensures that the signature algorithm uses a strong message digest algorithm, like SHA-256. The check-certificate-usability tool reports an error for weak digest algorithms like MD5 or SHA-1, and reports a warning for unrecognized digest algorithms.
- Ensures that none of the certificates that use an RSA key pair have a key size less than 2048 bits
The following example demonstrates the usage for the manage-certificates check-certificate-usability command and its output when no problems are identified.
$ bin/manage-certificates check-certificate-usability \
--keystore config/keystore \
--keystore-password-file config/keystore.pin \
--alias server-cert
Successfully retrieved the certificate chain for alias 'server-cert':
Subject DN: CN=ds1.example.com,O=Example Corp,C=US
Issuer DN: CN=Example Intermediate CA,O=Example Corp,C=US
Validity Start Time: Tuesday, November 12, 2019 at 03:52:44 PM CST
(5 minutes, 45 seconds ago)
Validity End Time: Wednesday, November 11, 2020 at 03:52:44 PM CST
(364 days, 23 hours, 54 minutes, 14 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with RSA
Public Key Algorithm: RSA (2048-bit)
SHA-1 Fingerprint: 84:e4:00:b9:f0:6b:58:bb:ac:67:79:28:2f:43:9f:e3:ac:24:ee:98
SHA-256 Fingerprint: 63:85:4d:2c:50:ea:a8:84:54:e0:73:9a:e7:5b:e7:1b:06:85:0e:
28:2b:76:a9:8b:57:fc:27:f7:60:81:48:41
Subject DN: CN=Example Intermediate CA,O=Example Corp,C=US
Issuer DN: CN=Example Root CA,O=Example Corp,C=US
Validity Start Time: Tuesday, November 12, 2019 at 03:52:42 PM CST
(5 minutes, 47 seconds ago)
Validity End Time: Monday, November 7, 2039 at 03:52:42 PM CST
(7299 days, 23 hours, 54 minutes, 12 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with RSA
Public Key Algorithm: RSA (4096-bit)
SHA-1 Fingerprint: de:da:3d:fc:d4:1f:67:79:0a:a1:5a:cd:ca:4a:7e:a5:d3:46:88:27
SHA-256 Fingerprint:
02:3c:af:ad:b7:07:81:89:45:48:d0:09:31:a8:90:c4:17:11:1c:00:11:fd:49:b2:2c:
ba:ac:dd:c4:9f:03:36
Subject DN: CN=Example Root CA,O=Example Corp,C=US
Issuer DN: CN=Example Root CA,O=Example Corp,C=US
Validity Start Time: Tuesday, November 12, 2019 at 03:52:38 PM CST
(5 minutes, 51 seconds ago)
Validity End Time: Monday, November 7, 2039 at 03:52:38 PM CST
(7299 days, 23 hours, 54 minutes, 8 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with RSA
Public Key Algorithm: RSA (4096-bit)
SHA-1 Fingerprint: 8e:03:e4:58:e6:e3:59:9a:55:77:c0:88:3c:fa:d7:29:f4:ff:de:6c
SHA-256 Fingerprint: 95:54:0d:e2:aa:48:29:c1:25:7c:20:69:c0:27:33:31:81:07:02:
2e:00:24:ae:49:5e:98:bd:a3:72:a5:05:26
OK: The certificate chain is complete. Each subsequent certificate is
the issuer for the previous certificate in the chain, and the chain ends
with a self-signed certificate.
OK: Certificate 'CN=ds1.example.com,O=Example Corp,C=US' has a valid
signature.
OK: Certificate 'CN=Example Intermediate CA,O=Example Corp,C=US' has a
valid signature.
OK: Certificate 'CN=Example Root CA,O=Example Corp,C=US' has a valid
signature.
OK: Certificate 'CN=ds1.example.com,O=Example Corp,C=US' will expire at
Wednesday, November 11, 2020 at 03:52:44 PM CST (364 days, 23 hours, 54
minutes, 14 seconds from now), which is not in the near future.
OK: Issuer certificate 'CN=Example Intermediate CA,O=Example Corp,C=US'
will expire at Monday, November 7, 2039 at 03:52:42 PM CST (7299 days, 23
hours, 54 minutes, 12 seconds from now), which is not in the near future.
OK: Issuer certificate 'CN=Example Root CA,O=Example Corp,C=US' will
expire at Monday, November 7, 2039 at 03:52:38 PM CST (7299 days, 23
hours, 54 minutes, 8 seconds from now), which is not in the near future.
OK: Certificate 'CN=ds1.example.com,O=Example Corp,C=US' at the head of
the chain includes an extended key usage extension, and that extension
includes the serverAuth usage.
OK: Issuer certificate 'CN=Example Intermediate CA,O=Example Corp,C=US'
includes a basic constraints extension, and the certificate chain
satisfies those constraints.
OK: Issuer certificate 'CN=Example Intermediate CA,O=Example Corp,C=US'
includes a key usage extension with the keyCertSign usage flag set to
true.
OK: Issuer certificate 'CN=Example Root CA,O=Example Corp,C=US' includes
a basic constraints extension, and the certificate chain satisfies those
constraints.
OK: Issuer certificate 'CN=Example Root CA,O=Example Corp,C=US' includes
a key usage extension with the keyCertSign usage flag set to true.
OK: Certificate 'CN=ds1.example.com,O=Example Corp,C=US' uses a signature
algorithm of 'SHA-256 with RSA', which is is considered strong.
OK: Certificate 'CN=Example Intermediate CA,O=Example Corp,C=US' uses a
signature algorithm of 'SHA-256 with RSA', which is is considered strong.
OK: Certificate 'CN=Example Root CA,O=Example Corp,C=US' uses a signature
algorithm of 'SHA-256 with RSA', which is is considered strong.
OK: Certificate 'CN=ds1.example.com,O=Example Corp,C=US' has a 2048-bit
RSA public key, which is considered strong.
OK: Certificate 'CN=Example Intermediate CA,O=Example Corp,C=US' has a
4096-bit RSA public key, which is considered strong.
OK: Certificate 'CN=Example Root CA,O=Example Corp,C=US' has a 4096-bit
RSA public key, which is considered strong.
No usability errors or warnings were identified while validating the
certificate chain.
If any usability issues are identified, they might be responsible for communication problems.