PingDirectory

Listing the certificates in a keystore

List the certificates available in a keystore.

Steps

  • To list the certificates in a keystore, use the list-certificates subcommand.

    This subcommand requires you to specify the path to the keystore file, and possibly the password that is needed to access the keystore. The following options are also available:

    Option                       Description

    --alias {alias}              Specifies the alias of the certificate to display. If this value is not provided, all certificates are displayed. To list more than one specific certificate, specify this value multiple times.

    --display-pem-certificate    Includes a PEM-encoded representation of each certificate as part of the output.

    --verbose                    Includes details about each certificate.

    Example:

    The following command demonstrates the basic listing of a keystore that contains a single certificate chain.

    $ bin/manage-certificates list-certificates \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin
    
    Alias:  server-cert (Certificate 1 of 2 in a chain)
    Subject DN:  CN=ds1.example.com,O=Example Corp,C=US
    Issuer DN:  CN=Example Certification Authority,O=Example Corp,C=US
    Validity Start Time:  Saturday, November 9, 2019 at 11:26:09 AM CST
                         (8 minutes, 15 seconds ago)
    Validity End Time:  Sunday, November 8, 2020 at 11:26:09 AM CST
                        (364 days, 23 hours, 51 minutes, 44 seconds from now)
    Validity State:  The certificate is currently within the validity window.
    Signature Algorithm:  SHA-256 with ECDSA
    Public Key Algorithm:  EC (secP256r1)
    SHA-1 Fingerprint: 42:f8:85:97:bf:88:bc:74:4b:5b:ce:0c:54:43:9b:44:6b:
                       81:23:a3
    SHA-256 Fingerprint: 4f:be:47:ed:36:68:13:38:ba:e8:c0:c5:6c:85:51:97:
                         8b:40:1b:76:10:c0:be:80:15:62:06:96:c5:71:30:df
    Private Key Available:  Yes
    The certificate has a valid signature.
    
    Alias:  server-cert (Certificate 2 of 2 in a chain)
    Subject DN:  CN=Example Certification Authority,O=Example Corp,C=US
    Issuer DN:  CN=Example Certification Authority,O=Example Corp,C=US
    Validity Start Time: Saturday, November 9, 2019 at 11:26:08 AM CST
                        (8 minutes, 16 seconds ago)
    Validity End Time: Friday, November 4, 2039 at 12:26:08 PM CDT
                       (7299 days, 23 hours, 51 minutes, 43 seconds from now)
    Validity State:  The certificate is currently within the validity window.
    Signature Algorithm:  SHA-256 with ECDSA
    Public Key Algorithm:  EC (secP256r1)
    SHA-1 Fingerprint: b8:d0:16:9b:5d:f2:e7:a1:80:79:95:a2:64:b5:aa:ad:80:
                       23:64:16
    SHA-256 Fingerprint: cf:98:2a:66:35:6e:6d:f9:5d:25:c6:68:68:04:5a:a8:
                         88:43:ca:b5:c8:e5:c9:95:09:e9:fc:ab:b9:41:ec:71
    The certificate has a valid signature.

    Example:

    The following sample represents the verbose version of the previous command.

    $ bin/manage-certificates list-certificates \
         --keystore config/keystore \
         --keystore-password-file config/keystore.pin \
         --verbose
    
    Alias:  server-cert (Certificate 1 of 2 in a chain)
    X.509 Certificate Version:  v3
    Subject DN:  CN=ds1.example.com,O=Example Corp,C=US
    Issuer DN:  CN=Example Certification Authority,O=Example Corp,C=US
    Serial Number:  7b:2d:91:6a:ff:51:4f:7a:19:16:26:4f:ce:cb:cb:31
    Validity Start Time:  Saturday, November 9, 2019 at 11:26:09 AM CST
                          (9 minutes, 48 seconds ago)
    Validity End Time: Sunday, November 8, 2020 at 11:26:09 AM CST
                       (364 days, 23 hours, 50 minutes, 11 seconds from now)
    Validity State:  The certificate is currently within the validity window.
    Signature Algorithm:  SHA-256 with ECDSA
    Signature Value:
         30:46:02:21:00:cb:d5:5e:45:b2:8a:33:5e:2d:85:23:39:49:d1:3f:8f:dc:
         f8:9e:2f:f3:44:2f:41:0d:69:95:ec:f0:f5:c0:80:02:21:00:ef:8f:32:35:
         3c:88:f4:89:ed:f3:a6:76:
         bb:92:6c:eb:c6:17:ac:61:dc:67:26:f0:ec:67:90:51:28:a1:d0:d5
    Public Key Algorithm:  EC (secP256r1)
    Elliptic Curve Public Key Is Compressed:  false
    Elliptic Curve X-Coordinate:
       -242531537200112594084676766080816663423582032543698976420161979758741
       05796326
    Elliptic Curve Y-Coordinate:
       487227145385914945527872889161867481853236780821268431652936646431343
       52536146
    Certificate Extensions:
         Subject Key Identifier Extension:
              OID:  2.5.29.14
              Is Critical:  false
              Key Identifier:
                   21:ad:b9:7a:15:e4:08:13:05:e1:c2:64:0c:86:aa:9b:f0:4c:fb:a0
         Authority Key Identifier Extension:
              OID:  2.5.29.35
              Is Critical:  false
              Key Identifier:
                   01:4b:69:99:93:5f:76:51:39:95:61:cc:a9:a8:cb:16:f2:0f:8c:c8
         Subject Alternative Name Extension:
              OID:  2.5.29.17
              Is Critical:  false
              DNS Name:  ds1.example.com
              DNS Name:  ds.example.com
              DNS Name:  ldap.example.com
              DNS Name:  localhost
              IP Address:  127.0.0.1
              IP Address:  0:0:0:0:0:0:0:1
         Key Usage Extension:
              OID:  2.5.29.15
              Is Critical:  false
              Key Usages:
                   Digital Signature
                   Key Encipherment
                   Key Agreement
         Extended Key Usage Extension:
              OID:  2.5.29.37
              Is Critical:  false
              Key Purpose ID:  TLS Server Authentication
              Key Purpose ID:  TLS Client Authentication
    SHA-1 Fingerprint:
       42:f8:85:97:bf:88:bc:74:4b:5b:ce:0c:54:43:9b:44:6b:81:23:a3
    SHA-256 Fingerprint:
       4f:be:47:ed:36:68:13:38:ba:e8:c0:c5:6c:85:51:97:8b:40:1b:76:
       10:c0:be:80:15:62:06:96:c5:71:30:df
    Private Key Available:  Yes
    The certificate has a valid signature.
    
    Alias:  server-cert (Certificate 2 of 2 in a chain)
    X.509 Certificate Version:  v3
    Subject DN:  CN=Example Certification Authority,O=Example Corp,C=US
    Issuer DN:  CN=Example Certification Authority,O=Example Corp,C=US
    Serial Number:  43:b7:bb:0c:82:58:42:d8:06:fc:2a:f6:04:e8:2e:8c
    Validity Start Time: Saturday, November 9, 2019 at 11:26:08 AM CST
                         (9 minutes, 49 seconds ago)
    Validity End Time: Friday, November 4, 2039 at 12:26:08 PM CDT
                       (7299 days, 23 hours, 50 minutes, 10 seconds from now)
    Validity State:  The certificate is currently within the validity window.
    Signature Algorithm:  SHA-256 with ECDSA
    Signature Value:
         30:45:02:21:00:b9:87:50:5d:b7:6a:19:82:99:9b:aa:f1:5d:25:a1:90:3c:
         17:9d:7f:f5:7f:8d:06:b4:57:41:9e:15:c6:5a:af:02:20:0c:00:5e:17:bf:
         ca:bf:0b:ff:db:9f:dc:55:ad:35:eb:df:f6:37:4e:23:83:36:88:d2:cc:
         7d:9e:23:da:78:28
    Public Key Algorithm:  EC (secP256r1)
    Elliptic Curve Public Key Is Compressed:  false
    Elliptic Curve X-Coordinate:
       -2075310300192093905980033536741576173876470035377253976540506997872632403964
    Elliptic Curve Y-Coordinate:
       6707935650390842729237891844088941200265948573168357073736512795355450855373
    Certificate Extensions:
         Subject Key Identifier Extension:
              OID:  2.5.29.14
              Is Critical:  false
              Key Identifier:
                   01:4b:69:99:93:5f:76:51:39:95:61:cc:a9:a8:cb:16:f2:0f:8c:c8
         Basic Constraints Extension:
              OID:  2.5.29.19
              Is Critical:  false
              Is CA:  true
              Path Length Constraint:  0
         Key Usage Extension:
              OID:  2.5.29.15
              Is Critical:  false
              Key Usages:
                   Key Cert Sign
                   CRL Sign
    SHA-1 Fingerprint:  b8:d0:16:9b:5d:f2:e7:a1:80:79:95:a2:64:b5:aa:ad:80:23:64:16
    SHA-256 Fingerprint:
       cf:98:2a:66:35:6e:6d:f9:5d:25:c6:68:68:04:5a:a8:88:43:ca:b5:c8:e5:c9:95:09:
       e9:fc:ab:b9:41:ec:71
    The certificate has a valid signature.
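
An added example, not part of the PingDirectory documentation or tooling: a Python parser for the list-certificates output format shown above. It rejoins wrapped fingerprint lines so a SHA-256 fingerprint can be compared against a value obtained out of band, and checks that each certificate's issuer DN matches the subject DN of the next certificate in the chain. SAMPLE is copied from the first listing on this page, trimmed to the parsed fields; the function names are hypothetical, and the listing is assumed to hold a single chain.

```python
import re

# Copied from the first listing on this page, trimmed to the fields parsed below.
SAMPLE = """\
Alias:  server-cert (Certificate 1 of 2 in a chain)
Subject DN:  CN=ds1.example.com,O=Example Corp,C=US
Issuer DN:  CN=Example Certification Authority,O=Example Corp,C=US
SHA-256 Fingerprint: 4f:be:47:ed:36:68:13:38:ba:e8:c0:c5:6c:85:51:97:
                     8b:40:1b:76:10:c0:be:80:15:62:06:96:c5:71:30:df
Private Key Available:  Yes

Alias:  server-cert (Certificate 2 of 2 in a chain)
Subject DN:  CN=Example Certification Authority,O=Example Corp,C=US
Issuer DN:  CN=Example Certification Authority,O=Example Corp,C=US
SHA-256 Fingerprint: cf:98:2a:66:35:6e:6d:f9:5d:25:c6:68:68:04:5a:a8:
                     88:43:ca:b5:c8:e5:c9:95:09:e9:fc:ab:b9:41:ec:71
"""

FIELD = re.compile(r"^\s*(Alias|Subject DN|Issuer DN|SHA-256 Fingerprint|Private Key Available):\s*(.*)$")
HEX_RUN = re.compile(r"^\s*((?:[0-9a-f]{2}:)*[0-9a-f]{2}):?\s*$")

def parse_listing(text):
    """Return one dict per certificate block, joining wrapped fingerprint lines."""
    certs, last = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Alias":
                certs.append({})               # each "Alias:" line starts a new certificate
                value = value.split(" (")[0]   # drop "(Certificate n of m in a chain)"
            if certs:
                certs[-1][key] = value
            last = key
        elif last == "SHA-256 Fingerprint" and certs and HEX_RUN.match(line):
            certs[-1][last] += line.strip()    # continuation of a wrapped fingerprint
        else:
            last = None
    return certs

def chain_problems(certs):
    """List places where a certificate's issuer is not the next certificate's subject."""
    problems = []
    for cur, nxt in zip(certs, certs[1:]):
        if cur["Issuer DN"] != nxt["Subject DN"]:
            problems.append(f"{cur['Subject DN']} is not issued by {nxt['Subject DN']}")
    return problems
```

The same parser accepts the --verbose layout, where the fingerprint label sits on its own line and the value follows on the next lines.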