Listing the certificates in a key store
Use the list-certificates subcommand to list the certificates in a key store.
You must specify the path to the key store file, and possibly the password needed to access the key store. Other options that are available include:
--alias {alias}
    Specifies the alias of the certificate to display. If this is not provided, then all certificates are displayed. This can be provided multiple times to list multiple specific certificates.
--display-pem-certificate
    Indicates that a PEM-encoded representation of each certificate should also be included as part of the output.
--verbose
    Indicates that the listing should include more detailed information about each of the certificates.
For example, the following command demonstrates a basic listing of a key store containing a single certificate chain.
$ bin/manage-certificates list-certificates \
--keystore config/keystore \
--keystore-password-file config/keystore.pin
Alias: server-cert (Certificate 1 of 2 in a chain)
Subject DN: CN=ds1.example.com,O=Example Corp,C=US
Issuer DN: CN=Example Certification Authority,O=Example Corp,C=US
Validity Start Time: Saturday, November 9, 2019 at 11:26:09 AM CST (8 minutes, 15 seconds ago)
Validity End Time: Sunday, November 8, 2020 at 11:26:09 AM CST (364 days, 23 hours, 51 minutes, 44 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with ECDSA
Public Key Algorithm: EC (secP256r1)
SHA-1 Fingerprint: 42:f8:85:97:bf:88:bc:74:4b:5b:ce:0c:54:43:9b:44:6b:81:23:a3
SHA-256 Fingerprint: 4f:be:47:ed:36:68:13:38:ba:e8:c0:c5:6c:85:51:97:8b:40:1b:76:10:c0:be:80:15:62:06:96:c5:71:30:df
Private Key Available: Yes
The certificate has a valid signature.
Alias: server-cert (Certificate 2 of 2 in a chain)
Subject DN: CN=Example Certification Authority,O=Example Corp,C=US
Issuer DN: CN=Example Certification Authority,O=Example Corp,C=US
Validity Start Time: Saturday, November 9, 2019 at 11:26:08 AM CST (8 minutes, 16 seconds ago)
Validity End Time: Friday, November 4, 2039 at 12:26:08 PM CDT (7299 days, 23 hours, 51 minutes, 43 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with ECDSA
Public Key Algorithm: EC (secP256r1)
SHA-1 Fingerprint: b8:d0:16:9b:5d:f2:e7:a1:80:79:95:a2:64:b5:aa:ad:80:23:64:16
SHA-256 Fingerprint: cf:98:2a:66:35:6e:6d:f9:5d:25:c6:68:68:04:5a:a8:88:43:ca:b5:c8:e5:c9:95:09:e9:fc:ab:b9:41:ec:71
The certificate has a valid signature.
The following is the verbose version of the previous command.
$ bin/manage-certificates list-certificates \
--keystore config/keystore \
--keystore-password-file config/keystore.pin \
--verbose
Alias: server-cert (Certificate 1 of 2 in a chain)
X.509 Certificate Version: v3
Subject DN: CN=ds1.example.com,O=Example Corp,C=US
Issuer DN: CN=Example Certification Authority,O=Example Corp,C=US
Serial Number: 7b:2d:91:6a:ff:51:4f:7a:19:16:26:4f:ce:cb:cb:31
Validity Start Time: Saturday, November 9, 2019 at 11:26:09 AM CST (9 minutes, 48 seconds ago)
Validity End Time: Sunday, November 8, 2020 at 11:26:09 AM CST (364 days, 23 hours, 50 minutes, 11 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with ECDSA
Signature Value:
30:46:02:21:00:cb:d5:5e:45:b2:8a:33:5e:2d:85:23:39:49:d1:3f:8f:dc:f8:9e:2f:f3:
44:2f:41:0d:69:95:ec:f0:f5:c0:80:02:21:00:ef:8f:32:35:3c:88:f4:89:ed:f3:a6:76:
bb:92:6c:eb:c6:17:ac:61:dc:67:26:f0:ec:67:90:51:28:a1:d0:d5
Public Key Algorithm: EC (secP256r1)
Elliptic Curve Public Key Is Compressed: false
Elliptic Curve X-Coordinate: -24253153720011259408467676608081666342358203254369897642016197975874105796326
Elliptic Curve Y-Coordinate: 48722714538591494552787288916186748185323678082126843165293664643134352536146
Certificate Extensions:
Subject Key Identifier Extension:
OID: 2.5.29.14
Is Critical: false
Key Identifier:
21:ad:b9:7a:15:e4:08:13:05:e1:c2:64:0c:86:aa:9b:f0:4c:fb:a0
Authority Key Identifier Extension:
OID: 2.5.29.35
Is Critical: false
Key Identifier:
01:4b:69:99:93:5f:76:51:39:95:61:cc:a9:a8:cb:16:f2:0f:8c:c8
Subject Alternative Name Extension:
OID: 2.5.29.17
Is Critical: false
DNS Name: ds1.example.com
DNS Name: ds.example.com
DNS Name: ldap.example.com
Key Usage Extension:
OID: 2.5.29.15
Is Critical: false
Key Usages:
Digital Signature
Key Encipherment
Key Agreement
Extended Key Usage Extension:
OID: 2.5.29.37
Is Critical: false
Key Purpose ID: TLS Server Authentication
Key Purpose ID: TLS Client Authentication
SHA-1 Fingerprint: 42:f8:85:97:bf:88:bc:74:4b:5b:ce:0c:54:43:9b:44:6b:81:23:a3
SHA-256 Fingerprint: 4f:be:47:ed:36:68:13:38:ba:e8:c0:c5:6c:85:51:97:8b:40:1b:76:10:c0:be:80:15:62:06:96:c5:71:30:df
Private Key Available: Yes
The certificate has a valid signature.
Alias: server-cert (Certificate 2 of 2 in a chain)
X.509 Certificate Version: v3
Subject DN: CN=Example Certification Authority,O=Example Corp,C=US
Issuer DN: CN=Example Certification Authority,O=Example Corp,C=US
Serial Number: 43:b7:bb:0c:82:58:42:d8:06:fc:2a:f6:04:e8:2e:8c
Validity Start Time: Saturday, November 9, 2019 at 11:26:08 AM CST (9 minutes, 49 seconds ago)
Validity End Time: Friday, November 4, 2039 at 12:26:08 PM CDT (7299 days, 23 hours, 50 minutes, 10 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with ECDSA
Signature Value:
30:45:02:21:00:b9:87:50:5d:b7:6a:19:82:99:9b:aa:f1:5d:25:a1:90:3c:17:9d:7f:f5:
7f:8d:06:b4:57:41:9e:15:c6:5a:af:02:20:0c:00:5e:17:bf:ca:bf:0b:ff:db:9f:dc:55:
ad:35:eb:df:f6:37:4e:23:83:36:88:d2:cc:7d:9e:23:da:78:28
Public Key Algorithm: EC (secP256r1)
Elliptic Curve Public Key Is Compressed: false
Elliptic Curve X-Coordinate: -2075310300192093905980033536741576173876470035377253976540506997872632403964
Elliptic Curve Y-Coordinate: 6707935650390842729237891844088941200265948573168357073736512795355450855373
Certificate Extensions:
Subject Key Identifier Extension:
OID: 2.5.29.14
Is Critical: false
Key Identifier:
01:4b:69:99:93:5f:76:51:39:95:61:cc:a9:a8:cb:16:f2:0f:8c:c8
Basic Constraints Extension:
OID: 2.5.29.19
Is Critical: false
Is CA: true
Path Length Constraint: 0
Key Usage Extension:
OID: 2.5.29.15
Is Critical: false
Key Usages:
Key Cert Sign
CRL Sign
SHA-1 Fingerprint: b8:d0:16:9b:5d:f2:e7:a1:80:79:95:a2:64:b5:aa:ad:80:23:64:16
SHA-256 Fingerprint: cf:98:2a:66:35:6e:6d:f9:5d:25:c6:68:68:04:5a:a8:88:43:ca:b5:c8:e5:c9:95:09:e9:fc:ab:b9:41:ec:71
The certificate has a valid signature.
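The following Python code is an added example, not part of the original documentation or of the manage-certificates tool. It parses the listing format shown above and reports certificates close to expiry, as well as chain entries whose Issuer DN or Authority Key Identifier does not match the Subject DN or Subject Key Identifier of the certificate that follows. The function names and the 30-day threshold are assumptions, as is the relative-time text keeping the "(N days, ... from now)" form seen in the listings; the sample input is abridged from the verbose output above.

```python
import re

# Abridged copy of the verbose listing above: only the fields the checks read.
SAMPLE = """\
Alias: server-cert (Certificate 1 of 2 in a chain)
Subject DN: CN=ds1.example.com,O=Example Corp,C=US
Issuer DN: CN=Example Certification Authority,O=Example Corp,C=US
Validity End Time: Sunday, November 8, 2020 at 11:26:09 AM CST (364 days, 23 hours, 50 minutes, 11 seconds from now)
Authority Key Identifier Extension:
Key Identifier:
01:4b:69:99:93:5f:76:51:39:95:61:cc:a9:a8:cb:16:f2:0f:8c:c8
Alias: server-cert (Certificate 2 of 2 in a chain)
Subject DN: CN=Example Certification Authority,O=Example Corp,C=US
Issuer DN: CN=Example Certification Authority,O=Example Corp,C=US
Validity End Time: Friday, November 4, 2039 at 12:26:08 PM CDT (7299 days, 23 hours, 50 minutes, 10 seconds from now)
Subject Key Identifier Extension:
Key Identifier:
01:4b:69:99:93:5f:76:51:39:95:61:cc:a9:a8:cb:16:f2:0f:8c:c8
"""

def parse_listing(text):  # returns one dict of fields per listed certificate
    certs, cur, ext, want_id = [], {}, None, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Alias: "):
            certs.append(cur := {"Alias": line[7:]})
        elif want_id:  # the hex value sits on the line after "Key Identifier:"
            cur[ext], want_id = line, False
        elif line.endswith(" Extension:"):
            ext = line[:-len(" Extension:")]
        elif line == "Key Identifier:":
            want_id = ext is not None
        elif ": " in line:
            cur.update([line.split(": ", 1)])
    return certs

LINKS = (("Issuer DN", "Subject DN"), ("Authority Key Identifier", "Subject Key Identifier"))

def audit_chain(certs, min_days=30):  # returns a list of finding strings
    findings = []
    for i, cert in enumerate(certs):
        left = re.search(r"\((\d+) days?, .* from now\)", cert.get("Validity End Time", ""))
        if not left or int(left.group(1)) < min_days:
            findings.append(f"cert {i + 1}: fewer than {min_days} days of validity left")
        pos = re.search(r"\(Certificate (\d+) of (\d+) in a chain\)", cert["Alias"])
        if not pos or pos.group(1) == pos.group(2) or i + 1 == len(certs):
            continue  # no issuer certificate follows this one in the listing
        for field, issuer_field in LINKS:
            if field in cert and cert[field] != certs[i + 1].get(issuer_field):
                findings.append(f"cert {i + 1}: {field} does not match issuer's {issuer_field}")
    return findings
```

Without --verbose the listing carries no key identifiers, so only the expiry and DN checks apply.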