Page created: 4 Feb 2020 | Page updated: 22 Jul 2020
To list the certificates in a keystore, use the list-certificates subcommand. This subcommand requires you to specify the path to the keystore file, and possibly the password that is needed to access the keystore. The following options are also available:
- --alias {alias} – Specifies the alias of the certificate to display. If this value is not provided, all certificates are displayed. To list more than one specific certificate, specify this value multiple times.
- --display-pem-certificate – Includes a PEM-encoded representation of each certificate as part of the output.
- --verbose – Includes details about each certificate.
The following command demonstrates the basic listing of a keystore that contains a single certificate chain:
$ bin/manage-certificates list-certificates \
--keystore config/keystore \
--keystore-password-file config/keystore.pin
Alias: server-cert (Certificate 1 of 2 in a chain)
Subject DN: CN=ds1.example.com,O=Example Corp,C=US
Issuer DN: CN=Example Certification Authority,O=Example Corp,C=US
Validity Start Time: Saturday, November 9, 2019 at 11:26:09 AM CST
(8 minutes, 15 seconds ago)
Validity End Time: Sunday, November 8, 2020 at 11:26:09 AM CST
(364 days, 23 hours, 51 minutes, 44 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with ECDSA
Public Key Algorithm: EC (secP256r1)
SHA-1 Fingerprint: 42:f8:85:97:bf:88:bc:74:4b:5b:ce:0c:54:43:9b:44:6b:
81:23:a3
SHA-256 Fingerprint: 4f:be:47:ed:36:68:13:38:ba:e8:c0:c5:6c:85:51:97:
8b:40:1b:76:10:c0:be:80:15:62:06:96:c5:71:30:df
Private Key Available: Yes
The certificate has a valid signature.
Alias: server-cert (Certificate 2 of 2 in a chain)
Subject DN: CN=Example Certification Authority,O=Example Corp,C=US
Issuer DN: CN=Example Certification Authority,O=Example Corp,C=US
Validity Start Time: Saturday, November 9, 2019 at 11:26:08 AM CST
(8 minutes, 16 seconds ago)
Validity End Time: Friday, November 4, 2039 at 12:26:08 PM CDT
(7299 days, 23 hours, 51 minutes, 43 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with ECDSA
Public Key Algorithm: EC (secP256r1)
SHA-1 Fingerprint: b8:d0:16:9b:5d:f2:e7:a1:80:79:95:a2:64:b5:aa:ad:80:
23:64:16
SHA-256 Fingerprint: cf:98:2a:66:35:6e:6d:f9:5d:25:c6:68:68:04:5a:a8:
88:43:ca:b5:c8:e5:c9:95:09:e9:fc:ab:b9:41:ec:71
The certificate has a valid signature.
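As an added example (not part of the product documentation or of the manage-certificates tool), the following Python script parses the non-verbose listing shown above and reports certificates that are expired, close to expiry, or not reported as having a valid signature. It assumes the field labels and line wrapping seen in this sample output; the function names and the 30-day threshold are illustrative, and times are compared without their zone abbreviation.

```python
import re
from datetime import datetime
# Abridged from the sample listing on this page (one chain, two certificates).
SAMPLE = """\
Alias: server-cert (Certificate 1 of 2 in a chain)
Subject DN: CN=ds1.example.com,O=Example Corp,C=US
Validity End Time: Sunday, November 8, 2020 at 11:26:09 AM CST
(364 days, 23 hours, 51 minutes, 44 seconds from now)
SHA-256 Fingerprint: 4f:be:47:ed:36:68:13:38:ba:e8:c0:c5:6c:85:51:97:
8b:40:1b:76:10:c0:be:80:15:62:06:96:c5:71:30:df
The certificate has a valid signature.
Alias: server-cert (Certificate 2 of 2 in a chain)
Subject DN: CN=Example Certification Authority,O=Example Corp,C=US
Validity End Time: Friday, November 4, 2039 at 12:26:08 PM CDT
The certificate has a valid signature.
"""
FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9 .-]*): (.*)$")  # "Label: value" lines

def parse_listing(text):
    certs, cur, last = [], None, None
    for line in map(str.strip, text.splitlines()):
        m = FIELD.match(line)
        if m and m.group(1) == "Alias":      # each certificate starts at "Alias:"
            cur, last = {"Alias": m.group(2), "signature_valid": False}, None
            certs.append(cur)
        elif cur is None or not line or line.startswith("("):
            continue                         # preamble, blank, "(... from now)"
        elif m:
            last = m.group(1)
            cur[last] = m.group(2)
        elif line == "The certificate has a valid signature.":
            cur["signature_valid"] = True
        elif last:
            cur[last] += line                # wrapped value such as a fingerprint
    return certs

def audit(certs, now, warn_days=30):
    findings = []
    for c in certs:
        # Drop weekday and zone abbreviation (assumption: day precision suffices).
        stamp = c["Validity End Time"].split(", ", 1)[1].rsplit(" ", 1)[0]
        days = (datetime.strptime(stamp, "%B %d, %Y at %I:%M:%S %p") - now).days
        if days < warn_days:
            state = "expired" if days < 0 else f"expires in {days} days"
            findings.append((c["Subject DN"], state))
        if not c["signature_valid"]:
            findings.append((c["Subject DN"], "signature not reported valid"))
    return findings

print(audit(parse_listing(SAMPLE), datetime(2020, 10, 20)))
```

The parser covers only the basic listing; the nested extension blocks of the `--verbose` output repeat labels such as `OID` and would need a hierarchical parser.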
The following sample shows the verbose output of the previous command:
$ bin/manage-certificates list-certificates \
--keystore config/keystore \
--keystore-password-file config/keystore.pin \
--verbose
Alias: server-cert (Certificate 1 of 2 in a chain)
X.509 Certificate Version: v3
Subject DN: CN=ds1.example.com,O=Example Corp,C=US
Issuer DN: CN=Example Certification Authority,O=Example Corp,C=US
Serial Number: 7b:2d:91:6a:ff:51:4f:7a:19:16:26:4f:ce:cb:cb:31
Validity Start Time: Saturday, November 9, 2019 at 11:26:09 AM CST
(9 minutes, 48 seconds ago)
Validity End Time: Sunday, November 8, 2020 at 11:26:09 AM CST
(364 days, 23 hours, 50 minutes, 11 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with ECDSA
Signature Value:
30:46:02:21:00:cb:d5:5e:45:b2:8a:33:5e:2d:85:23:39:49:d1:3f:8f:dc:
f8:9e:2f:f3:44:2f:41:0d:69:95:ec:f0:f5:c0:80:02:21:00:ef:8f:32:35:
3c:88:f4:89:ed:f3:a6:76:
bb:92:6c:eb:c6:17:ac:61:dc:67:26:f0:ec:67:90:51:28:a1:d0:d5
Public Key Algorithm: EC (secP256r1)
Elliptic Curve Public Key Is Compressed: false
Elliptic Curve X-Coordinate:
-242531537200112594084676766080816663423582032543698976420161979758741
05796326
Elliptic Curve Y-Coordinate:
487227145385914945527872889161867481853236780821268431652936646431343
52536146
Certificate Extensions:
Subject Key Identifier Extension:
OID: 2.5.29.14
Is Critical: false
Key Identifier:
21:ad:b9:7a:15:e4:08:13:05:e1:c2:64:0c:86:aa:9b:f0:4c:fb:a0
Authority Key Identifier Extension:
OID: 2.5.29.35
Is Critical: false
Key Identifier:
01:4b:69:99:93:5f:76:51:39:95:61:cc:a9:a8:cb:16:f2:0f:8c:c8
Subject Alternative Name Extension:
OID: 2.5.29.17
Is Critical: false
DNS Name: ds1.example.com
DNS Name: ds.example.com
DNS Name: ldap.example.com
DNS Name: localhost
IP Address: 127.0.0.1
IP Address: 0:0:0:0:0:0:0:1
Key Usage Extension:
OID: 2.5.29.15
Is Critical: false
Key Usages:
Digital Signature
Key Encipherment
Key Agreement
Extended Key Usage Extension:
OID: 2.5.29.37
Is Critical: false
Key Purpose ID: TLS Server Authentication
Key Purpose ID: TLS Client Authentication
SHA-1 Fingerprint:
42:f8:85:97:bf:88:bc:74:4b:5b:ce:0c:54:43:9b:44:6b:81:23:a3
SHA-256 Fingerprint:
4f:be:47:ed:36:68:13:38:ba:e8:c0:c5:6c:85:51:97:8b:40:1b:76:
10:c0:be:80:15:62:06:96:c5:71:30:df
Private Key Available: Yes
The certificate has a valid signature.
Alias: server-cert (Certificate 2 of 2 in a chain)
X.509 Certificate Version: v3
Subject DN: CN=Example Certification Authority,O=Example Corp,C=US
Issuer DN: CN=Example Certification Authority,O=Example Corp,C=US
Serial Number: 43:b7:bb:0c:82:58:42:d8:06:fc:2a:f6:04:e8:2e:8c
Validity Start Time: Saturday, November 9, 2019 at 11:26:08 AM CST
(9 minutes, 49 seconds ago)
Validity End Time: Friday, November 4, 2039 at 12:26:08 PM CDT
(7299 days, 23 hours, 50 minutes, 10 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with ECDSA
Signature Value:
30:45:02:21:00:b9:87:50:5d:b7:6a:19:82:99:9b:aa:f1:5d:25:a1:90:3c:
17:9d:7f:f5:7f:8d:06:b4:57:41:9e:15:c6:5a:af:02:20:0c:00:5e:17:bf:
ca:bf:0b:ff:db:9f:dc:55:ad:35:eb:df:f6:37:4e:23:83:36:88:d2:cc:
7d:9e:23:da:78:28
Public Key Algorithm: EC (secP256r1)
Elliptic Curve Public Key Is Compressed: false
Elliptic Curve X-Coordinate:
-2075310300192093905980033536741576173876470035377253976540506997872632403964
Elliptic Curve Y-Coordinate:
6707935650390842729237891844088941200265948573168357073736512795355450855373
Certificate Extensions:
Subject Key Identifier Extension:
OID: 2.5.29.14
Is Critical: false
Key Identifier:
01:4b:69:99:93:5f:76:51:39:95:61:cc:a9:a8:cb:16:f2:0f:8c:c8
Basic Constraints Extension:
OID: 2.5.29.19
Is Critical: false
Is CA: true
Path Length Constraint: 0
Key Usage Extension:
OID: 2.5.29.15
Is Critical: false
Key Usages:
Key Cert Sign
CRL Sign
SHA-1 Fingerprint: b8:d0:16:9b:5d:f2:e7:a1:80:79:95:a2:64:b5:aa:ad:80:23:64:16
SHA-256 Fingerprint:
cf:98:2a:66:35:6e:6d:f9:5d:25:c6:68:68:04:5a:a8:88:43:ca:b5:c8:e5:c9:95:09:
e9:fc:ab:b9:41:ec:71
The certificate has a valid signature.