How to check certificate name and alias in keystore files?

Question

I have a bunch of .keystore files and need to find one with specific CN and alias. Is there a way to do it with keytool, jarsigner or some other tool? I found a way to check if specific keystore was used to sign a specific apk, but I also need to get the alias and certificate name in each of the files.

score 1109 · Accepted Answer · edited Apr 19 '23 at 12:24

1109

You can run the following command to list the content of your keystore file (and alias name):

keytool -v -list -keystore /path/to/keystore

If you are looking for a specific alias (for example foo), you can also specify it in the command:

keytool -list -keystore /path/to/keystore -alias foo

If the alias is not found, it will display an exception:

keytool error: java.lang.Exception: Alias does not exist

edited Apr 19 '23 at 12:24

Saifallak

1,234
2
13
28

answered Oct 15 '12 at 11:08

Romain Linsolas

79,475
49
202
273

1

Hi can I display the key alias password If I know the key alias name and have keystore certificate and keystore password – Prateek Aug 22 '13 at 07:22
23

@prateek You can't. There wouldn't be much point in having keystore or key passwords if you could just display then with a command-line tool. – user207421 Apr 17 '15 at 12:15
3

You can run the following command to list the content of your keystore file: keytool -list -keystore .keystore The above commond is not providing the name of alias – Manmohan Soni Jan 12 '18 at 07:52
1

@ManmohanSoni I have updated it to include -v argument which reveals the alias – Steven Mark Ford Mar 22 '18 at 05:18
46

I think that `/path/to/keystore` instead of `.keystore` would be more clear to the reader. Anyway it is the correct answer! – Andrea Jul 11 '18 at 14:09
Even if we don't enter password the command will show the content (despite of setting a password for keystore file)! Why??? – VahidShir May 07 '19 at 07:33
@VahidShir It doesn't show all the content unless you provide the password. Only the non-secret stuff. – user207421 Sep 09 '20 at 00:23
In answer to @Prateek if you used a GUI and entered only a keystore pass, the alias pass will be the same. Just come unstuck myself as a Xamarin user. – Tyeth Mar 16 '22 at 17:35

score 311 · Answer 2 · edited Jul 07 '15 at 18:18

311

In order to get all the details I had to add the -v option to romaintaz answer:

keytool -v -list -keystore <FileName>.keystore

edited Jul 07 '15 at 18:18

Waqas Raja

10,802
4
33
38

answered Apr 17 '15 at 11:57

enkara

6,189
6
34
52

10

keytool -v -list -keystore .jks – piyush singh Aug 18 '16 at 08:45
1

keytool -v -list -keystore cacerts – Ankur Srivastava Jan 26 '17 at 21:26
2

"If the `-v` option is specified, then the certificate is printed in **human-readable format**, with additional information such as the owner, issuer, serial number, and any extensions." (see: [Java SE Tools Reference, Display Data command, -list option](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html#keytool_option_list)) – Eido95 Aug 24 '17 at 12:46

score 80 · Answer 3 · edited Jan 15 '19 at 07:27

80

You can run from Java code.

try {

        File file = new File(keystore location);
        InputStream is = new FileInputStream(file);
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        String password = "password";
        keystore.load(is, password.toCharArray());


        Enumeration<String> enumeration = keystore.aliases();
        while(enumeration.hasMoreElements()) {
            String alias = enumeration.nextElement();
            System.out.println("alias name: " + alias);
            Certificate certificate = keystore.getCertificate(alias);
            System.out.println(certificate.toString());

        }

    } catch (java.security.cert.CertificateException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (FileNotFoundException e) {
        e.printStackTrace();
    } catch (KeyStoreException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    }finally {
        if(null != is)
            try {
                is.close();
            } catch (IOException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
    }

Certificate class holds all information about the keystore.

UPDATE- OBTAIN PRIVATE KEY

Key key = keyStore.getKey(alias, password.toCharArray());
String encodedKey = new Base64Encoder().encode(key.getEncoded());
System.out.println("key ? " + encodedKey);

@prateek Hope this is what you looking for!

edited Jan 15 '19 at 07:27

Ilya Kharlamov

3,698
1
31
33

answered Oct 15 '12 at 11:29

Renjith

3,457
5
46
67

import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.security.cert.Certificate; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.util.Enumeration; – ban-geoengineering Aug 06 '13 at 16:33
1

@Renjith hello This code displays everything except the password associated with alias, How can I display it . Please help me – Prateek Aug 22 '13 at 08:52
@Renjith `java.security.UnrecoverableKeyException` this is the exception thrown when I try this code actualy I want to retrieve alias password – Prateek Aug 22 '13 at 11:59
2

you should use the code snippet inside the aforementioned while loop – Renjith Aug 22 '13 at 12:00
1

I didnt have Base64Encoder class. Can you please tell me which jar file does it have? or is it a .java file? – Jack Mar 16 '16 at 06:35
So if i add a certificate into a Keystore, then i automatically get an alias? – Gobliins Apr 05 '17 at 08:12
This was a life saver for me. Comodo in their wisdom created an alias that showed up with a ? in middle. Like "mycompany's comodo id" . That ? turned out to be some kind of quote which does not show up on on my keyboard. I had to copy and paste the quote from the java output, and used that with keytool to make the alias something more usable. – Fred Andrews Dec 30 '18 at 05:54

score 64 · Answer 4 · edited Dec 23 '22 at 17:03

64

KeyStore Explorer open source visual tool to manage keystores.

edited Dec 23 '22 at 17:03

Keashan

35
1
3
7

answered Feb 18 '14 at 14:13

Ycnannamela

649
5
2

This is close to a link-only answer. The policy is that you should post some information on how to use the tool/library in the answer itself. – user202729 Dec 10 '20 at 15:04
dead link, this is why link only answer is terrible – Trong Nguyen Nov 30 '22 at 10:17

score 28 · Answer 5 · answered Nov 01 '16 at 11:52

In a bash-like environment you can use:

keytool -list -v -keystore cacerts.jks | grep 'Alias name:' | grep -i foo

This command consist of 3 parts. As stated above, the 1st part will list all trusted certificates with all the details and that's why the 2nd part comes to filter only the alias information among those details. And finally in the 3rd part you can search for a specific alias (or part of it). The -i turns the case insensitive mode on. Thus the given command will yield all aliases containing the pattern 'foo', f.e. foo, 123_FOO, fooBar, etc. For more information man grep.

score 23 · Answer 6 · answered Mar 19 '17 at 15:30

23

This will list all certificates:

keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts"

answered Mar 19 '17 at 15:30

Walk

1,531
17
21

This will only list certificates stored in the JDK's trust store which is similar but for a different purpose to a keystore (which was asked about). There is a good differentiation here: [http://stackoverflow.com/questions/17935619/what-is-difference-between-cacerts-and-keystore](http://stackoverflow.com/questions/17935619/what-is-difference-between-cacerts-and-keystore). – David Levy Mar 19 '17 at 16:42
1

Passoword: changeit (default) – Milrak Pereira Pessoa Dec 07 '20 at 18:35

score 10 · Answer 7 · answered Jan 24 '22 at 22:14

cmd:

keytool -list -keystore 'keystoreName'

and then press 'Enter' the cmd will then prompt you to enter the keystore password

cmd doesn't show the password on the screen while typing so just type the correct passwd -and be careful- then press enter again.

Or You can use:

keytool -list -keystore 'keystoreName' -storepass 'type your keystore passwd'

and for Keys' full info, just add -v:

keytool -v -list -keystore 'keystoreName' -storepass 'type your keystore passwd'

score 6 · Answer 8 · answered Sep 01 '21 at 12:46

6

On Windows:

keytool -v -list -keystore my_keystore | findstr my_string

Reference:

CMD Search a directory to Find a string inside a file

answered Sep 01 '21 at 12:46

Matheus Santz

538
6
7

score 3 · Answer 9 · answered Jul 14 '22 at 05:05

3

we can get the list of Certificates from Certs with simple command and search for your alias name in the resulted output.

keytool -list -keystore C:/swdtools/jdk1.7.0_67/jre/lib/security/cacerts

answered Jul 14 '22 at 05:05

Lova Chittumuri

2,994
1
30
33

score 2 · Answer 10 · answered Mar 25 '21 at 16:04

2

There are also console certificate manager written as a single-file shell script (open-source):

https://dev.to/sfkulyk/writing-panel-manager-for-certificate-keystore-in-linux-shell-187b

Can browse, copy, delete, rename and compare keystores.

answered Mar 25 '21 at 16:04

Saboteur

1,331
5
12

1

OMG! This is a masterpiece! Tremendous! – igorp1024 Jul 08 '23 at 13:54

score 2 · Answer 11 · answered Nov 30 '21 at 10:02

2

If you get a warning

Warning: use -cacerts option to access cacerts keystore

then you may use this command

.\keytool.exe -list -cacerts

answered Nov 30 '21 at 10:02

Jaydeep Soni

488
1
8
19

1

Not sure why this was downvoted.but it was helpful. – granadaCoder Jan 26 '22 at 14:44

sri e · Answer 12 · 2023-04-18T12:44:21.357

1

keytool -v -list -cacerts -alias cert1

This worked for me when I am checking for the certificate added to jdk-11 with alias name and check if it was added on windows machine

edited Apr 18 '23 at 12:44

answered Feb 23 '22 at 18:12

sri e

49
1
5

How to check certificate name and alias in keystore files?

12 Answers12

Linked

Related