How to list the certificates stored in a PKCS12 keystore with keytool

Question

I wanted to list the certificates stored in a PKCS12 keystore    The keystore has the extension  pfx

User · Accepted Answer

If the keystore is PKCS12 type   pfx  you have to specify it with -storetype PKCS12  line breaks added for readability    keytool -list -v -keystore  lt path to keystore pfx gt        -storepass  lt password gt        -storetype PKCS12

User · Answer

You can also use openssl to accomplish the same thing     openssl pkcs12 -nokeys -info       -in  lt  path to file pfx gt        -passin pass  lt pfx s password gt   MAC Iteration 2048 MAC verified OK PKCS7 Encrypted data  pbeWithSHA1And40BitRC2-CBC  Iteration 2048 Certificate bag Bag Attributes     localKeyID  XX XX XX XX XX XX XX XX XX XX XX XX XX 48 54 A0 47 88 1D 90     friendlyName  jedis-server subject  C US ST NC L Raleigh O XXX Security OU XXX CN something1 issuer  C US ST NC L Raleigh O XXX Security OU XXXX CN something1 -----BEGIN CERTIFICATE-----             -----END CERTIFICATE----- PKCS7 Data Shrouded Keybag  pbeWithSHA1And3-KeyTripleDES-CBC  Iteration 2048

User · Answer

openssl pkcs12 -info -in keystore file

User · Answer

You can list down the entries  certificates details  with the keytool and even you don t need to mention the store type  keytool -list -v -keystore cert p12 -storepass  lt password gt    Keystore type  PKCS12  Keystore provider  SunJSSE   Your keystore contains 1 entry  Alias name  1  Creation date  Jul 11  2020  Entry type  PrivateKeyEntry  Certificate chain length  2

User · Answer

What is missing in the question and all the answers is that you might need the passphrase to read public data from the PKCS 12   pfx  keystore  If you need a passphrase or not depends on how the PKCS 12 file was created  You can check the ASN1 structure of the file  by running it through a ASN1 parser  openssl or certutil can do this too   if the PKCS 7 data  e g  OID prefix 1 2 840 113549 1 7  is listed as  encrypted  or with a cipher-spec or if the location of the data in the asn1 tree is below an encrypted node  you won t be able to read it without knowledge of the passphrase  It means your  openssl pkcs12  command will fail with errors  output depends on the version   For those wondering why you might be interested in the certificate of a PKCS 12 without knowledge of the passphrase  Imagine you have many keystores and many phassphrases and you are really bad at keeping them organized and you don t want to test all combinations  the certificate inside the file could help you find out which password it might be  Or you are developing software to migrate renew a keystore and you need to decide in advance which procedure to initiate based on the contained certicate without user interaction   So the latter examples work without passphrase depending on the PKCS 12 structure   Just wanted to add that  because I didn t find an answer myself and spend a lot of time to figure it out

[certificate] How to list the certificates stored in a PKCS12 keystore with keytool?

Examples related to certificate

Examples related to ssl-certificate

Examples related to keystore

Examples related to pkcs#12