SyntaxFix

[certificate] How to list the certificates stored in a PKCS12 keystore with keytool?

I wanted to list the certificates stored in a PKCS12 keystore.

The keystore has the extension .pfx

This question is related to certificate ssl-certificate keystore pkcs#12

The answer is

What is missing in the question and all the answers is that you might need the passphrase to read public data from the PKCS#12 (.pfx) keystore. If you need a passphrase or not depends on how the PKCS#12 file was created. You can check the ASN1 structure of the file (by running it through a ASN1 parser, openssl or certutil can do this too), if the PKCS#7 data (e.g. OID prefix 1.2.840.113549.1.7) is listed as 'encrypted' or with a cipher-spec or if the location of the data in the asn1 tree is below an encrypted node, you won't be able to read it without knowledge of the passphrase. It means your 'openssl pkcs12' command will fail with errors (output depends on the version). For those wondering why you might be interested in the certificate of a PKCS#12 without knowledge of the passphrase. Imagine you have many keystores and many phassphrases and you are really bad at keeping them organized and you don't want to test all combinations, the certificate inside the file could help you find out which password it might be. Or you are developing software to migrate/renew a keystore and you need to decide in advance which procedure to initiate based on the contained certicate without user interaction. So the latter examples work without passphrase depending on the PKCS#12 structure.

Just wanted to add that, because I didn't find an answer myself and spend a lot of time to figure it out.

You can list down the entries (certificates details) with the keytool and even you don't need to mention the store type.

keytool -list -v -keystore cert.p12 -storepass <password>

 Keystore type: PKCS12
 Keystore provider: SunJSSE

 Your keystore contains 1 entry
 Alias name: 1
 Creation date: Jul 11, 2020
 Entry type: PrivateKeyEntry
 Certificate chain length: 2

You can also use openssl to accomplish the same thing:

$ openssl pkcs12 -nokeys -info \
    -in </path/to/file.pfx> \
    -passin pass:<pfx's password>

MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: XX XX XX XX XX XX XX XX XX XX XX XX XX 48 54 A0 47 88 1D 90
    friendlyName: jedis-server
subject=/C=US/ST=NC/L=Raleigh/O=XXX Security/OU=XXX/CN=something1
issuer=/C=US/ST=NC/L=Raleigh/O=XXX Security/OU=XXXX/CN=something1
-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

openssl pkcs12 -info -in keystore_file

Source: Stackoverflow.com

Examples related to certificate

Distribution certificate / private key not installed When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site? Cannot install signed apk to device manually, got error "App not installed" Using client certificate in Curl command Convert .cer certificate to .jks SSL cert "err_cert_authority_invalid" on mobile chrome only Android Studio - Unable to find valid certification path to requested target SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch Verify a certificate chain using openssl verify Import Certificate to Trusted Root but not to Personal [Command Line]

Examples related to ssl-certificate

How to install OpenSSL in windows 10? Scraping: SSL: CERTIFICATE_VERIFY_FAILED error for http://en.wikipedia.org Not able to install Python packages [SSL: TLSV1_ALERT_PROTOCOL_VERSION] Letsencrypt add domain to existing certificate javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure bypass invalid SSL certificate in .net core How to add Certificate Authority file in CentOS 7 How to use a client certificate to authenticate and authorize in a Web API This certificate has an invalid issuer Apple Push Services iOS9 getting error “an SSL error has occurred and a secure connection to the server cannot be made”

Examples related to keystore

What is difference between cacerts and keystore? Where is debug.keystore in Android Studio keytool error Keystore was tampered with, or password was incorrect How to add certificate chain to keystore? Default keystore file does not exist? How to list the certificates stored in a PKCS12 keystore with keytool? How to check certificate name and alias in keystore files? How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default? What certificates are trusted in truststore? Difference between .keystore file and .jks file

Examples related to pkcs#12

Creating a .p12 file Converting PKCS#12 certificate into PEM using OpenSSL How to list the certificates stored in a PKCS12 keystore with keytool? Extract public/private key from PKCS12 file for later use in SSH-PK-Authentication

Tags

Accordionpane Boxplot Drawing System.net Attributes Subclass Buttongroup Buildr Value-provider Tinypg Removing-whitespace Immediate-window Batch-file Optimistic-concurrency Scgi Httprequest Fire-and-forget Cgcontext Repaint Independentsoft Copy-assignment Yui-compressor Esql Truncated Mysql-error-1040 Perl-context Imagecreatefrompng User-controls Permission-denied Http-post Ado.net-entity-data-model Google-language-api Perl-module Zend-db Signing Jcanvas Office-interop Zend-session Asplinkbutton Viewcontroller Runspace Radwindow Call-hierarchy Filtering User-manual Android-contacts Onfling Net-use Eclipselink Install-sequence Tropo Nsfilemanager Truncate-log Bulksms Caching-proxy Avr-gcc Hessian Onpageloadstring Workflowservice Vb6 Rhomobile Turing-complete Autohotkey Fractals Code-size Mongrel-cluster Dead-reckoning Ora-06502 Label Crash-reports Command-execution Kconfig Missingmethodexception Nunit-console Image-scaling Expression-web Templatetag Second-level-cache Reentrancy Hardware Simulated-annealing Buttonbar Yui-uploader Modelmetadata Ascii-art Actionscript Soapui Triggers Location Nolock Windowsphotogallery Fsync Csv Winforms Objectoutputstream Shapefile Atan2 Inherited Android-layout Move-semantics