Archive for May 2007
Using openssl for a closer look at certificates in JKS keystores
Sometimes we want a closer look at a certificate found in a JKS keystore. The JDK keytool command is useful for such a data dump, but does not always produce as much information as we may need.
$ keytool -v -list -keystore my.keystore -storepass thepass
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: oponiaroot
Creation date: May 4, 2007
Entry type: trustedCertEntry
Owner: CN=Certificate Master, C=Canada, ST=Ontario, O=Oponia Networks Inc.
Issuer: CN=Certificate Master, C=Canada, ST=Ontario, O=Oponia Networks Inc.
Serial number: 1
Valid from: Thu Jan 25 17:31:30 PST 2007 until: Wed Jan 25 17:31:30 PST 2017
Certificate fingerprints:
MD5: 36:F9:13:28:76:01:B1:41:D0:7E:09:EC:F1:BB:E4:50
SHA1: 8F:8E:97:B6:8A:D8:68:73:AE:C5:49:BE:7D:2C:7E:8A:68:73:00:31
*******************************************
*******************************************
Alias name: urn:jxta:uuid-abae7893abd6411a88a1983badcb684e3f5411baf94143d5ab8a9b6b2cd0760903
Creation date: May 4, 2007
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: OU=urn:jxta:uuid-ABAE7893ABD6411A88A1983BADCB684E3F5411BAF94143D5AB8A9B6B2CD0760903,
CN=ka0auh.oponia.net, O=Oponia Networks Inc.
Issuer: CN=Certificate Master, C=Canada, ST=Ontario, O=Oponia Networks Inc.
Serial number: 40
Valid from: Fri May 04 14:55:09 PDT 2007 until: Mon May 04 14:55:09 PDT 2009
Certificate fingerprints:
MD5: B3:3D:B8:81:1E:7A:79:21:3C:DE:83:48:A7:49:89:80
SHA1: CA:7C:AB:41:26:FA:F6:98:A5:33:07:15:91:48:FB:66:39:58:D7:43
Certificate[2]:
Owner: CN=Certificate Master, C=Canada, ST=Ontario, O=Oponia Networks Inc.
Issuer: CN=Certificate Master, C=Canada, ST=Ontario, O=Oponia Networks Inc.
Serial number: 1
Valid from: Thu Jan 25 17:31:30 PST 2007 until: Wed Jan 25 17:31:30 PST 2017
Certificate fingerprints:
MD5: 36:F9:13:28:76:01:B1:41:D0:7E:09:EC:F1:BB:E4:50
SHA1: 8F:8E:97:B6:8A:D8:68:73:AE:C5:49:BE:7D:2C:7E:8A:68:73:00:31
To get a closer look at a particular certificate, we can use the openssl command line utility, found on most Unixes. First, choose a certificate to examine, and export it using keytool:
$ keytool -export -alias urn:jxta:uuid-abae7893abd6411a88a1983badcb684e3f5411baf94143d5ab8a9b6b2cd0760903 \
    -keystore my.keystore -storepass thepass -file cert.cer
Certificate stored in file <cert.cer>
Next, dump the certificate info using openssl:
$ openssl x509 -text -in cert.cer -inform DER -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 64 (0x40)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Oponia Networks Inc., ST=Ontario, C=Canada, CN=Certificate Master
Validity
Not Before: May 4 21:55:09 2007 GMT
Not After : May 4 21:55:09 2009 GMT
Subject: O=Oponia Networks Inc., CN=ka0auh.oponia.net, OU=urn:jxta:uuid-ABAE7893ABD6411A88A1983BADCB684E3F5411BAF94143D5AB8A9B6B2CD0760903
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b6:2d:ea:88:51:5e:7a:5c:5d:a8:2f:0c:87:f5:
d3:19:b9:7a:9f:23:95:f2:24:ac:68:ff:b2:ad:2d:
d3:a6:81:30:ea:57:78:63:13:60:a8:18:06:d5:5c:
3a:0e:5b:02:03:e3:26:16:37:b8:e1:d1:1c:00:59:
14:02:64:b2:8e:20:3b:6a:93:45:6b:e6:24:b3:ec:
b0:b5:67:b7:c9:33:6b:c3:76:c0:79:ae:0a:0b:f9:
4c:04:be:a6:6f:1b:eb:6f:45:de:82:8b:8f:34:c5:
24:23:8a:9e:6a:1b:d1:76:04:23:af:c8:f4:d8:0d:
ee:9c:6c:99:4c:8c:a4:7d:fd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Alternative Name:
email:mark at oponia.com
X509v3 Authority Key Identifier:
keyid:8E:2D:8B:5D:E7:34:60:90:0D:AC:9E:2B:86:E4:A6:3C:E9:CF:6B:29
DirName:/O=Oponia Networks Inc./ST=Ontario/C=Canada/CN=Certificate Master
serial:01
X509v3 Subject Key Identifier:
49:F8:FA:B3:9D:CA:7C:BC:8A:D4:20:F6:FD:D3:E9:FB:52:89:E3:08
Signature Algorithm: sha256WithRSAEncryption
36:c9:78:cb:d8:95:ff:d1:1a:db:97:a4:68:ab:11:20:a4:51:
24:a5:28:f9:0d:06:bc:a1:27:c2:9e:5d:4a:4f:26:c1:62:1d:
f4:95:91:48:5b:04:39:03:e5:04:ed:8f:f1:23:05:49:12:ae:
80:c9:ec:69:2e:1c:be:19:26:cf:fb:6a:12:b1:fb:89:84:9d:
5b:e6:56:17:b2:57:f1:c3:9a:b8:04:05:3d:b9:1a:1a:23:dc:
b9:66:48:da:79:31:27:ed:f7:80:f1:b4:c3:52:cf:26:ea:64:
af:33:cd:8a:6b:bb:ff:3d:f0:a4:82:32:16:16:5e:77:b9:c3:
dc:2a
And that’s it. Deeper information on the certificate in just two commands.
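The same two commands can be looped over every entry in a keystore. The script below is an added example, not part of the original post: it goes beyond the single-alias case above, and it assumes keytool and openssl are on the PATH, English keytool output, and a hypothetical KS_PASS environment variable holding the store password (read with keytool's -storepass:env form instead of being typed on the command line).

```shell
#!/bin/sh
# Added example: review every certificate in a JKS keystore with openssl.
# Assumptions: English keytool output; KS_PASS (hypothetical name) is exported.

# Read `keytool -list -v` output on stdin and print one alias per line.
# Only the "Alias name: " prefix is stripped, so aliases that themselves
# contain colons (urn:jxta:uuid-...) are not cut short.
list_aliases() {
    sed -n 's/^Alias name: //p'
}

# Reduce `openssl x509 -text` output (stdin) to the fields usually checked
# first: signature algorithm, key size, expiry and the CA flag.
cert_summary() {
    grep -E 'Signature Algorithm:|Public[ -]Key: \(|Not After|CA:(TRUE|FALSE)' |
        awk '{ sub(/^[ \t]+/, "") } !seen[$0]++'
}

# Export one alias to a temporary DER file and print the openssl text dump.
# $1 = keystore path, $2 = alias. For a keyEntry, keytool exports only the
# first certificate of the chain.
dump_alias() {
    tmp=$(mktemp) || return 1
    keytool -export -alias "$2" -keystore "$1" -storepass:env KS_PASS \
        -file "$tmp" </dev/null >/dev/null &&
        openssl x509 -text -in "$tmp" -inform DER -noout
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Print a short summary per alias; drop "| cert_summary" for the full dump.
dump_all() {
    keytool -list -v -keystore "$1" -storepass:env KS_PASS </dev/null |
        list_aliases |
        while IFS= read -r name; do
            printf '=== %s ===\n' "$name"
            dump_alias "$1" "$name" | cert_summary
        done
}

# Usage: KS_PASS=... sh dump_keystore.sh my.keystore
if [ "$#" -ge 1 ]; then
    dump_all "$1"
fi
```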