Verify certificate on Java Certificate Store through CLI

How can I verify an X509 certificate (or DER-formatted) in the Java certificate store through the command line?

I have studied the use of the keytool utility, but it looks like it only handles import / export / display functions (without checking).

EDIT: It looks like keytool can be used for verification, but only when trying to import. I believe the best way to ask this question is whether there is a more passive approach (as in: without changing the keystore). Thanks!

+6
java certificate keystore verification keytool
2 answers

This page can be simplified:

http://java.sun.com/docs/books/tutorial/security/toolfilex/rstep1.html

But it does not look like even importing with keytool does a true certificate check. I do not see a description of verifying the signature of the incoming certificate against the signing certificate of another trusted certificate.

jarsigner will verify the signature on a signed JAR, but does nothing to verify the signature on the certificate used to sign the JAR.

I'm afraid you will have to either write a tool to perform the verification, or look for a commercial tool that does this. I would think that some of the PKI toolkits would have a certificate validation tool that would do this.

+2

You can use keytool to export necessary certificates (those that are in the chain for the one you need to verify) from the Java keystore to X.509 files. Then merge them together into one file. Finally, use openssl to verify.

 openssl verify -CAfile concatenated-certs.crt cert-to-verify.crt 

Not an ideal solution, since it involves getting the certificates out of the trust store, but it should work based on where you start.

+10
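
The export-and-verify procedure from the answer above, as an added example that is not part of the original answers: `keytool -list -rfc` only reads the keystore, so nothing is imported or modified. The function names and the script arguments (KEYSTORE, STOREPASS, CERT) are assumptions, and `keytool` and `openssl` must be on the PATH.

```shell
#!/bin/sh
# Added example. Assumed script arguments: KEYSTORE STOREPASS CERT.

# Keep only the PEM certificate blocks from `keytool -list -rfc` output,
# dropping the alias / entry-type text that keytool prints around them.
pem_blocks() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p'
}

# Dump every certificate in the keystore into one PEM bundle.
# `-list` only reads the store: nothing is imported or changed.
export_bundle() {   # export_bundle KEYSTORE STOREPASS OUT.pem
    keytool -list -rfc -keystore "$1" -storepass "$2" | pem_blocks > "$3"
}

# Verify CERT (PEM or DER) against BUNDLE. Returns 0 only if openssl
# can build a chain from CERT to a root in the bundle.
verify_cert() {     # verify_cert BUNDLE.pem CERT
    cert=$2 tmp='' rc=0
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        # Not PEM: treat as DER and convert to a temporary PEM copy.
        tmp=$(mktemp) || return 2
        openssl x509 -inform DER -in "$cert" -out "$tmp" || { rm -f "$tmp"; return 2; }
        cert=$tmp
    fi
    openssl verify -CAfile "$1" "$cert" || rc=$?
    [ -z "$tmp" ] || rm -f "$tmp"
    return "$rc"
}

# Stand-alone use: sh script.sh KEYSTORE STOREPASS CERT
if [ "$#" -eq 3 ]; then
    bundle=$(mktemp) || exit 2
    export_bundle "$1" "$2" "$bundle" && verify_cert "$bundle" "$3"
    rc=$?
    rm -f "$bundle"
    exit "$rc"
fi
```

OpenSSL and Java treat the same set of certificates differently: without `-partial_chain`, `openssl verify` requires the chain to end at a self-signed root in the bundle, while Java's PKIX validation accepts any trusted certificate entry as an anchor. `openssl verify` also does not check revocation unless asked to (for example with `-crl_check`).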