471

I have a bunch of .keystore files and need to find one with specific CN and alias. Is there a way to do it with keytool, jarsigner or some other tool? I found a way to check if specific keystore was used to sign a specific apk, but I also need to get the alias and certificate name in each of the files.

Malthan
  • 5,537
  • 3
  • 17
  • 21

7 Answers

841

You can run the following command to list the content of your keystore file (and alias name):

```
keytool -v -list -keystore .keystore
```

If you are looking for a specific alias, you can also specify it in the command:

```
keytool -list -keystore .keystore -alias foo
```

If the alias is not found, it will display an exception:

```
keytool error: java.lang.Exception: Alias does not exist
```

Steven Mark Ford
  • 3,222
  • 17
  • 32
Romain Linsolas
  • 73,921
  • 45
  • 197
  • 265
  • 1
    Hi, can I display the key alias password if I know the key alias name and have the keystore certificate and keystore password? – Prateek Aug 22 '13 at 07:22
  • 13
    @prateek You can't. There wouldn't be much point in having keystore or key passwords if you could just display them with a command-line tool. – user207421 Apr 17 '15 at 12:15
  • 3
    You can run the following command to list the content of your keystore file: `keytool -list -keystore .keystore` The above command is not providing the name of the alias – Manmohan Soni Jan 12 '18 at 07:52
  • 1
    @ManmohanSoni I have updated it to include -v argument which reveals the alias – Steven Mark Ford Mar 22 '18 at 05:18
  • 21
    I think that `/path/to/keystore` instead of `.keystore` would be more clear to the reader. Anyway it is the correct answer! – Andrea Jul 11 '18 at 14:09
  • Even if we don't enter a password, the command will show the content (despite setting a password for the keystore file)! Why??? – VahidShir May 07 '19 at 07:33
  • @VahidShir It doesn't show all the content unless you provide the password. Only the non-secret stuff. – user207421 Sep 09 '20 at 00:23
278

In order to get all the details I had to add the -v option to romaintaz's answer:

```
keytool -v -list -keystore <FileName>.keystore
```
Waqas Raja
  • 10,322
  • 4
  • 31
  • 38
enkara
  • 5,509
  • 5
  • 30
  • 48
  • 10
    keytool -v -list -keystore .jks – piyush singh Aug 18 '16 at 08:45
  • 1
    keytool -v -list -keystore cacerts – Ankur Srivastava Jan 26 '17 at 21:26
  • 2
    "If the `-v` option is specified, then the certificate is printed in **human-readable format**, with additional information such as the owner, issuer, serial number, and any extensions." (see: [Java SE Tools Reference, Display Data command, -list option](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html#keytool_option_list)) – Eido95 Aug 24 '17 at 12:46
70

You can run from Java code.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class ListKeystore {
    public static void main(String[] args) {
        String keystoreLocation = args[0];   // path to the keystore file
        String password = "password";        // keystore password

        // try-with-resources closes the stream even if load() throws
        try (InputStream is = new FileInputStream(keystoreLocation)) {
            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            keystore.load(is, password.toCharArray());

            Enumeration<String> enumeration = keystore.aliases();
            while (enumeration.hasMoreElements()) {
                String alias = enumeration.nextElement();
                System.out.println("alias name: " + alias);
                // getCertificate returns null for entries without a certificate
                Certificate certificate = keystore.getCertificate(alias);
                System.out.println(certificate);
            }
        } catch (GeneralSecurityException | IOException e) {
            // covers CertificateException, NoSuchAlgorithmException,
            // KeyStoreException and FileNotFoundException
            e.printStackTrace();
        }
    }
}
```

Certificate class holds all information about the keystore.

UPDATE- OBTAIN PRIVATE KEY

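```java
// Goes inside the while loop above, where keystore, alias and password are in scope.
// Needs: import java.security.Key; import java.util.Base64;
Key key = keystore.getKey(alias, password.toCharArray());
// java.util.Base64 (Java 8+) is used here; Base64Encoder is not a JDK class
String encodedKey = Base64.getEncoder().encodeToString(key.getEncoded());
System.out.println("key ? " + encodedKey);
```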

@prateek Hope this is what you are looking for!

Ilya Kharlamov
  • 2,956
  • 28
  • 30
Renjith
  • 2,918
  • 5
  • 40
  • 60
  • import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.security.cert.Certificate; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.util.Enumeration; – ban-geoengineering Aug 06 '13 at 16:33
  • 1
    @Renjith Hello, this code displays everything except the password associated with the alias. How can I display it? Please help me – Prateek Aug 22 '13 at 08:52
  • @Renjith `java.security.UnrecoverableKeyException` is the exception thrown when I try this code. Actually I want to retrieve the alias password – Prateek Aug 22 '13 at 11:59
  • 2
    you should use the code snippet inside the aforementioned while loop – Renjith Aug 22 '13 at 12:00
  • 1
    I didn't have the Base64Encoder class. Can you please tell me which jar file has it? Or is it a .java file? – Jack Mar 16 '16 at 06:35
  • So if I add a certificate into a Keystore, then I automatically get an alias? – Gobliins Apr 05 '17 at 08:12
  • This was a life saver for me. Comodo in their wisdom created an alias that showed up with a ? in the middle. Like "mycompany's comodo id". That ? turned out to be some kind of quote which does not show up on my keyboard. I had to copy and paste the quote from the java output, and used that with keytool to make the alias something more usable. – Fred Andrews Dec 30 '18 at 05:54
58

KeyStore Explorer is an open-source visual tool to manage keystores.

Ycnannamela
  • 581
  • 4
  • 2
  • This is close to a link-only answer. The policy is that you should post some information on how to use the tool/library in the answer itself. – user202729 Dec 10 '20 at 15:04
20

In a bash-like environment you can use:

```
keytool -list -v -keystore cacerts.jks | grep 'Alias name:' | grep -i foo
```

This command consists of 3 parts. As stated above, the 1st part will list all trusted certificates with all the details, and that's why the 2nd part comes to filter only the alias information among those details. Finally, in the 3rd part you can search for a specific alias (or part of it). The `-i` turns the case-insensitive mode on. Thus the given command will yield all aliases containing the pattern 'foo', e.g. foo, 123_FOO, fooBar, etc. For more information, see `man grep`.

Svetoslav
  • 463
  • 5
  • 14
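An added example, not part of the original answers: the question asks for both an alias and a CN across many files, which a plain `grep` on `Alias name:` cannot check together. The sketch below parses `keytool -list -v` output per entry; the function names `match_entries` and `scan_keystores`, the `KS_PASS` variable (one password assumed for all files), the `*.keystore` glob and the English `Alias name:` / `Owner:` labels are assumptions.

```shell
#!/bin/sh
# Added example: find keystores that hold a given alias with a given CN.

# match_entries ALIAS CN
# Reads `keytool -list -v` output on stdin; prints "alias<TAB>owner" for every
# entry whose alias equals ALIAS (case-insensitive) and whose own certificate
# has exactly the given CN. Only the first "Owner:" line after "Alias name:"
# is checked, so a CA further up the chain cannot cause a false match.
match_entries() {
    awk -v want_alias="$1" -v want_cn="$2" '
        /^Alias name: / { alias = substr($0, 13); seen_owner = 0; next }
        /^Owner: / && alias != "" && !seen_owner {
            seen_owner = 1
            owner = substr($0, 8)
            padded = ", " owner ", "      # lets "CN=x" match as a whole RDN
            if (tolower(alias) == tolower(want_alias) &&
                index(padded, ", CN=" want_cn ", ") > 0)
                printf "%s\t%s\n", alias, owner
        }'
}

# scan_keystores DIR ALIAS CN
# Runs keytool over every *.keystore file in DIR and prefixes each match with
# the file name. The store password comes from the KS_PASS environment
# variable through -storepass:env, so it does not show up in the process list.
# -J-Duser.language=en keeps the labels in English regardless of locale.
scan_keystores() {
    for ks in "$1"/*.keystore; do
        [ -f "$ks" ] || continue
        keytool -J-Duser.language=en -list -v -keystore "$ks" \
                -storepass:env KS_PASS 2>/dev/null |
            match_entries "$2" "$3" |
            while IFS= read -r line; do printf '%s\t%s\n' "$ks" "$line"; done
    done
}
```

Typical use is `KS_PASS=... scan_keystores ./keys foo "Example App"`; files that fail to open with that password produce no output rather than an error.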
17

This will list all certificates:

```
keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts"
```
Walk
  • 1,085
  • 13
  • 16
  • This will only list certificates stored in the JDK's trust store which is similar but for a different purpose to a keystore (which was asked about). There is a good differentiation here: [http://stackoverflow.com/questions/17935619/what-is-difference-between-cacerts-and-keystore](http://stackoverflow.com/questions/17935619/what-is-difference-between-cacerts-and-keystore). – David Levy Mar 19 '17 at 16:42
  • 1
    Password: changeit (default) – Milrak Pereira Pessoa Dec 07 '20 at 18:35
0

There is also a console certificate manager written as a single-file shell script (open-source):

https://dev.to/sfkulyk/writing-panel-manager-for-certificate-keystore-in-linux-shell-187b

Can browse, copy, delete, rename and compare keystores.

Saboteur
  • 646
  • 1
  • 10