
Using the keytool command or some other non-programmatic way, I want to check whether a given certificate is present in Java's keystore or not. I know the programmatic way, but I want to achieve the same from either the keytool command or some other non-programmatic way. I know how to view the certificates present in a keystore, check their alias etc., but all this doesn't help me to ensure that a given certificate is present in the keystore. Is there any way?

I have already read this question and these are not duplicates, because that one is to check "certificate name and alias in keystore files". I don't want to check that; I want to ensure that a given certificate is present in the keystore so that my communication will be successful when I communicate with the server which will return the given certificate; a given certificate could have the same alias but its fingerprint would be different if it is not the same certificate.

pjj
  • @acm No it is not, that question is to check "certificate name and alias in keystore files", I want to ensure that a given certificate is present in the keystore; a given certificate could have the same alias but its fingerprint would be different if it is not the same certificate. – pjj Feb 08 '17 at 19:10
  • Do you want to know whether the certificate is present under a particular alias, or do you want to know whether the certificate is present under any of the keystore’s aliases? – VGR Feb 08 '17 at 19:53
  • @VGR I have a keystore and it has certificates of servers with whom I do SSL communication. Now I have got another server with whom I want to communicate over HTTPS; that server provided me their SSL certs. Now I want to check whether the certs of their root CA are present in my keystore or not (certainly their SSL certs will not be present in my truststore, and neither do I want to add the main server certs; I always add the root or intermediate CA certs), so that I would know whether my SSL communication with them will be successful or not. Please let me know if I am not clear and you need to know more. – pjj Mar 05 '17 at 13:55
  • @VGR Could you please find some time to let me know the answer to my above follow-up question. – pjj Mar 05 '17 at 13:55
  • I believe the linked duplicate question still answers your problem. Notice that one of the answers recommends using keytool’s `-v` option, which lets you examine every existing certificate’s fingerprint. – VGR Mar 05 '17 at 16:10
  • @VGR: Oh ok, that's what I wanted to know, so it is the fingerprint I should match? If the fingerprints of 2 certificates match, then does it mean those 2 certificates are the same? Is there any other factor or property which contributes to deciding whether 2 SSL certificates are the same or not? – pjj Mar 06 '17 at 00:13
  • I’m not certain, but I think if they have the same CN and the same fingerprint, they are likely the same certificate. – VGR Mar 06 '17 at 01:07
  • @VGR Ok, thank you for your inputs. That's the reason my question is not a duplicate of that question; I had clearly mentioned in my question that it wouldn't be a duplicate, but still someone marked it as a duplicate. Since it is closed, now nobody will look into it, and I don't know how I will get an answer to my question. – pjj Mar 06 '17 at 13:21
  • I have voted to reopen this question because the proposed answer does not in fact answer the question. Searching by alias in the keystore does not tell me if I already have a given certificate authority that might just as well be under another name/alias. – Edwin Dalorzo Jul 08 '20 at 22:43

2 Answers


You don't need to check first. If you do `keytool -importcert` and the cert is already present (under any alias) keytool tells you

 Certificate already exists in keystore under alias <whatever>
 Do you still want to add it? [no]:

Simply hit return or EOF -- or supply this by piping from echo or redirecting from /dev/null (NUL: on Windows). Of course if you do this automatically, it will also cancel the addition of a cert that isn't in the keystore, so you must look at the output (e.g. with `grep`) and decide whether to repeat the add operation and this time answer yes or (equivalently) use `-noprompt`.

dave_thompson_085

Today I had to do exactly this, and that's how I ended up at this question without a valid answer.

This is what I ended up doing.

First, I downloaded the certificates from my certificate authority. Then I obtained their fingerprint, e.g.

keytool -printcert -v -file GeoTrustTLSRSACAG1-Intermediate-Certificate.cer

This produces an output like the following:

Certificate fingerprints:
     MD5:  05:EE:9C:2A:C6:6F:75:D9:64:AC:5F:1A:3C:7D:E7:5D
     SHA1: 8B:3C:5B:9B:86:7D:4B:E4:6D:1C:B5:A0:1D:45:D6:7D:C8:E9:40:82
     SHA256: C0:6E:30:7F:7C:FC:1D:32:FA:72:A4:C0:33:C8:7B:90:01:9A:F2:16:F0:77:5D:64:97:8A:2E:CA:6C:8A:23:0E
     Signature algorithm name: SHA256withRSA
     Version: 3

At this point I copy the SHA1 fingerprint and then check if I already have it in my cacerts file:

keytool -keystore $JAVA_HOME/jre/lib/security/cacerts -list -storepass changeit | \
  grep "8B:3C:5B:9B:86:7D:4B:E4:6D:1C:B5:A0:1D:45:D6:7D:C8:E9:40:82"

If you find a match, it means you already have the certificate, otherwise, you don't and you may need to add it to the keystore.

Edwin Dalorzo
  • FYI [that cert](https://crt.sh/?id=250864679) is not a root cert (or a root CA for that matter) and it should validate under [this root](https://crt.sh/?id=8656329) which is already in every Oracle JDK from 8u91 up as 'digicertglobalrootg2' – dave_thompson_085 Jul 09 '20 at 00:46
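The two answers above compare a certificate against the keystore in two ways: by fingerprint in the `keytool -list` output, and by the "already exists in keystore under alias" message that `keytool -importcert` prints. The following is an added example (not code from either answer or from the JDK) that does both checks in a way that ignores the alias entirely, which is the point the reopen comment makes: the same CA can sit under any alias, so only the fingerprint is evidence. It is written in Python, computes fingerprints in keytool's colon-separated form, normalizes fingerprints copied from other tools, and parses `keytool -list -v` output. The DER bytes, the aliases and the whole sample listing are constructed stand-ins, not real certificates; the `keystore_listing` helper shells out to a real keytool and is the only part that needs a JDK.

```python
import hashlib
import re
import subprocess
from typing import Dict, Optional

# Constructed stand-in for the DER bytes of a CA certificate. It is not a real
# certificate; keytool hashes the DER encoding of the whole certificate, and any
# byte string exercises the same fingerprint-matching logic.
CA_DER = b"constructed DER bytes standing in for an intermediate CA certificate"


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Fingerprint of a DER-encoded certificate in keytool's AA:BB:CC form."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so fingerprints copied from keytool, openssl
    or a browser dialog compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


_ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$")
# JDK 8 prints MD5/SHA1/SHA256 lines; JDK 9 and later print SHA1 and SHA256.
_FP_RE = re.compile(r"^\s*(MD5|SHA1|SHA256|SHA-256):\s*([0-9A-Fa-f:]+)\s*$")


def parse_listing(text: str) -> Dict[str, Dict[str, str]]:
    """Map alias -> {algorithm: normalized fingerprint} from `keytool -list -v` output."""
    entries: Dict[str, Dict[str, str]] = {}
    alias = None
    for line in text.splitlines():
        m = _ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            entries[alias] = {}
            continue
        m = _FP_RE.match(line)
        if m and alias is not None:
            entries[alias][m.group(1).replace("-", "")] = normalize(m.group(2))
    return entries


def find_alias(listing: str, fp: str) -> Optional[str]:
    """Alias under which a certificate with fingerprint `fp` is stored, or None
    if no entry matches. The alias text itself is never consulted."""
    wanted = normalize(fp)
    for alias, fps in parse_listing(listing).items():
        if wanted in fps.values():
            return alias
    return None


def alias_from_import_message(output: str) -> Optional[str]:
    """Alias reported by `keytool -importcert` when the certificate already
    exists (the first answer's approach), or None if keytool reported none."""
    m = re.search(r"already exists in keystore under alias <([^>]+)>", output)
    return m.group(1) if m else None


def keystore_listing(keystore: str, storepass: str = "changeit") -> str:
    """Verbose listing of a real keystore (needs keytool on PATH; not run offline)."""
    return subprocess.run(
        ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass],
        check=True, capture_output=True, text=True).stdout


# Constructed sample of `keytool -list -v` output: one entry carrying the
# fingerprints of CA_DER under an alias that says nothing about the CA, and one
# unrelated entry with made-up fingerprints.
_FP_MD5, _FP_SHA1, _FP_SHA256 = (fingerprint(CA_DER, a) for a in ("md5", "sha1", "sha256"))
_OTHER_SHA1 = ":".join(["AA"] * 20)
_OTHER_SHA256 = ":".join(["BB"] * 32)
SAMPLE_LISTING = f"""Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: imported-2017
Creation date: Feb 8, 2017
Entry type: trustedCertEntry

Certificate fingerprints:
\t MD5:  {_FP_MD5}
\t SHA1: {_FP_SHA1}
\t SHA256: {_FP_SHA256}
Signature algorithm name: SHA256withRSA


*******************************************
*******************************************


Alias name: digicertglobalrootg2
Creation date: Jun 1, 2016
Entry type: trustedCertEntry

Certificate fingerprints:
\t SHA1: {_OTHER_SHA1}
\t SHA256: {_OTHER_SHA256}
Signature algorithm name: SHA256withRSA
"""


if __name__ == "__main__":
    fp = fingerprint(CA_DER)
    print("looking for", fp)
    print("found under alias:", find_alias(SAMPLE_LISTING, fp))
```

Two practical points the example encodes: the search is keyed on the fingerprint, so a CA that was imported under an unexpected alias is still found, and parsing the verbose listing sidesteps a version difference in the non-verbose one, where JDK 8's `keytool -list` prints the SHA1 fingerprint while JDK 9 and later print SHA-256, so a `grep` for the "wrong" digest silently reports the certificate as absent. For a real keystore, replace `SAMPLE_LISTING` with `keystore_listing(path)`.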