How to list the certificates stored in a PKCS12 keystore with keytool?

I wanted to list the certificates stored in a PKCS12 keystore.

The keystore has the extension .pfx

5 Answers

If the keystore is PKCS12 type (.pfx) you have to specify it with -storetype PKCS12 (line breaks added for readability):

keytool -list -v -keystore <path to keystore.pfx> \ -storepass <password> \ -storetype PKCS12 
6

You can also use openssl to accomplish the same thing:

$ openssl pkcs12 -nokeys -info \ -in </path/to/file.pfx> \ -passin pass:<pfx's password> MAC Iteration 2048 MAC verified OK PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 Certificate bag Bag Attributes localKeyID: XX XX XX XX XX XX XX XX XX XX XX XX XX 48 54 A0 47 88 1D 90 friendlyName: jedis-server subject=/C=US/ST=NC/L=Raleigh/O=XXX Security/OU=XXX/CN=something1 issuer=/C=US/ST=NC/L=Raleigh/O=XXX Security/OU=XXXX/CN=something1 -----BEGIN CERTIFICATE----- ... ... ... -----END CERTIFICATE----- PKCS7 Data Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048 
4

You can list down the entries (certificates details) with the keytool and even you don't need to mention the store type. Also, the .p12 and .pfx are both PKCS#12 files. Assume that you've the keystore file cert.pfx or cert.p12 then you can use the following command to list down the content.

keytool -list -v -keystore cert.pfx -storepass <password> 

or

keytool -list -v -keystore cert.p12 -storepass <password> Keystore type: PKCS12 Keystore provider: SunJSSE Your keystore contains 1 entry Alias name: 1 Creation date: Jul 11, 2020 Entry type: PrivateKeyEntry Certificate chain length: 2 
1
openssl pkcs12 -info -in keystore_file 

What is missing in the question and all the answers is that you might need the passphrase to read public data from the PKCS#12 (.pfx) keystore. If you need a passphrase or not depends on how the PKCS#12 file was created. You can check the ASN1 structure of the file (by running it through a ASN1 parser, openssl or certutil can do this too), if the PKCS#7 data (e.g. OID prefix 1.2.840.113549.1.7) is listed as 'encrypted' or with a cipher-spec or if the location of the data in the asn1 tree is below an encrypted node, you won't be able to read it without knowledge of the passphrase. It means your 'openssl pkcs12' command will fail with errors (output depends on the version). For those wondering why you might be interested in the certificate of a PKCS#12 without knowledge of the passphrase. Imagine you have many keystores and many phassphrases and you are really bad at keeping them organized and you don't want to test all combinations, the certificate inside the file could help you find out which password it might be. Or you are developing software to migrate/renew a keystore and you need to decide in advance which procedure to initiate based on the contained certicate without user interaction. So the latter examples work without passphrase depending on the PKCS#12 structure.

Just wanted to add that, because I didn't find an answer myself and spend a lot of time to figure it out.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like