How to Investigate Certificates (UNIX/Linux) (KBA10528)
Applicable Delphix Versions
Date: Release
- Oct 18, 2023: 16.0.0.0
- Sep 21, 2023: 15.0.0.0
- Aug 24, 2023: 14.0.0.0
- Jul 24, 2023: 13.0.0.0
- Jun 21, 2023: 12.0.0.0
- May 25, 2023: 11.0.0.0
- Apr 13, 2023: 10.0.0.0 | 10.0.0.1
- Mar 13, 2023 | Mar 20, 2023: 9.0.0.0 | 9.0.0.1
- Feb 13, 2023: 8.0.0.0
- Jan 12, 2023: 7.0.0.0
Releases Prior to 2023
Major Release: All Sub Releases
- 6.0: 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0, 6.0.13.1, 6.0.14.0, 6.0.15.0, 6.0.16.0, 6.0.17.0, 6.0.17.1, 6.0.17.2
- 5.3: 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
- 5.2: 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
- 5.1: 5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
- 5.0: 5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4
Summary
How you investigate a certificate depends on whether this is for a client application investigating a certificate already installed on a server or for a server application that is failing to install a certificate. Specifically, we can use investigation commands and their output to:
- Verify the certificate chain is unbroken back to the root CA certificate.
- Verify the common name matches the hostname or FQDN of the server.
- Verify that Subject Alternative Names (SANs) exist and that they exactly match the hostname or FQDN used to access the server from the client.
- Verify that no certificate in the chain is outside of the validity period.
- Verify the key length and ensure it is long enough to meet any security requirements you might have.
- Verify that the end entity certificate has the expected alias defined.
- Extract the certificates to PEM files for import to a truststore.
In the examples here, useful information in the output has been highlighted to help the reader understand commands with a great deal of output.
Investigating an In-Use Certificate
The following command can be used to extract useful information about the certificate, such as the validity period and chain. If you have not yet installed the root CA or intermediate CA certificates to your client truststore, the output of this command also provides the certificates themselves so they can be saved to file and imported.
$ openssl s_client -connect <HOSTNAME>:<PORT> -showcerts
Example:
$ echo Q | openssl s_client -connect 192.168.1.60:443 -showcerts
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=2 C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
verify return:1
depth=1 C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = web.ca.Delphix.com, emailAddress = noreply@delphix.com
verify return:1
depth=0 C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = sapporo
verify return:1
---
Certificate chain
 0 s:C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = sapporo
   i:C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = web.ca.Delphix.com, emailAddress = noreply@delphix.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 28 01:59:40 2021 GMT; NotAfter: Jul 16 01:59:40 2026 GMT
-----BEGIN CERTIFICATE-----
[base64 certificate body]
-----END CERTIFICATE-----
 1 s:C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
   i:C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 27 07:27:12 2021 GMT; NotAfter: May 23 07:27:12 2036 GMT
-----BEGIN CERTIFICATE-----
[base64 certificate body]
-----END CERTIFICATE-----
 2 s:C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = web.ca.Delphix.com, emailAddress = noreply@delphix.com
   i:C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 27 07:31:17 2021 GMT; NotAfter: May 25 07:31:17 2031 GMT
-----BEGIN CERTIFICATE-----
[base64 certificate body]
-----END CERTIFICATE-----
---
Server certificate
subject=C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = sapporo
issuer=C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = web.ca.Delphix.com, emailAddress = noreply@delphix.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4528 bytes and written 386 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 6B27104B768342BF859DDFA7EEE27EF0C8BCD51E752AFCE313668E8346E9DBB5
    Session-ID-ctx:
    Master-Key: 4C20DA4F0F4B4FD25FA082A300BBCD101AF289C7BF85A22E783F31F0C27629315CE2462D6A088319871824D7FFCD3CAB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [session ticket hex dump]
    Start Time: 1699417461
    Timeout : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: yes
---
In the example above, there is some TLS handshake related information which may be useful for troubleshooting TLS issues. However, here we are primarily interested in the certificate details.
In the real example provided, we have a chain that shows us that:
- The end entity (Server Certificate)
  C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = sapporo
  was signed by intermediate CA certificate
  C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = web.ca.Delphix.com, emailAddress = noreply@delphix.com
  which was in turn signed by root CA certificate
  C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
  The chain is unbroken because every certificate's Issuer also exists in the output.
- The validity for the end entity certificate is
  NotBefore: May 28 01:59:40 2021 GMT; NotAfter: Jul 16 01:59:40 2026 GMT
  which happens to also be the validity period for the chain, because it is the latest NotBefore value and the earliest NotAfter value. In some cases, a CA certificate might expire first, in which case the validity of the chain would take the earliest NotAfter timestamp. It is something to be careful of when getting a new certificate from a CA that is near the end of its own validity period.
- You can also see that the end entity certificate (Server public key) is 2048 bit. This is useful to know, as applications may impose a minimum length. 2048 bit is the common minimum accepted key length currently, but there are older CAs still issuing 1024 and even 512 bit keys which will be rejected by many applications.
- Finally, if needed, you can extract a certificate. This is most useful for installing CA certificates to a truststore. Simply copy the base64 section beginning with -----BEGIN CERTIFICATE----- (including the dashes as shown) up to and including -----END CERTIFICATE----- and save it to a plain text file with the *.pem extension.
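The chain checks walked through above (every Issuer present in the output, the chain validity window, the key length), as an added example that is not part of the original article: a Python parser for the "Certificate chain" section of openssl s_client -showcerts output in the OpenSSL 3.x layout. The names ChainCert, parse_chain and check_chain belong to this example only, and the sample text is the chain from the output above with the certificate bodies left out.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Chain section of the s_client example above (OpenSSL 3.x layout); the base64
# certificate bodies between the BEGIN/END markers are left out.
SAMPLE = """\
---
Certificate chain
 0 s:C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = sapporo
   i:C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = web.ca.Delphix.com, emailAddress = noreply@delphix.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 28 01:59:40 2021 GMT; NotAfter: Jul 16 01:59:40 2026 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
   i:C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 27 07:27:12 2021 GMT; NotAfter: May 23 07:27:12 2036 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 2 s:C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = web.ca.Delphix.com, emailAddress = noreply@delphix.com
   i:C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 27 07:31:17 2021 GMT; NotAfter: May 25 07:31:17 2031 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
"""


@dataclass
class ChainCert:
    index: int
    subject: str
    issuer: str = ""
    key_bits: Optional[int] = None
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None


def _ts(text: str) -> datetime:
    """Parse an OpenSSL timestamp such as 'May 28 01:59:40 2021 GMT' as UTC."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)


def parse_chain(output: str) -> List[ChainCert]:
    """Collect the s:/i:/a:/v: lines of each certificate in the chain section."""
    certs: List[ChainCert] = []
    in_chain = False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif not in_chain:
            continue
        elif line.strip() == "---":  # exact match: PEM markers also start with dashes
            break
        elif m := re.match(r"\s*(\d+) s:(.*)", line):
            certs.append(ChainCert(int(m.group(1)), m.group(2).strip()))
        elif not certs:
            continue
        elif m := re.match(r"\s*i:(.*)", line):
            certs[-1].issuer = m.group(1).strip()
        elif m := re.match(r"\s*a:PKEY: [^,]+, (\d+) \(bit\)", line):
            certs[-1].key_bits = int(m.group(1))
        elif m := re.match(r"\s*v:NotBefore: (.+?); NotAfter: (.+)", line):
            certs[-1].not_before, certs[-1].not_after = _ts(m.group(1)), _ts(m.group(2))
    return certs


def check_chain(certs: List[ChainCert], now: datetime, min_key_bits: int = 2048) -> dict:
    """Compare names and dates only; signatures are not verified here."""
    subjects = {c.subject for c in certs}
    dated = [c for c in certs if c.not_before and c.not_after]
    return {
        # Issuers that never appear as a Subject mean the chain is broken.
        "missing_issuers": [c.issuer for c in certs if c.issuer not in subjects],
        "roots": [c.subject for c in certs if c.subject == c.issuer],
        # Chain validity: latest NotBefore up to earliest NotAfter.
        "valid_from": max((c.not_before for c in dated), default=None),
        "valid_until": min((c.not_after for c in dated), default=None),
        "outside_validity": [c.subject for c in dated
                             if not c.not_before <= now <= c.not_after],
        "short_keys": [c.subject for c in certs
                       if c.key_bits is not None and c.key_bits < min_key_bits],
    }


if __name__ == "__main__":
    report = check_chain(parse_chain(SAMPLE), datetime.now(timezone.utc))
    for name, value in report.items():
        print(f"{name}: {value}")
```

A server that does not send its root CA certificate will show that root under missing_issuers, which matches the article's definition of an unbroken chain as one where every Issuer appears in the output.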
Investigating a Certificate File
The methods described below all provide similar output which allows you to investigate all characteristics of a certificate or all certificates in a keystore file.
PEM
$ openssl x509 -in <FILENAME> -text -nocert
Example
$ openssl x509 -in sapporo.pem -text -nocert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10000001 (0x989681)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = web.ca.Delphix.com, emailAddress = noreply@delphix.com
        Validity
            Not Before: May 28 01:59:40 2021 GMT
            Not After : Jul 16 01:59:40 2026 GMT
        Subject: C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = sapporo
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [modulus hex bytes]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                AC X509 Authority Generated Certificate
            X509v3 Subject Key Identifier:
                8A:5B:29:4C:6F:7E:29:B3:C5:ED:15:01:86:C2:B8:9B:89:B7:60:29
            X509v3 Authority Key Identifier:
                1D:C9:96:85:7E:C8:C8:39:50:29:B1:A1:94:72:AA:8B:11:12:79:72
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ca.Delphix.com/web.ca.Delphix.com.crl
                Full Name:
                  URI:http://ca.Delphix.com/b-x509/crls/web.ca.Delphix.com.crl
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Subject Alternative Name:
                DNS:sapporo.lan.Delphix.com, DNS:admin.sapporo.lan.Delphix.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        [signature hex bytes]
JKS
$ keytool -keystore <FILENAME> -list -v
Example
$ keytool -keystore myKeystore.jks -list -v
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: tomcat
Creation date: 08-Nov-2023
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=sapporo, L=Sapporo, OU=Security, O=Delphix, ST=Hokkaido, C=JA
Issuer: EMAILADDRESS=noreply@delphix.com, CN=web.ca.Delphix.com, L=Sapporo, OU=Security, O=Delphix, ST=Hokkaido, C=JA
Serial number: 989681
Valid from: Fri May 28 01:59:40 UTC 2021 until: Thu Jul 16 01:59:40 UTC 2026
Certificate fingerprints:
  MD5: E0:24:E2:C9:1F:C3:80:17:E3:28:DA:41:E4:20:E4:40
  SHA1: 9E:9A:4E:EE:05:96:B1:AD:FE:9F:A6:F2:CD:C5:0E:7B:21:22:60:D5
  SHA256: 79:B2:09:E1:F9:0D:3B:C0:2B:AF:91:4A:76:91:52:AE:BB:92:0A:BE:27:35:57:7F:9D:9A:5D:E5:D0:27:9D:FD
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 27 41 43 20 58 35 30 39 20 41 75 74 68 6F 72 .'AC X509 Author
0010: 69 74 79 20 47 65 6E 65 72 61 74 65 64 20 43 65 ity Generated Ce
0020: 72 74 69 66 69 63 61 74 65 rtificate
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 1D C9 96 85 7E C8 C8 39 50 29 B1 A1 94 72 AA 8B .......9P)...r..
0010: 11 12 79 72 ..yr
]
]
#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ca.Delphix.com/web.ca.Delphix.com.crl]
, DistributionPoint:
     [URIName: http://ca.Delphix.com/b-x509/crls/web.ca.Delphix.com.crl]
]]
#5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL server
]
#6: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: sapporo.lan.Delphix.com
  DNSName: admin.sapporo.lan.Delphix.com
]
#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8A 5B 29 4C 6F 7E 29 B3 C5 ED 15 01 86 C2 B8 9B .[)Lo.).........
0010: 89 B7 60 29 ..`)
]
]
Certificate[2]:
Owner: EMAILADDRESS=noreply@delphix.com, CN=web.ca.Delphix.com, L=Sapporo, OU=Security, O=Delphix, ST=Hokkaido, C=JA
Issuer: EMAILADDRESS=noreply@delphix.com, CN=root.ca.Delphix.com, OU=Security, O=Delphix, L=Sapporo, ST=Hokkaido, C=JA
Serial number: 989680
Valid from: Thu May 27 07:31:17 UTC 2021 until: Sun May 25 07:31:17 UTC 2031
Certificate fingerprints:
  MD5: F4:F6:05:B5:32:A8:87:D9:CD:AC:4F:0A:F9:47:7C:DB
  SHA1: 22:8B:78:C6:1D:92:1F:2A:CB:4E:C2:3E:6D:47:5A:2C:B7:4D:90:E6
  SHA256: 3F:16:1E:90:F1:17:C4:1F:4A:75:C6:92:6B:A1:9C:E1:58:D1:72:0E:7E:47:37:01:1A:9E:E5:E0:8A:7E:A5:A4
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 27 41 43 20 58 35 30 39 20 41 75 74 68 6F 72 .'AC X509 Author
0010: 69 74 79 20 47 65 6E 65 72 61 74 65 64 20 43 65 ity Generated Ce
0020: 72 74 69 66 69 63 61 74 65 rtificate
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 66 BA F8 37 0D 64 9C 61 A2 CE 5E FB 17 1F 13 5B f..7.d.a..^....[
0010: 1F 06 79 46 ..yF
]
]
#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ca.Delphix.com/root.ca.Delphix.com.crl]
, DistributionPoint:
     [URIName: http://ca.Delphix.com/b-x509/crls/root.ca.Delphix.com.crl]
]]
#5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL server
   Object Signing
]
#6: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: web.ca.Delphix.com
]
#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1D C9 96 85 7E C8 C8 39 50 29 B1 A1 94 72 AA 8B .......9P)...r..
0010: 11 12 79 72 ..yr
]
]
Certificate[3]:
Owner: EMAILADDRESS=noreply@delphix.com, CN=root.ca.Delphix.com, OU=Security, O=Delphix, L=Sapporo, ST=Hokkaido, C=JA
Issuer: EMAILADDRESS=noreply@delphix.com, CN=root.ca.Delphix.com, OU=Security, O=Delphix, L=Sapporo, ST=Hokkaido, C=JA
Serial number: 15cc639928e61353272811a02361b88fd62affc7
Valid from: Thu May 27 07:27:12 UTC 2021 until: Fri May 23 07:27:12 UTC 2036
Certificate fingerprints:
  MD5: 3B:A3:2D:11:A6:BD:32:A6:AC:EF:D4:AD:AC:A1:17:30
  SHA1: 0D:1E:48:DE:B0:1B:07:EA:84:C6:8E:92:63:A6:A4:4B:68:75:F5:45
  SHA256: 92:C8:EB:2B:DE:0E:4C:0B:B1:F1:DE:07:82:46:78:CA:6A:61:49:48:43:94:37:BF:08:AC:1A:16:32:26:69:D5
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 27 41 43 20 58 35 30 39 20 41 75 74 68 6F 72 .'AC X509 Author
0010: 69 74 79 20 47 65 6E 65 72 61 74 65 64 20 43 65 ity Generated Ce
0020: 72 74 69 66 69 63 61 74 65 rtificate
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 66 BA F8 37 0D 64 9C 61 A2 CE 5E FB 17 1F 13 5B f..7.d.a..^....[
0010: 1F 06 79 46 ..yF
]
]
#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ca.Delphix.com/root.ca.Delphix.com.crl]
, DistributionPoint:
     [URIName: http://ca.Delphix.com/b-x509/crls/root.ca.Delphix.com.crl]
]]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 66 BA F8 37 0D 64 9C 61 A2 CE 5E FB 17 1F 13 5B f..7.d.a..^....[
0010: 1F 06 79 46 ..yF
]
]
*******************************************
*******************************************
PKCS#12 and PFX
$ openssl pkcs12 -in <FILENAME> -info
Example
$ openssl pkcs12 -in sapporo.p12 -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    friendlyName: tomcat
    localKeyID: 9E 9A 4E EE 05 96 B1 AD FE 9F A6 F2 CD C5 0E 7B 21 22 60 D5
subject=C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = sapporo
issuer=C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = web.ca.Delphix.com, emailAddress = noreply@delphix.com
-----BEGIN CERTIFICATE-----
[base64 certificate body]
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: root
subject=C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
issuer=C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
-----BEGIN CERTIFICATE-----
[base64 certificate body]
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: intermediate1
subject=C = JA, ST = Hokkaido, O = Delphix, OU = Security, L = Sapporo, CN = web.ca.Delphix.com, emailAddress = noreply@delphix.com
issuer=C = JA, ST = Hokkaido, L = Sapporo, O = Delphix, OU = Security, CN = root.ca.Delphix.com, emailAddress = noreply@delphix.com
-----BEGIN CERTIFICATE-----
[base64 certificate body]
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    friendlyName: tomcat
    localKeyID: 9E 9A 4E EE 05 96 B1 AD FE 9F A6 F2 CD C5 0E 7B 21 22 60 D5
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
[base64 encrypted private key body]
-----END ENCRYPTED PRIVATE KEY-----
Unlike the JKS format, the PKCS#12 container does not extract and store the metadata for attributes such as SANs, validity periods, or other details. For this, you need to pass the raw PEM sections for the public and private keys to openssl. Simply copy the base64 sections beginning with -----BEGIN CERTIFICATE----- (including the dashes as shown) up to and including -----END CERTIFICATE----- and save them to a plain text file with the *.pem extension. It is not usually required to extract and investigate private keys.