How to print the public key of a certificate using keytool?

java certificate keytool

89,919

Solution 1

You can do that With openssl.

If this certificate is DER-encoded (binary), use:

openssl x509 -inform der -in client.crt -pubkey -noout

for PEM-encoded use -inform pem option (or no -inform at all).

To see details of public key, use:

openssl x509 -inform der -in client.crt -pubkey -noout | openssl rsa -pubin -text -noout

Solution 2

You can do it with:

keytool -list -rfc -keystore mykeystore.jks -alias certificate_alias -storepass password

Example run:

PS c:\sample> keytool -list -rfc -keystore mykeystore.jks -alias cert_alias -storepass password
Alias name: cert_alias
Creation date: Apr 25, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-----BEGIN CERTIFICATE-----
MIIB4zCCAUygAwIBAgIIRzI14w7rL20wDQYJKoZIhvcNAQENBQAwMzELMAkGA1UEBhMCVVMxDTAL
BgNVBAoTBE5vbmUxFTATBgNVBAMTDE5vbmUgb3U9Tm9uZTAgFw0xNDA0MjQxNzQ0NDJaGA8yMTE0
MDQyNTE3NDQ0MlowMzELMAkGA1UEBhMCVVMxDTALBgNVBAoTBE5vbmUxFTATBgNVBAMTDE5vbmUg
b3U9Tm9uZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAivXBBtFnJTm1NbHysv3Mnpn/lCg6
1onJDxr/jkvI8+1Bljs1jktyYOeKDWxJwpDU7QyIqttgtDvRT4Yaew5WiQyADIyY0cBTvp3S7uKx
M5C3zxZdG6WTflU7xcYnGk3/d0VhwA6BL9YPsRaS/K+ww1yvxWKIOPW68wDe0ccvGWcCAwEAATAN
BgkqhkiG9w0BAQ0FAAOBgQB/5qDMA9fmlCWlOD9aHjBD6I8zAOSshMCFK8XcZJHowag8WtZyL3DR
insx2HoDlBewIJAEtAplo2NpeFyNtK93PS7zV+vwEYHCu46Db3klMksp3MmSXD39QPlmwfsGZlja
K8Ww0TsR5GtccFMH41KKa+PlvVZNEdZumdrca59olQ==
-----END CERTIFICATE-----

Solution 3

You can print the cert to pem format, then use openssl to print public key from the pem format.

add -rfc option to -printcert

keytool -printcert -rfc -file client.crt
save the output like below to a file client.pem

-----BEGIN CERTIFICATE----- MIIB4zCCAUygAwIBAgIIRzI14w7rL20wDQYJKoZIhvcNAQENBQAwMzELMAkGA1UEBhMCVVMxDTAL

......

-----END CERTIFICATE-----
then use openssl

openssl x509 -inform pem -text -in client.pem

so you got the public key

Solution 4

Keytool list rfc just prints the base64 encoded version of whole certificate, not the public key. Keytool doesn't support the printing the public key of Certificate. We can use openssl for this purpose.

View more solutions

89,919

Author by

Ashwin

https://github.com/ashwinbhaskar

Updated on July 09, 2022

Comments

Ashwin almost 2 years

Is there a way in keytool to print the publick key of a certificate? I tried:

keytool -printcert -file client.crt

But it gives only the following information:

Owner: CN=client, OU=as, O=as, L=as, ST=as, C=as
Issuer: EMAILADDRESS=as, CN=ca, OU=as, O=as, L=as, ST=as, C=as
Serial number: 3
Valid from: Tue Apr 10 12:18:47 GMT+05:30 2012 until: Wed Apr 10 12:18:47 GMT+05
:30 2013
Certificate fingerprints:
         MD5:  26:C0:29:E9:8C:AB:C3:9E:95:38:74:8A:87:D3:86:8D
         SHA1: 5C:5A:BA:47:44:83:7E:CB:48:BE:DD:E5:39:51:24:42:C6:C5:60:8B
         SHA256: DA:26:B8:C8:F4:04:3E:62:F3:7F:3B:EC:1D:9F:85:66:28:00:45:55:66:
15:FF:BB:37:77:97:59:F0:EC:0B:B6
         Signature algorithm name: SHA1withRSA
         Version: 1

There is no public key in this.

Ashwin about 12 years

thanks for the answer. I am able to see the public key. But is there any way to do it in keytool?
Vlad Sankin about 10 years

assuming openssl is not available and to answer the actual question (how to use keytool to print public key part).
Peter Long over 9 years

The question asked how to print the public key of the certificate. This output is the PEM encoded representation of the entire certificate. Public Key output would start with '-----BEGIN PUBLIC KEY-----'
Jonas Andersson almost 9 years

Without intermediate file: keytool -list -rfc --keystore ./path_to_keystore.jks | openssl x509 -inform pem -pubkey
Nish over 8 years

There is a way to use keeytool with -list option to print, please refer answer from @Vlad Sankin
Peter Long almost 8 years

2 years later I now realize @VladSankin was just describing how to get the certificate as a precursor to using openssl to extract the public key from it. So building on the accepted answer you could do something like keytool -list -rfc -keystore mykeystore.jks -alias cert_alias -storepass password | openssl x509 -inform pem -pubkey -noout | openssl rsa -pubin -text -noout
Kirill G. almost 8 years

Why is the sample saying PrivateKeyEntry ? Is it the private key?
rogue lad almost 7 years

It would be wonderful if you mention the documentation and purpose of -rfc argument of keytool
David over 4 years

-rfc tells keytool to write the output certificate in Base 64 encoding form described in RFC 1421 Certificate Encoding Standard
asgs almost 4 years

thank you! -rfc looks like the option I am wanting