How to print the public key of a certificate using keytool?
Solution 1
You can do that With openssl
.
If this certificate is DER-encoded (binary), use:
openssl x509 -inform der -in client.crt -pubkey -noout
for PEM-encoded use -inform pem
option (or no -inform
at all).
To see details of public key, use:
openssl x509 -inform der -in client.crt -pubkey -noout | openssl rsa -pubin -text -noout
Solution 2
You can do it with:
keytool -list -rfc -keystore mykeystore.jks -alias certificate_alias -storepass password
Example run:
PS c:\sample> keytool -list -rfc -keystore mykeystore.jks -alias cert_alias -storepass password
Alias name: cert_alias
Creation date: Apr 25, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-----BEGIN CERTIFICATE-----
MIIB4zCCAUygAwIBAgIIRzI14w7rL20wDQYJKoZIhvcNAQENBQAwMzELMAkGA1UEBhMCVVMxDTAL
BgNVBAoTBE5vbmUxFTATBgNVBAMTDE5vbmUgb3U9Tm9uZTAgFw0xNDA0MjQxNzQ0NDJaGA8yMTE0
MDQyNTE3NDQ0MlowMzELMAkGA1UEBhMCVVMxDTALBgNVBAoTBE5vbmUxFTATBgNVBAMTDE5vbmUg
b3U9Tm9uZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAivXBBtFnJTm1NbHysv3Mnpn/lCg6
1onJDxr/jkvI8+1Bljs1jktyYOeKDWxJwpDU7QyIqttgtDvRT4Yaew5WiQyADIyY0cBTvp3S7uKx
M5C3zxZdG6WTflU7xcYnGk3/d0VhwA6BL9YPsRaS/K+ww1yvxWKIOPW68wDe0ccvGWcCAwEAATAN
BgkqhkiG9w0BAQ0FAAOBgQB/5qDMA9fmlCWlOD9aHjBD6I8zAOSshMCFK8XcZJHowag8WtZyL3DR
insx2HoDlBewIJAEtAplo2NpeFyNtK93PS7zV+vwEYHCu46Db3klMksp3MmSXD39QPlmwfsGZlja
K8Ww0TsR5GtccFMH41KKa+PlvVZNEdZumdrca59olQ==
-----END CERTIFICATE-----
Solution 3
You can print the cert to pem format, then use openssl to print public key from the pem format.
add
-rfc
option to -printcertkeytool -printcert -rfc -file client.crt
save the output like below to a file client.pem
-----BEGIN CERTIFICATE----- MIIB4zCCAUygAwIBAgIIRzI14w7rL20wDQYJKoZIhvcNAQENBQAwMzELMAkGA1UEBhMCVVMxDTAL
......
-----END CERTIFICATE-----
then use openssl
openssl x509 -inform pem -text -in client.pem
so you got the public key
Solution 4
Keytool list rfc just prints the base64 encoded version of whole certificate, not the public key. Keytool doesn't support the printing the public key of Certificate. We can use openssl for this purpose.
Comments
-
Ashwin almost 2 years
Is there a way in keytool to print the publick key of a certificate? I tried:
keytool -printcert -file client.crt
But it gives only the following information:
Owner: CN=client, OU=as, O=as, L=as, ST=as, C=as Issuer: EMAILADDRESS=as, CN=ca, OU=as, O=as, L=as, ST=as, C=as Serial number: 3 Valid from: Tue Apr 10 12:18:47 GMT+05:30 2012 until: Wed Apr 10 12:18:47 GMT+05 :30 2013 Certificate fingerprints: MD5: 26:C0:29:E9:8C:AB:C3:9E:95:38:74:8A:87:D3:86:8D SHA1: 5C:5A:BA:47:44:83:7E:CB:48:BE:DD:E5:39:51:24:42:C6:C5:60:8B SHA256: DA:26:B8:C8:F4:04:3E:62:F3:7F:3B:EC:1D:9F:85:66:28:00:45:55:66: 15:FF:BB:37:77:97:59:F0:EC:0B:B6 Signature algorithm name: SHA1withRSA Version: 1
There is no public key in this.
-
Ashwin about 12 yearsthanks for the answer. I am able to see the public key. But is there any way to do it in keytool?
-
Vlad Sankin about 10 yearsassuming openssl is not available and to answer the actual question (how to use keytool to print public key part).
-
Peter Long over 9 yearsThe question asked how to print the public key of the certificate. This output is the PEM encoded representation of the entire certificate. Public Key output would start with '-----BEGIN PUBLIC KEY-----'
-
Jonas Andersson almost 9 yearsWithout intermediate file: keytool -list -rfc --keystore ./path_to_keystore.jks | openssl x509 -inform pem -pubkey
-
Nish over 8 yearsThere is a way to use keeytool with -list option to print, please refer answer from @Vlad Sankin
-
Peter Long almost 8 years2 years later I now realize @VladSankin was just describing how to get the certificate as a precursor to using openssl to extract the public key from it. So building on the accepted answer you could do something like
keytool -list -rfc -keystore mykeystore.jks -alias cert_alias -storepass password | openssl x509 -inform pem -pubkey -noout | openssl rsa -pubin -text -noout
-
Kirill G. almost 8 yearsWhy is the sample saying
PrivateKeyEntry
? Is it the private key? -
rogue lad almost 7 yearsIt would be wonderful if you mention the documentation and purpose of -rfc argument of keytool
-
David over 4 years
-rfc
tellskeytool
to write the output certificate inBase 64 encoding
form described inRFC 1421 Certificate Encoding Standard
-
asgs almost 4 yearsthank you!
-rfc
looks like the option I am wanting