Verify certificate against Java certificate store via CLI

19,291

Solution 1

This page could be oversimplifying:

http://java.sun.com/docs/books/tutorial/security/toolfilex/rstep1.html

But it doesn't look like even import with keytool does a true verification of a certificate. I'm not seeing any description of verifying the signature of the incoming certificate against the signature of another trusted certificate.

jarsigner will verify a signature on a signed jar, but doesn't do anything to verify the signature on the certificate used to sign the jar.

I'm afraid you'd either have to write a tool to do the verification, or look for a commercial tool that does it. I would think that some of the PKI tool kits would have a certificate verification tool that would do this.

Solution 2

You can use keytool to export the needed certificates (those that are in the chain for the one you need to verify) from the Java keystore into X.509 files. Then, concatenate them together into one file. Finally, use openssl to do the verification.

openssl verify -CAfile concatenated-certs.crt cert-to-verify.crt

Not a perfect solution since it involves popping the certs out of the truststore, but it ought to work given what you are starting with.
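The "write your own tool" route from Solution 1, done with the JDK's own PKIX validator so that, like the openssl command in Solution 2, the truststore is only read and never modified. This is an added example, not Brian's utility or code from either answer; it assumes the truststore path, its password (the JDK's bundled cacerts ships with "changeit") and the certificate file are passed on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical tool, not Brian's): validate a certificate file against a
// Java truststore without importing anything. Usage: java VerifyCert <truststore> <storepass> <cert>
// The cert file may be DER or PEM; a PEM file may hold the chain, end-entity first (root comes from the truststore).
public class VerifyCert {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: VerifyCert <truststore> <storepass> <cert.der|cert.pem>");
            System.exit(2);
        }
        // Load the truststore read-only; each trusted-certificate entry becomes a trust anchor.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        // generateCertificates() accepts a single DER cert as well as one or more PEM blocks.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        CertPath path = cf.generateCertPath(chain);
        // PKIX validation: signatures, validity periods, name chaining, basic constraints.
        // Revocation checking is off because it needs network access to CRL/OCSP endpoints.
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("OK: " + chain.get(0).getSubjectX500Principal() + " chains to a trust anchor in " + args[0]);
        } catch (CertPathValidatorException e) {
            // getIndex() is the position of the failing certificate in the path, or -1.
            System.out.println("FAIL: " + e.getMessage() + " (cert index " + e.getIndex() + ")");
            System.exit(1);
        }
    }
}
```

Because the certificates are parsed with CertificateFactory rather than fed to openssl, the PEM-versus-DER issue G__ raises in the comments does not arise here.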


Author by

Brian

Updated on January 24, 2020

Comments

  • Brian
    Brian over 4 years

    How can I verify an X509 (or DER-formatted) certificate against the Java certificate store via the command line?

    I've looked into using the keytool utility, but it looks like it only handles import/export/display functionality (no verification).

    EDIT: It looks as though keytool can be used for verification, but only if an import is attempted. I suppose a better way of asking this question is whether or not a more passive approach (as in: not modifying the keystore) is available. Thanks!

  • Brian
    Brian over 14 years
    I think you're right that Keytool won't support what I'm trying to do. We ended up opting to make our own util, especially since Keytool isn't signed and we want to be able to verify the executable prior to running it.
  • G__
    G__ about 12 years
    This worked for me, but note that openssl wants PEM formatted certs and not DER (which is what keytool seems to use by default)
  • Nicholas DiPiazza
    Nicholas DiPiazza about 3 years
    sharing that util would be super awesome!