Verify certificate against Java certificate store via CLI

Brian picture Brian · Jan 13, 2009 · Viewed 18.2k times · Source

How can I verify an X509 (or DER-formatted) certificate against the Java certificate store via the command line?

I've looked into using the keytool utility, but it looks like it only handles import/export/display functionality (no verification).

EDIT: It looks as though keytool can be used for verification, but only if an import is attempted. I suppose a better way of asking this questions is whether or not a more passive approach (as in: not modifying the keystore) is available. Thanks!

Answer

bhavanki picture bhavanki · Jan 23, 2009

You can use keytool to export the needed certificates (those that are in the chain for the one you need to verify) from the Java keystore into X.509 files. Then, concatenate them together into one file. Finally, use openssl to do the verification.

openssl verify -CAfile concatenated-certs.crt cert-to-verify.crt

Not a perfect solution since it involves popping the certs out of the truststore, but it ought to work given what you are starting with.