Verify certificate against Java certificate store via CLI

java certificate verification keystore keytool
Brian picture Brian · Jan 13, 2009 · Viewed 18.2k times · Source

How can I verify an X509 (or DER-formatted) certificate against the Java certificate store via the command line?

I've looked into using the keytool utility, but it looks like it only handles import/export/display functionality (no verification).

EDIT: It looks as though keytool can be used for verification, but only if an import is attempted. I suppose a better way of asking this questions is whether or not a more passive approach (as in: not modifying the keystore) is available. Thanks!

Answer

bhavanki picture bhavanki · Jan 23, 2009

You can use keytool to export the needed certificates (those that are in the chain for the one you need to verify) from the Java keystore into X.509 files. Then, concatenate them together into one file. Finally, use openssl to do the verification.

openssl verify -CAfile concatenated-certs.crt cert-to-verify.crt

Not a perfect solution since it involves popping the certs out of the truststore, but it ought to work given what you are starting with.

Related questions

How to import a .cer certificate into a java keystore?

During the development of a Java webservice client I ran into a problem. Authentication for the webservice is using a client certificate, a username and a password. The client certificate I received from the company behind the webservice is in .…

Read More
Trusting all certificates using HttpClient over HTTPS

Recently posted a question regarding the HttpClient over Https (found here). I've made some headway, but I've run into new issues. As with my last problem, I can't seem to find an example anywhere that works for me. Basically, I …

Read More
How to fix the "java.security.cert.CertificateException: No subject alternative names present" error?

I have a Java web service client, which consumes a web service via HTTPS. import javax.xml.ws.Service; @WebServiceClient(name = "ISomeService", targetNamespace = "http://tempuri.org/", wsdlLocation = "...") public class ISomeService extends Service { public ISomeService() { super(__getWsdlLocation(), ISOMESERVICE_QNAME); } When I …

Read More