Java cacerts


cacerts is the default trust store shipped by every JVM vendor. The cacerts file lives under the JRE's lib/security folder.

cacerts is also known as the Java standard trust store; it holds the public (root CA) certificates that the JVM trusts by default.

When we list this trust store we can see the different digital certificates it contains; to open the store we need to give the default store password, "changeit".



Let's list cacerts.


./jdk1.7.0_71/bin/keytool -list -keystore jdk1.7.0_71/jre/lib/security/cacerts -storepass changeit
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 87 entries

digicertassuredidrootca, Apr 16, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
trustcenterclass2caii, Apr 29, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E
thawtepremiumserverca, Dec 12, 2009, trustedCertEntry,
Certificate fingerprint (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66
swisssignplatinumg2ca, Oct 31, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): 56:E0:FA:C0:3B:8F:18:23:55:18:E5:D3:11:CA:E8:C2:43:31:AB:66
swisssignsilverg2ca, Oct 31, 2008, trustedCertEntry,
.
.
.
.
.
.



In the listing above we see all 87 certificates; for each entry it shows the alias, creation date, entry type (trustedCertEntry) and SHA1 fingerprint.


To get more details on an individual certificate we can pass the -v (verbose) option; check this one.


./jdk1.7.0_71/bin/keytool -list -keystore jdk1.7.0_71/jre/lib/security/cacerts -storepass changeit -v
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 87 entries

Alias name: digicertassuredidrootca
Creation date: Apr 16, 2008
Entry type: trustedCertEntry

Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: ce7e0e517d846fe8fe560fc1bf03039
Valid from: Fri Nov 10 05:30:00 IST 2006 until: Mon Nov 10 05:30:00 IST 2031
Certificate fingerprints:
     MD5:  87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
     SHA1: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
     SHA256: 3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 45 EB A2 AF F4 92 CB 82   31 2D 51 8B A7 A7 21 9D  E.......1-Q...!.
0010: F3 6D C8 0F                                        .m..
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 45 EB A2 AF F4 92 CB 82   31 2D 51 8B A7 A7 21 9D  E.......1-Q...!.
0010: F3 6D C8 0F                                        .m..
]
]



*******************************************
*******************************************


In the verbose output we can see details such as the creation date, validity period (valid from/until), certificate fingerprints and signature algorithm, issuer, owner and the certificate's extensions (here the authority/subject key identifiers, the CA basic constraint and the key usage).
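As an added example, not part of the original post and not JDK code, here is a small Java program that does programmatically what the keytool listings above do: it opens cacerts with the default "changeit" password, walks every trustedCertEntry and prints the owner, expiry, signature algorithm and SHA-256 fingerprint, flagging entries that are expired, signed with MD5/SHA1, or lack the CA basic constraint shown in extension #2. The store location is assumed from java.home (lib/security on JDK 9+, jre/lib/security on JDK 8 and earlier, as on the page); pass a path and password as arguments to audit a different store.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

// Added example (not from the original post): audit the trusted entries in cacerts.
public class CacertsAudit {

    // Default password of the JDK-shipped cacerts store, as stated on the page.
    private static final char[] DEFAULT_STOREPASS = "changeit".toCharArray();

    // Assumption: cacerts sits under java.home. JDK 9+ keeps it in lib/security,
    // JDK 8 and earlier (e.g. the jdk1.7.0_71 on the page) in jre/lib/security.
    static Path locateCacerts() {
        Path home = Paths.get(System.getProperty("java.home"));
        Path modern = home.resolve("lib").resolve("security").resolve("cacerts");
        Path legacy = home.resolve("jre").resolve("lib").resolve("security").resolve("cacerts");
        return Files.exists(modern) ? modern : legacy;
    }

    // Colon-separated hex digest of the DER encoding, the same form keytool prints.
    static String fingerprint(String algorithm, Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Signature algorithms built on a broken or deprecated hash function.
    static boolean weakSignature(X509Certificate x) {
        String alg = x.getSigAlgName().toUpperCase();
        return alg.startsWith("MD2") || alg.startsWith("MD5") || alg.startsWith("SHA1");
    }

    public static void main(String[] args) throws Exception {
        Path storePath = args.length > 0 ? Paths.get(args[0]) : locateCacerts();
        char[] storepass = args.length > 1 ? args[1].toCharArray() : DEFAULT_STOREPASS;

        // "JKS" matches the "Keystore type: JKS" shown on the page; on JDK 9 and
        // later the JKS and PKCS12 loaders detect and read each other's format.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(storePath)) {
            ks.load(in, storepass);
        }

        Date now = new Date();
        int total = 0, expired = 0, weak = 0, notCa = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;   // only trustedCertEntry entries
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            total++;

            boolean isExpired = x.getNotAfter().before(now);
            boolean isWeak = weakSignature(x);
            boolean isCa = x.getBasicConstraints() != -1;   // -1: no CA basic constraint
            if (isExpired) expired++;
            if (isWeak) weak++;
            if (!isCa) notCa++;

            System.out.printf("%-30s %s%n", alias, x.getSubjectX500Principal().getName());
            System.out.printf("    valid until %s  sig %s  %s%s%s%n",
                    x.getNotAfter(), x.getSigAlgName(),
                    isExpired ? "[EXPIRED] " : "",
                    isWeak ? "[WEAK-SIG] " : "",
                    isCa ? "" : "[NOT-CA] ");
            System.out.printf("    SHA256: %s%n", fingerprint("SHA-256", x));
        }
        System.out.printf("%n%d trusted entries in %s: %d expired, %d weak signature, %d without CA basic constraint%n",
                total, storePath, expired, weak, notCa);
    }
}
```

Compile and run with `javac CacertsAudit.java && java CacertsAudit` (or `java CacertsAudit /path/to/cacerts changeit`). The [WEAK-SIG] flag on a self-signed root such as the SHA1withRSA DigiCert entry above is informational only: a root is trusted because it is present in the store, not because of its own signature. The check that actually matters for trust-store integrity is comparing the printed SHA-256 fingerprints with the values the CA publishes, and removing roots your applications have no reason to trust.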
