Mister PKI

SSL Certificates * SSL Tools * Certificate Decoder

by Leave a Comment

What is Java keytool?

The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates. You can use the java keytool printcert command to print and view a certificate on a server or in a file. In many respects, the java keytool is a competing utility with openssl for keystore, key, and certificate management.

Why use the Java keytool to print certs (keytool -printcert), print CRLs (keytool -printcrl), or print CSRs (keytool -printcsr)?

You may want to print a certificate to see the PEM encoding in a human-readable format. The same for a certificate signing request or certificate revocation list. You may also wish to view the chain of certificates be returned on a server in which case you will use the -sslserver option.

What keytool command do I use to print a certificate in PEM format?

Use this command to print a certificate from a file:

keytool -printcert \
> -rfc \
> -file example.crt \
> -v

Use this command to print a certificate from a server:

keytool -printcert \
> -rfc \
> -sslserver example.com:443 \
> -v

-rfc – Print the certificate in PEM format.

-file – The filename of the certificate. Note that -file and -sslserver are to be used separately and not in the same command.

-sslserver – The host and port of the server. Note that -file and -sslserver are to be used separately and not in the same command.

-v – Verbose.

keytool printcert
keytool printcert

What keytool command do I use to print a Certificate Signing Request (CSR)?

keytool -printcertreq \
> -file example.csr \
> -v

See the above options section for a description of each flag.

What keytool command do I use to print a Certificate Revocation List (CRL)?

keytool -printcrl \
> -file example.crl \
> -v

See the above options section for a description of each flag.

Here are the official keytool docs to dive further into how to print a certificate, print a Certificate Revocation List or CRL, or print a Certificate Signing Request or CSR with java keytool. https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__DISPLAYDATA-507D2B01

Read all of our blog content.

Reader Interactions

Leave a Reply

Your email address will not be published.