Request for Comment: adding chain info to keytool -list
Weijun Wang
weijun.wang at oracle.com
Mon Jan 17 08:59:04 UTC 2011
Hi All
I have a keystore with a bunch of testing root CA, intermediate CA and
entity certs, some PrivateKeyEntry and some TrustedCertEntry, and it's
quite difficult to know who signs who. Therefore I suggest some
enhancement for the simple "keytool -list". (by simple, I mean no "-v").
The entry will look like:
user, Sep 6, 2007, PrivateKeyEntry, user - signer - rootca(self)
Here, "user - signer - bigca(self)" means the entry's cert chain has 3
certs, which matches aliases user, signer, and rootca in the same
keystore, and rootca is a self-signed cert.
When a cert is not inside this keystore, its distinguished name can be
printed, like this:
user, Sep 6, 2007, PrivateKeyEntry, user - signer - "CN=Root CA"(self)
Also, if the last cert is not self-signed, its signer can also be added
after "--", like this:
user, Sep 6, 2007, PrivateKeyEntry,
user - signer -- "CN=Another CA"(self)
Do you find this useful?
Thanks
Max
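As an added illustration, not code from the mail or from keytool itself, here is how the proposed summary could be computed over a java.security.KeyStore: each cert in an entry's chain is printed by alias when the keystore holds it and by quoted subject DN otherwise, "(self)" is appended only when the last cert actually verifies under its own key, and "--" introduces a signer found elsewhere in the keystore. The class name ChainSummary and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Hypothetical helper, not part of keytool: prints the chain summary proposed in the mail above for every entry.
public class ChainSummary {
    // Alias of the cert if this keystore holds it, otherwise its quoted subject DN.
    static String label(KeyStore ks, X509Certificate cert) throws Exception {
        String alias = ks.getCertificateAlias(cert);
        return alias != null ? alias : "\"" + cert.getSubjectX500Principal().getName() + "\"";
    }
    // Self-signed means issuer equals subject AND the signature verifies under the cert's own key.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return false;
        try { cert.verify(cert.getPublicKey()); return true; } catch (Exception e) { return false; }
    }
    // A keystore cert whose key actually verifies cert's signature; a matching issuer name alone is not proof.
    static X509Certificate findSigner(KeyStore ks, X509Certificate cert) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cand = (X509Certificate) c;
            if (!cand.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try { cert.verify(cand.getPublicKey()); return cand; } catch (Exception ignored) { }
        }
        return null;
    }
    // "user - signer - rootca(self)", or "user - signer -- \"CN=Another CA\"(self)" when the stored chain ends below a root.
    static String summarize(KeyStore ks, String alias) throws Exception {
        Certificate[] chain = ks.isKeyEntry(alias) ? ks.getCertificateChain(alias) : new Certificate[] { ks.getCertificate(alias) };
        if (chain == null || chain[0] == null) return "(no certificate)";   // e.g. a SecretKeyEntry
        StringBuilder sb = new StringBuilder();
        for (Certificate c : chain) sb.append(sb.length() == 0 ? "" : " - ").append(label(ks, (X509Certificate) c));
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        if (isSelfSigned(last)) return sb.append("(self)").toString();
        X509Certificate signer = findSigner(ks, last);
        if (signer != null) sb.append(" -- ").append(label(ks, signer)).append(isSelfSigned(signer) ? "(self)" : "");
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {   // usage: ChainSummary <keystore> <password>
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String type = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "TrustedCertEntry";   // SecretKeyEntry also counts as a key entry
            System.out.println(alias + ", " + ks.getCreationDate(alias) + ", " + type + ", " + summarize(ks, alias));
        }
    }
}
```

Matching only on issuer name before calling verify() is what keeps two CAs with the same DN from being confused in the output.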