Request for Comment: adding chain info to keytool -list

Xuelei Fan xuelei.fan at oracle.com
Tue Jan 18 01:26:07 UTC 2011


I would like to see an option to display the intuitive tree. For example:
$ keytool -list -tree -keystore ...
  + root CA alias
    + intermediate CA alias
      + entity cert 1 alias
      + entity cert 2 alias

Andrew

On 1/17/2011 4:59 PM, Weijun Wang wrote:
> Hi All
> 
> I have a keystore with a bunch of testing root CA, intermediate CA and
> entity certs, some PrivateKeyEntry and some TrustedCertEntry, and it's
> quite difficult to know who signs who. Therefore I suggest some
> enhancement for the simple "keytool -list". (by simple, I mean no "-v").
> 
> The entry will look like:
> 
>   user, Sep 6, 2007, PrivateKeyEntry, user - signer - rootca(self)
> 
> Here, "user - signer - bigca(self)" means the entry's cert chain has 3
> certs, which matches aliases user, signer, and rootca in the same
> keystore, and rootca is a self-signed cert.
> 
> When a cert is not inside this keystore, its distinguished name can be
> printed, like this:
> 
>   user, Sep 6, 2007, PrivateKeyEntry, user - signer - "CN=Root CA"(self)
> 
> Also, if the last cert is not self-signed, its signer can also be added
> after "--", like this:
> 
>   user, Sep 6, 2007, PrivateKeyEntry,
>                   user - signer -- "CN=Another CA"(self)
> 
> Do you find this useful?
> 
> Thanks
> Max
> 
> 
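As an added illustration of the chain annotation Max proposes (this is example code, not keytool's own implementation), the program below loads a keystore, maps every stored certificate back to its alias, and prints each entry as `alias, date, type, user - signer - rootca(self)`; certs not in the keystore are shown by DN, and a chain whose last cert is not self-signed gets its issuer appended after `--`. It assumes the keystore path and password are passed as the two command-line arguments, and it matches issuers by verifying the signature rather than by name alone, since two aliases can carry the same DN.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

// Added example, not keytool's own code. Assumes args[0] = keystore path, args[1] = password.
public class ChainList {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Index every certificate in the keystore by alias (X509Certificate equality is by encoding).
        Map<X509Certificate, String> aliasOf = new HashMap<>();
        for (String a : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(a);
            if (c instanceof X509Certificate) aliasOf.put((X509Certificate) c, a);
        }
        for (String a : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(a) ? "PrivateKeyEntry" : "TrustedCertEntry";
            Certificate[] chain = ks.getCertificateChain(a);   // null for TrustedCertEntry
            if (chain == null) chain = new Certificate[] { ks.getCertificate(a) };
            if (chain[0] == null) continue;                    // SecretKeyEntry: nothing to show
            System.out.println(a + ", " + ks.getCreationDate(a) + ", " + kind + ", " + describe(chain, aliasOf));
        }
    }

    // "user - signer - rootca(self)"; a non-self-signed tail gets " -- issuer" (alias if stored, else DN).
    static String describe(Certificate[] chain, Map<X509Certificate, String> aliasOf) {
        StringBuilder sb = new StringBuilder();
        X509Certificate last = null;
        for (Certificate c : chain) {
            last = (X509Certificate) c;
            sb.append(sb.length() == 0 ? "" : " - ").append(label(last, aliasOf));
        }
        if (verifies(last, last)) return sb.append("(self)").toString();
        for (Map.Entry<X509Certificate, String> e : aliasOf.entrySet()) {
            X509Certificate cand = e.getKey();   // issuer must both match by name and verify the signature
            if (cand.getSubjectX500Principal().equals(last.getIssuerX500Principal()) && verifies(last, cand))
                return sb.append(" -- ").append(e.getValue()).append(verifies(cand, cand) ? "(self)" : "").toString();
        }
        return sb.append(" -- \"").append(last.getIssuerX500Principal().getName()).append('"').toString();
    }

    static String label(X509Certificate x, Map<X509Certificate, String> aliasOf) {
        String alias = aliasOf.get(x);
        return alias != null ? alias : "\"" + x.getSubjectX500Principal().getName() + "\"";
    }

    // True when issuer's public key verifies cert's signature; verifies(x, x) is the self-signed test.
    static boolean verifies(X509Certificate cert, X509Certificate issuer) {
        try { cert.verify(issuer.getPublicKey()); return true; } catch (Exception e) { return false; }
    }
}
```

Run it as `java ChainList mykeystore.jks changeit`; a trusted root that is stored twice under different aliases will be labelled with whichever alias the map kept last, which is the same ambiguity keytool itself would face.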