Request for Comment: adding chain info to keytool -list

Xuelei Fan xuelei.fan at oracle.com
Tue Jan 18 01:45:27 UTC 2011


On 1/18/2011 9:40 AM, Weijun Wang wrote:
> You mean a tree of the whole keystore, but not chain for each entry. Right?
> 
Right.

Andrew

> Max
> 
> On 01/18/2011 09:26 AM, Xuelei Fan wrote:
>> I would like to see an option to display the intuitive tree. For example:
>> $ keytool -list -tree -keystore ...
>>    + root CA alias
>>      + intermediate CA alias
>>        + entity cert 1 alias
>>        + entity cert 2 alias
>>
>> Andrew
>>
>> On 1/17/2011 4:59 PM, Weijun Wang wrote:
>>> Hi All
>>>
>>> I have a keystore with a bunch of testing root CA, intermediate CA and
>>> entity certs, some PrivateKeyEntry and some TrustedCertEntry, and it's
>>> quite difficult to know who signs who. Therefore I suggest some
>>> enhancement for the simple "keytool -list". (by simple, I mean no "-v").
>>>
>>> The entry will look like:
>>>
>>>    user, Sep 6, 2007, PrivateKeyEntry, user - signer - rootca(self)
>>>
>>> Here, "user - signer - bigca(self)" means the entry's cert chain has 3
>>> certs, which matches aliases user, signer, and rootca in the same
>>> keystore, and rootca is a self-signed cert.
>>>
>>> When a cert is not inside this keystore, its distinguished name can be
>>> printed, like this:
>>>
>>>    user, Sep 6, 2007, PrivateKeyEntry, user - signer - "CN=Root
>>> CA"(self)
>>>
>>> Also, if the last cert is not self-signed, its signer can also be added
>>> after "--", like this:
>>>
>>>    user, Sep 6, 2007, PrivateKeyEntry,
>>>                    user - signer -- "CN=Another CA"(self)
>>>
>>> Do you find this useful?
>>>
>>> Thanks
>>> Max
>>>
>>>
>>
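As an added example (not keytool's code and not from anyone in this thread), the following Java program builds the keystore-wide "who signs whom" tree Andrew sketched. Each certificate is attached under the keystore entry whose public key actually verifies its signature, not merely the entry whose subject DN matches its issuer DN, so two entries with the same DN cannot be mistaken for one another. The keystore path and password on the command line are placeholders for whatever you test with.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

/*
 * Added example, not part of keytool or the JDK.
 * Assumed usage (path and password are placeholders):
 *   java KeyStoreTree mykeystore.jks changeit
 */
public class KeyStoreTree {

    // alias -> the entry's own certificate (chain[0] for key entries, the cert for trusted entries)
    static Map<String, X509Certificate> loadCerts(KeyStore ks) throws Exception {
        Map<String, X509Certificate> certs = new LinkedHashMap<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias); // null for TrustedCertEntry / SecretKeyEntry
            Certificate c = (chain != null && chain.length > 0) ? chain[0] : ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                certs.put(alias, (X509Certificate) c);
            }
        }
        return certs;
    }

    // True only if issuer's key verifies cert's signature; a matching issuer DN alone is not trusted.
    static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            return false;
        }
        try {
            cert.verify(issuer.getPublicKey());
            return true;
        } catch (Exception ex) {
            return false; // wrong key, unsupported algorithm or a corrupted signature
        }
    }

    // alias -> alias of the keystore entry that signed it (absent when self-signed or signer not present)
    static Map<String, String> signerMap(Map<String, X509Certificate> certs) {
        Map<String, String> signer = new HashMap<>();
        for (Map.Entry<String, X509Certificate> e : certs.entrySet()) {
            X509Certificate cert = e.getValue();
            if (signedBy(cert, cert)) {
                continue; // self-signed: a root of the tree
            }
            for (Map.Entry<String, X509Certificate> cand : certs.entrySet()) {
                if (!cand.getKey().equals(e.getKey()) && signedBy(cert, cand.getValue())) {
                    signer.put(e.getKey(), cand.getKey());
                    break;
                }
            }
        }
        return signer;
    }

    // Print alias at the given depth, then every entry it signed, recursively.
    static void printSubtree(String alias, String suffix, Map<String, String> signer,
                             Set<String> seen, int depth) {
        StringBuilder line = new StringBuilder();
        for (int i = 0; i < depth; i++) {
            line.append("  ");
        }
        System.out.println(line.append("+ ").append(alias).append(suffix));
        seen.add(alias);
        for (Map.Entry<String, String> e : signer.entrySet()) {
            if (alias.equals(e.getValue()) && !seen.contains(e.getKey())) {
                printSubtree(e.getKey(), "", signer, seen, depth + 1);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args.length > 1 ? args[1].toCharArray() : null);
        }
        Map<String, X509Certificate> certs = loadCerts(ks);
        Map<String, String> signer = signerMap(certs);
        Set<String> seen = new HashSet<>();
        for (Map.Entry<String, X509Certificate> e : certs.entrySet()) {
            String alias = e.getKey();
            X509Certificate c = e.getValue();
            if (signer.containsKey(alias)) {
                continue; // not a root: it is printed under its signer
            }
            if (signedBy(c, c)) {
                printSubtree(alias, " (self)", signer, seen, 0);
            } else {
                // Signer is not in this keystore: show its DN, as in Max's proposed format
                System.out.println("+ \"" + c.getIssuerX500Principal().getName() + "\" (not in keystore)");
                printSubtree(alias, "", signer, seen, 1);
            }
        }
        for (String alias : certs.keySet()) {
            if (!seen.contains(alias)) {
                System.out.println("? " + alias + " (cross-signed loop, reachable from no root)");
            }
        }
    }
}
```

Note that this deliberately ignores the chain stored with each PrivateKeyEntry beyond chain[0]: the tree is derived only from certificates that are themselves entries in the keystore, which is the keystore-wide view Andrew asked for rather than the per-entry chain in Max's "user - signer - rootca(self)" line. Entries whose signature cannot be verified with any entry's key (including a self-signature that fails to verify) are shown under their issuer DN as "not in keystore", which also makes a tampered or mis-imported certificate stand out.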
