Request for Comment: adding chain info to keytool -list
Weijun Wang
weijun.wang at oracle.com
Wed Jan 19 09:34:26 UTC 2011
Oh, I have a design now. keytool -list -tree will show:
******************************************
* Chained entries
******************************************
b, PrivateKeyEntry
+ h, PrivateKeyEntry
+ f, PrivateKeyEntry
+ i, PrivateKeyEntry
[ca], TrustedCertificateEntry
+ "CN=j"
+ k, PrivateKeyEntry
"CN=a"
+ e, PrivateKeyEntry
+ d, PrivateKeyEntry
+ g, TrustedCertificateEntry
Non self signed:
+ "CN=l"
+ m, PrivateKeyEntry
******************************************
* Other entries:
******************************************
x, SecretKeyEntry
which means:
1. b signs h, h signs f and i. b, h, i, and f are aliases in this keystore.
2. [ca] is not in this keystore, but in cacerts.
3. "CN=j" is neither in this keystore nor in cacerts
4. b, [ca] and "CN=a" are all self-signed certs, which are listed at top
level of the tree. "CN=l" is not a self-signed cert, so it's listed
under "Not self signed". But we still know "CN=l" signs m.
5. x is a SecretKeyEntry so not put inside chained entries.
Any suggestions?
Thanks
Max
On 01/18/2011 09:45 AM, Xuelei Fan wrote:
> On 1/18/2011 9:40 AM, Weijun Wang wrote:
>> You mean a tree of the whole keystore, but not chain for each entry. Right?
>>
> Right.
>
> Andrew
>
>> Max
>>
>> On 01/18/2011 09:26 AM, Xuelei Fan wrote:
>>> I would like to see a option to display the intuitive tree. For example:
>>> $ keytool -list -tree -keystore ...
>>> + root CA alias
>>> + intermediate CA alias
>>> + entity cert 1 alias
>>> + entity cert 2 alias
>>>
>>> Andrew
>>>
>>> On 1/17/2011 4:59 PM, Weijun Wang wrote:
>>>> Hi All
>>>>
>>>> I have a keystore with a bunch of testing root CA, intermediate CA and
>>>> entity certs, some PrivateKeyEntry and some TrustedCertEntry, and it's
>>>> quite difficult to know who signs whom. Therefore I suggest some
>>>> enhancement for the simple "keytool -list". (by simple, I mean no "-v").
>>>>
>>>> The entry will look like:
>>>>
>>>> user, Sep 6, 2007, PrivateKeyEntry, user - signer - rootca(self)
>>>>
>>>> Here, "user - signer - bigca(self)" means the entry's cert chain has 3
>>>> certs, which matches aliases user, signer, and rootca in the same
>>>> keystore, and rootca is a self-signed cert.
>>>>
>>>> When a cert is not inside this keystore, its distinguished name can be
>>>> printed, like this:
>>>>
>>>> user, Sep 6, 2007, PrivateKeyEntry, user - signer - "CN=Root CA"(self)
>>>>
>>>> Also, if the last cert is not self-signed, its signer can also be added
>>>> after "--", like this:
>>>>
>>>> user, Sep 6, 2007, PrivateKeyEntry,
>>>> user - signer -- "CN=Another CA"(self)
>>>>
>>>> Do you find this useful?
>>>>
>>>> Thanks
>>>> Max
>>>>
>>>>
>>>
>
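As an added illustration (not keytool's code and not part of the thread), here is a small Python model of the -tree grouping Max sketches at the top of this message, run over a constructed keystore; the entry tuples, the `chain` helper and all DNs and aliases are assumptions made for the example:

```python
def chain(*dns, root=True):
    """Constructed chain walking up the DNs; root=True adds the self-signed top cert."""
    return list(zip(dns, dns[1:])) + ([(dns[-1], dns[-1])] if root else [])

def list_tree(keystore, cacerts):
    """keystore: [(alias, kind, chain)], chain=[(subject DN, issuer DN), ...] entity cert
    first, [] for SecretKeyEntry; cacerts: {alias: (subject DN, issuer DN)}. Returns lines."""
    alias_of = {certs[0][0]: f"{alias}, {kind}" for alias, kind, certs in keystore if certs}
    ca_alias = {subj: alias for alias, (subj, _) in cacerts.items()}
    issuer_of = {}
    for subj, iss in [c for _, _, certs in keystore for c in certs] + list(cacerts.values()):
        issuer_of.setdefault(subj, iss)           # first cert seen for a DN wins
    kids = {}
    for subj, iss in issuer_of.items():
        if iss != subj:                           # self-signed certs are their own issuer
            kids.setdefault(iss, []).append(subj)
    def label(dn):                                # keystore alias > cacerts alias > bare DN
        if dn in alias_of:
            return alias_of[dn]
        return f"[{ca_alias[dn]}], TrustedCertificateEntry" if dn in ca_alias else f'"{dn}"'
    def emit(dn, depth):
        out.append("  " * depth + ("+ " if depth else "") + label(dn))
        for child in sorted(kids.get(dn, [])):
            emit(child, depth + 1)
    out = ["* Chained entries"]
    for dn in sorted(d for d, i in issuer_of.items() if i == d):     # self-signed roots on top
        emit(dn, 0)
    # issuers we never saw a cert for: the top of their chain is not self-signed
    dangling = sorted({i for i in issuer_of.values() if i not in issuer_of})
    if dangling:
        out.append("Non self signed:")
        for dn in dangling:
            emit(dn, 1)
    out.append("* Other entries:")
    out += [f"{alias}, {kind}" for alias, kind, certs in keystore if not certs]
    return out

# Constructed keystore mirroring the sketch: b signs h, h signs f; ca (cacerts only) signs
# "CN=j" which signs k; "CN=a" (no entry anywhere) signs e and g; m's issuer "CN=l" is absent.
KEYSTORE = [
    ("b", "PrivateKeyEntry", chain("CN=b")),
    ("h", "PrivateKeyEntry", chain("CN=h", "CN=b")),
    ("f", "PrivateKeyEntry", chain("CN=f", "CN=h", "CN=b")),
    ("k", "PrivateKeyEntry", chain("CN=k", "CN=j", "CN=ca")),
    ("e", "PrivateKeyEntry", chain("CN=e", "CN=a")),
    ("g", "TrustedCertificateEntry", chain("CN=g", "CN=a", root=False)),
    ("m", "PrivateKeyEntry", chain("CN=m", "CN=l", root=False)),
    ("x", "SecretKeyEntry", []),
]
CACERTS = {"ca": ("CN=ca", "CN=ca")}
```

Printing `"\n".join(list_tree(KEYSTORE, CACERTS))` reproduces the three sections of the sketch, with aliases, `[cacerts alias]` and bare `"CN=..."` labels chosen by where each cert was found.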