Printing Certificate Data

The print-certificate asadmin subcommand prints legible, detailed information about SSL certificate and key entries. The output of the standard keytool utility is not standardized (in particular, it prints distinguished names in the older RFC 1779 style), so this command is recommended instead: it prints the certificate’s distinguished names in RFC 2253 format, which is the format the Payara Platform itself uses. The printed subject can therefore be used directly, for example in principal and role mappings for client certificate authentication.

The command supports only X.509 certificates stored in files with one of the following extensions:

  • Keystore formats: .p12, .pkcs12, .pfx, .jks, .jceks

  • PEM or DER encoded certificates: .cer, .cert, .crt, .der, .pem

If the file contains more than one certificate, the command prints only the first one.

Usage

print-certificate is an offline command: it does not need a running domain or server instance as its target. It prints the data of the selected certificate, with distinguished names in RFC 2253 format.

The command prints the following details:

  1. Subject’s distinguished name (DN)

  2. Validity dates

  3. Serial number

  4. Version

  5. Issuer’s distinguished name (DN)

  6. Public key’s algorithm and size

  7. Signature algorithm, including its OID

The command fails in any of the following cases:

  1. The file cannot be read (permission issues or I/O errors)

  2. The file extension is not supported by the command

  3. The file type is not supported by the JDK

  4. The keystore password is not correct

  5. The keystore does not contain a certificate entry under the given alias

  6. The certificate type is not supported

Configuration

The following configuration options are available to the command:

Name             | Type   | Description                                                                   | Default | Mandatory
-----------------|--------|-------------------------------------------------------------------------------|---------|-------------------------
Operand          | File   | File containing the certificate                                               |         | true
certificatealias | String | If the file is a keystore, this is an alias used to access the certificate    |         | true, for keystore files
providerclass    | Class  | Custom java.security.Provider class to be preferred in this command execution |         | false

Examples

DER/PEM Encoded Certificate

Here’s an example of printing a DER encoded certificate file containing one entry:

asadmin print-certificate ./certificate.der

Found Certificate:
Subject:    UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ
Validity:   Thu Aug 01 02:00:00 CEST 2019 - Fri Aug 02 02:00:00 CEST 2019
S/N:        1
Version:    3
Issuer:     UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ
Public Key: RSA, 2048 bits
Sign. Alg.: SHA256withRSA (OID: 1.2.840.113549.1.1.11)
Command print-certificate executed successfully.
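To make concrete what "RFC 2253 format" means for the Subject and Issuer lines above, here is an added example in Go. It is not part of Payara or of this command; it is a stand-alone renderer that produces the DN the same way: RDNs in reverse encoding order, the values of one multi-valued RDN joined with `+`, reserved characters escaped with a backslash (note `OU=Test Test\, Test` above) and attribute types without a keyword written as `OID=#hex`. The self-signed certificate it builds is constructed input whose subject mirrors the first sample, on the assumption that keytool encodes the RDNs in the order they were typed; the keyword table adds EMAILADDRESS and UID so the result matches the page’s samples rather than the bare RFC 2253 keyword set. It deliberately reads the raw DER Name instead of calling Go’s pkix.Name.String(), which re-sorts well-known attributes into a fixed order and can therefore produce a string that differs from what this command prints.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Attribute types written by keyword; anything else becomes "<oid>=#<hex>" (RFC 2253 s.2.3).
// EMAILADDRESS and UID are included so the output matches the samples on this page.
var keywords = map[string]string{
	"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
	"0.9.2342.19200300.100.1.1": "UID", "1.2.840.113549.1.9.1": "EMAILADDRESS",
}

// Raw ASN.1 view of a Name: the "SET" suffix makes encoding/asn1 decode each RDN as a SET,
// and RawValue keeps each value's tag and exact bytes.
type ava struct {
	Type  asn1.ObjectIdentifier
	Value asn1.RawValue
}
type rdnSET []ava
type rdnSequence []rdnSET

// EscapeRFC2253 escapes the characters RFC 2253 section 2.4 reserves in a value.
func EscapeRFC2253(v string) string {
	rs, b := []rune(v), strings.Builder{}
	for i, r := range rs {
		if strings.ContainsRune(`,+"\<>;`, r) || (r == '#' && i == 0) ||
			(r == ' ' && (i == 0 || i == len(rs)-1)) {
			b.WriteRune('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// FormatDN renders a DER-encoded Name per RFC 2253: RDNs in reverse encoding order, values
// of a multi-valued RDN joined by '+'. It reads the raw encoding because pkix.Name.String()
// re-sorts well-known attributes into a fixed order and so need not match what Payara prints.
func FormatDN(raw []byte) (string, error) {
	var seq rdnSequence
	if rest, err := asn1.Unmarshal(raw, &seq); err != nil || len(rest) != 0 {
		return "", fmt.Errorf("malformed Name: %v", err)
	}
	var rdns []string
	for i := len(seq) - 1; i >= 0; i-- {
		var avas []string
		for _, a := range seq[i] {
			oid, tag := a.Type.String(), a.Value.Tag
			text := tag == asn1.TagPrintableString || tag == asn1.TagUTF8String || tag == asn1.TagIA5String
			if kw, ok := keywords[oid]; ok && text {
				avas = append(avas, kw+"="+EscapeRFC2253(string(a.Value.Bytes)))
			} else {
				avas = append(avas, oid+"=#"+hex.EncodeToString(a.Value.FullBytes))
			}
		}
		rdns = append(rdns, strings.Join(avas, "+"))
	}
	return strings.Join(rdns, ","), nil
}

// SelfSignedTestCertificate is constructed input: a self-signed certificate whose subject
// mirrors the page's first sample. ExtraNames are encoded in the order given, as keytool
// writes them, so RFC 2253 rendering reverses them.
func SelfSignedTestCertificate() (*x509.Certificate, error) {
	oid := func(s ...int) asn1.ObjectIdentifier { return s }
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		Subject: pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oid(2, 5, 4, 6), Value: "CZ"}, {Type: oid(2, 5, 4, 7), Value: "Pilsen"},
			{Type: oid(2, 5, 4, 10), Value: "Payara Foundation"},
			{Type: oid(2, 5, 4, 11), Value: "Test Test, Test"}, // the comma must be escaped
			{Type: oid(2, 5, 4, 3), Value: "PrintCertificateCommandTest"},
			{Type: oid(1, 2, 840, 113549, 1, 9, 1), Value: "nobody@nowhere.space"},
			{Type: oid(0, 9, 2342, 19200300, 100, 1, 1), Value: "LDAP-Test"},
		}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := SelfSignedTestCertificate()
	if err != nil {
		panic(err)
	}
	fmt.Println(FormatDN(cert.RawSubject)) // the exact string to paste into a principal or role mapping
}
```

Run it with go run; the subject it prints is identical to the one in the sample output above. The practical check this gives you: a DN string you intend to use in a principal or role mapping must match Payara’s RFC 2253 rendering character for character, and a DN copied from a tool that uses RFC 1779 order (`C=CZ, L=Pilsen, ...`) or different escaping will not.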

Keystore

Here’s an example of printing a specific certificate, selected by its alias, from a PKCS#12 (.p12) keystore. The command prompts for the keystore password:

asadmin print-certificate --certificatealias s1as ./keystore.p12

Keystore Password>
Found Certificate:
Subject:    CN=localhost,OU=Payara,O=Payara Foundation,L=Great Malvern,ST=Worcestershire,C=UK
Validity:   Tue Aug 06 14:06:14 CEST 2019 - Fri Aug 03 14:06:14 CEST 2029
S/N:        886895448
Version:    3
Issuer:     CN=localhost,OU=Payara,O=Payara Foundation,L=Great Malvern,ST=Worcestershire,C=UK
Public Key: RSA, 2048 bits
Sign. Alg.: SHA256withRSA (OID: 1.2.840.113549.1.1.11)
Command print-certificate executed successfully.

Alternative Provider

It is possible to plug in a different java.security.Provider implementation, which can change the output of the print-certificate command. In this example we use the BouncyCastle library, which leads to one visible difference: the signature algorithm name is printed in uppercase (SHA256WITHRSA rather than SHA256withRSA).

# Copy the library to the asadmin lib directory first
cp .../bcprov-jdk15on-1.62.jar .../payara5/glassfish/lib/asadmin/

# Then run the command
asadmin print-certificate --providerclass org.bouncycastle.jce.provider.BouncyCastleProvider ./certificate.der

Found Certificate:
Subject:    UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ
Validity:   Thu Aug 01 02:00:00 CEST 2019 - Fri Aug 02 02:00:00 CEST 2019
S/N:        1
Version:    3
Issuer:     UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ
Public Key: RSA, 2048 bits
Sign. Alg.: SHA256WITHRSA (OID: 1.2.840.113549.1.1.11)
Command print-certificate executed successfully.

The asadmin command has its own classpath, so you first need to add the provider’s library to the asadmin utility’s classpath, as shown above. Only place libraries you trust there: any class on that classpath is loaded and run with the privileges of the user invoking asadmin.