Printing Certificate Data
Since Payara Server 5.193
The print-certificate is an offline command that prints data of the selected certificate.
The main reason for this command is that keytool output and especially distinguished names are not standardized - usually they use RFC 1779.
This command prints the certificate’s distinguished name in RFC 2253 format, which is used in Payara, so it can be directly used for role mapping when using client certificate authentication, for example:
<principal-name>CN=My Client,OU=Payara,O=Payara Foundation,L=Great Malvern,ST=Worcestershire,C=UK</principal-name>
Beside this the command prints other useful data about the certificate: - validity dates - serial number - version - issuer’s distinguished name - public key algorithm and size - signature algorithm including OID
The command supports only X.509 certificates in files with the following extensions: - keystores: p12, pkcs12, pfx, jks, jceks - PEM or DER encoded certificates: cer, cert, crt, der, pem
The further requirement is also the JVM support of the file type.
If the file contains more certificates, the command prints only the first one.
Usage
Options
| Type | Description | Default | Mandatory | |
|---|---|---|---|---|
file |
File |
File containing the certificate |
Yes |
|
certificatealias |
String |
If the file is a keystore, this is an alias used to access the certificate |
Only for keystore files |
|
providerclass |
Class |
Custom java.security.Provider class to be preferred in this command execution. |
No |
Errors
The command prints an error if - the file could not be read - the file extension is not supported by the command - the file type is not supported by the the JDK - the keystore password was not correct - the keystore does not contain certificate under the given alias - the certificate type is not supported
Examples
DER/PEM Encoded Certificate
This command prints the certificate:
asadmin print-certificate ./certificate.der Found Certificate: Subject: UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ Validity: Thu Aug 01 02:00:00 CEST 2019 - Fri Aug 02 02:00:00 CEST 2019 S/N: 1 Version: 3 Issuer: UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ Public Key: RSA, 2048 bits Sign. Alg.: SHA256withRSA (OID: 1.2.840.113549.1.1.11) Command print-certificate executed successfully.
Keystore
The following command asks for the password and prints the certificate:
asadmin print-certificate --certificatealias s1as ./keystore.p12 Keystore Password> Found Certificate: Subject: CN=localhost,OU=Payara,O=Payara Foundation,L=Great Malvern,ST=Worcestershire,C=UK Validity: Tue Aug 06 14:06:14 CEST 2019 - Fri Aug 03 14:06:14 CEST 2029 S/N: 886895448 Version: 3 Issuer: CN=localhost,OU=Payara,O=Payara Foundation,L=Great Malvern,ST=Worcestershire,C=UK Public Key: RSA, 2048 bits Sign. Alg.: SHA256withRSA (OID: 1.2.840.113549.1.1.11) Command print-certificate executed successfully.
Alternative Provider
Different providers can provide alternative certificate management, which can lead to differing outputs. In this example, we use the BouncyCastle library, which leads to one difference: uppercased signature algorithm name.
The asadmin command has it’s own classpath, so first you need to add the provider here.
cp .../bcprov-jdk15on-1.62.jar .../payara5/glassfish/lib/asadmin/ asadmin print-certificate --providerclass org.bouncycastle.jce.provider.BouncyCastleProvider ./certificate.der Found Certificate: Subject: UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ Validity: Thu Aug 01 02:00:00 CEST 2019 - Fri Aug 02 02:00:00 CEST 2019 S/N: 1 Version: 3 Issuer: UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ Public Key: RSA, 2048 bits Sign. Alg.: SHA256WITHRSA (OID: 1.2.840.113549.1.1.11) Command print-certificate executed successfully.