Printing Certificate Data
The print-certificate asadmin subcommand prints legible, detailed information about one or more SSL certificate and key entries.
Since the output generated by the standard keytool utility is not standardized (especially distinguished names, which it usually prints in RFC 1779 format), it is recommended to use this command instead.
This command prints the certificate’s distinguished name in RFC 2253 format, which is used by the Payara Platform, so it can be directly used for principal and role mappings when using client certificate authentication, for example.
The command supports only X.509 certificate files with the following extensions:
- Keystore formats: .p12, .pkcs12, .pfx, .jks, .jceks
- PEM or DER encoded certificates: .cer, .cert, .crt, .der, .pem
If the file contains more than one certificate, the command prints only the first one.
Usage
The print-certificate subcommand is an offline command (it doesn’t need a running domain or server instance as target) that prints the data of a selected certificate, with distinguished names in RFC 2253 format.
The command prints the following details:
- Validity dates
- Serial number
- Version
- Issuer’s distinguished name (DN)
- Public key’s algorithm and size
- Signature algorithm, including its OID
The command fails in any of the following cases:
- The file cannot be read (permission issues or I/O errors)
- The file extension is not supported by the command
- The file type is not supported by the JDK
- The keystore password is not correct
- The keystore does not contain a certificate entry under the given alias
- The certificate type is not supported
See the print-certificate entry in the Command Reference for a full description of the command and its options.
Examples
DER/PEM Encoded Certificate
Here is an example that prints a DER-encoded certificate file containing one entry:
asadmin print-certificate ./certificate.der
Found Certificate:
Subject: UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ
Validity: Thu Aug 01 02:00:00 CEST 2019 - Fri Aug 02 02:00:00 CEST 2019
S/N: 1
Version: 3
Issuer: UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ
Public Key: RSA, 2048 bits
Sign. Alg.: SHA256withRSA (OID: 1.2.840.113549.1.1.11)
Command print-certificate executed successfully.
Keystore
Here is an example that prints a specific certificate entry from a PKCS12 (.p12) keystore:
asadmin print-certificate --certificatealias s1as ./keystore.p12
Keystore Password>
Found Certificate:
Subject: CN=localhost,OU=Payara,O=Payara Foundation,L=Great Malvern,ST=Worcestershire,C=UK
Validity: Tue Aug 06 14:06:14 CEST 2019 - Fri Aug 03 14:06:14 CEST 2029
S/N: 886895448
Version: 3
Issuer: CN=localhost,OU=Payara,O=Payara Foundation,L=Great Malvern,ST=Worcestershire,C=UK
Public Key: RSA, 2048 bits
Sign. Alg.: SHA256withRSA (OID: 1.2.840.113549.1.1.11)
Command print-certificate executed successfully.
Alternative Provider
It is possible to plug in a different java.security.Provider implementation to get different output from the print-certificate command.
In this example, we use the BouncyCastle third-party security provider, which leads to one visible difference: the signature algorithm’s name is printed in uppercase (SHA256WITHRSA instead of SHA256withRSA).
#Copy the library to the asadmin lib directory first
cp bcprov-jdk15on-1.62.jar ./payara6/glassfish/lib/asadmin/
#Then run the command
asadmin print-certificate --providerclass org.bouncycastle.jce.provider.BouncyCastleProvider ./certificate.der
Found Certificate:
Subject: UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ
Validity: Thu Aug 01 02:00:00 CEST 2019 - Fri Aug 02 02:00:00 CEST 2019
S/N: 1
Version: 3
Issuer: UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,CN=PrintCertificateCommandTest,OU=Test Test\, Test,O=Payara Foundation,L=Pilsen,C=CZ
Public Key: RSA, 2048 bits
Sign. Alg.: SHA256WITHRSA (OID: 1.2.840.113549.1.1.11)
Command print-certificate executed successfully.
The asadmin utility has its own classpath, so you first need to add the provider’s library to that classpath, as shown above.
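As an added example (not part of the Payara documentation or code base), the following Java 17+ program reproduces the fields the command prints, rendering subject and issuer through X500Principal in RFC 2253 form, and follows the same extension rule for keystore versus DER/PEM files listed above. Run without arguments, it renders the subject DN of the DER example in both RFC 1779 (the keytool-style format) and RFC 2253, which is the difference that matters when the DN is used for principal and role mapping. The class name CertInfo, the argument layout and the OID-to-keyword map are the example’s own choices; the command itself may format attribute keywords differently.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

public class CertInfo {
    // Keywords for attributes the JDK would otherwise print as dotted OIDs (in one or both DN formats).
    static final Map<String, String> OID_MAP = Map.of(
        "1.2.840.113549.1.9.1", "EMAILADDRESS", "0.9.2342.19200300.100.1.1", "UID");

    // Same file-type rule as the command: keystore extensions go through KeyStore, anything else through
    // CertificateFactory, which reads both DER and PEM input and returns only the first certificate.
    static X509Certificate load(String path, String alias, char[] password) throws Exception {
        String type = switch (path.substring(path.lastIndexOf('.') + 1).toLowerCase()) {
            case "p12", "pkcs12", "pfx" -> "PKCS12";
            case "jks" -> "JKS";
            case "jceks" -> "JCEKS";
            default -> null;                                   // .cer .cert .crt .der .pem
        };
        try (InputStream in = new FileInputStream(path)) {
            if (type == null) return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            if (alias == null) throw new IllegalArgumentException("a keystore file needs a certificate alias");
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);                             // a wrong password fails here with an IOException
            if (ks.getCertificate(alias) instanceof X509Certificate x) return x;
            throw new IllegalArgumentException("no X.509 certificate entry under alias " + alias);
        }
    }

    // Same fields as the command output; key size is derived from the modulus for RSA keys.
    static String describe(X509Certificate cert) {
        String size = cert.getPublicKey() instanceof RSAPublicKey rsa ? rsa.getModulus().bitLength() + " bits" : "n/a";
        return String.format("Subject: %s%nValidity: %s - %s%nS/N: %s%nVersion: %d%nIssuer: %s%nPublic Key: %s, %s%nSign. Alg.: %s (OID: %s)",
            cert.getSubjectX500Principal().getName(X500Principal.RFC2253, OID_MAP), cert.getNotBefore(), cert.getNotAfter(),
            cert.getSerialNumber(), cert.getVersion(), cert.getIssuerX500Principal().getName(X500Principal.RFC2253, OID_MAP),
            cert.getPublicKey().getAlgorithm(), size, cert.getSigAlgName(), cert.getSigAlgOID());
    }

    // Usage: java CertInfo <file> [alias] [keystore password]; with no arguments only the DN formats are compared.
    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            X500Principal dn = new X500Principal("UID=LDAP-Test,EMAILADDRESS=nobody@nowhere.space,"
                + "CN=PrintCertificateCommandTest,OU=Test Test\\, Test,O=Payara Foundation,L=Pilsen,C=CZ");
            System.out.println("RFC 1779 (keytool style): " + dn.getName(X500Principal.RFC1779, OID_MAP));
            System.out.println("RFC 2253 (Payara):        " + dn.getName(X500Principal.RFC2253, OID_MAP));
            return;
        }
        char[] pw = args.length > 2 ? args[2].toCharArray() : null;
        System.out.println(describe(load(args[0], args.length > 1 ? args[1] : null, pw)));
    }
}
```

In the RFC 1779 rendering the attributes are separated by ", " and a value containing a comma is quoted, whereas the RFC 2253 rendering uses bare "," separators and backslash escaping, which is why a DN copied from keytool output will not match a Payara principal mapping.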