42

Is there a way in keytool to print the public key of a certificate? I tried:

keytool -printcert -file client.crt

But it gives only the following information:

Owner: CN=client, OU=as, O=as, L=as, ST=as, C=as
Issuer: EMAILADDRESS=as, CN=ca, OU=as, O=as, L=as, ST=as, C=as
Serial number: 3
Valid from: Tue Apr 10 12:18:47 GMT+05:30 2012 until: Wed Apr 10 12:18:47 GMT+05
:30 2013
Certificate fingerprints:
         MD5:  26:C0:29:E9:8C:AB:C3:9E:95:38:74:8A:87:D3:86:8D
         SHA1: 5C:5A:BA:47:44:83:7E:CB:48:BE:DD:E5:39:51:24:42:C6:C5:60:8B
         SHA256: DA:26:B8:C8:F4:04:3E:62:F3:7F:3B:EC:1D:9F:85:66:28:00:45:55:66:
15:FF:BB:37:77:97:59:F0:EC:0B:B6
         Signature algorithm name: SHA1withRSA
         Version: 1

There is no public key in this.

tshepang
Ashwin
  • 1
    There is a way to use keytool with the -list option to do this, but the accepted answer says to use openssl. Please refer to the answer by Vlad Sankin below. – Nish Jan 19 '16 at 13:27

5 Answers

72

You can do it with:

keytool -list -rfc -keystore mykeystore.jks -alias certificate_alias -storepass password

Example run:

PS c:\sample> keytool -list -rfc -keystore mykeystore.jks -alias cert_alias -storepass password
Alias name: cert_alias
Creation date: Apr 25, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Vlad Sankin
  • 2
    assuming openssl is not available and to answer the actual question (how to use keytool to print public key part). – Vlad Sankin Apr 25 '14 at 20:59
  • 14
    The question asked how to print the public key of the certificate. This output is the PEM encoded representation of the entire certificate. Public Key output would start with '-----BEGIN PUBLIC KEY-----' – Peter Long Nov 04 '14 at 14:29
  • 10
    2 years later I now realize @VladSankin was just describing how to get the certificate as a precursor to using openssl to extract the public key from it. So building on the accepted answer you could do something like `keytool -list -rfc -keystore mykeystore.jks -alias cert_alias -storepass password | openssl x509 -inform pem -pubkey -noout | openssl rsa -pubin -text -noout` – Peter Long Jul 19 '16 at 19:47
  • 1
    Why is the sample saying `PrivateKeyEntry` ? Is it the private key? – Kirill G. Sep 08 '16 at 07:05
  • 1
    It would be wonderful if you mention the documentation and purpose of -rfc argument of keytool – rogue lad Aug 23 '17 at 14:30
  • 1
    `-rfc` tells `keytool` to write the output certificate in `Base 64 encoding` form described in `RFC 1421 Certificate Encoding Standard` – David Oct 25 '19 at 04:10
  • thank you! `-rfc` looks like the option I am wanting – asgs Jul 29 '20 at 16:11
36

You can do that with openssl.

If this certificate is DER-encoded (binary), use:

openssl x509 -inform der -in client.crt -pubkey -noout

For PEM-encoded, use the -inform pem option (or no -inform at all).

To see details of public key, use:

openssl x509 -inform der -in client.crt -pubkey -noout | openssl rsa -pubin -text -noout
Grzegorz Grzybek
  • 1
    thanks for the answer. I am able to see the public key. But is there any way to do it in keytool? – Ashwin Apr 11 '12 at 11:45
  • There is a way to use keytool with the -list option to print, please refer to the answer from @Vlad Sankin – Nish Jan 19 '16 at 13:26
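
Added example (not part of any answer on this page): a POSIX shell helper that accepts a DER file, a PEM file, or saved `keytool -list -rfc` output, and extracts the public key with the `openssl x509 -pubkey -noout` call from the answers. It goes beyond the RSA case in the question by using `openssl pkey`, which reads any key type where `openssl rsa` reads only RSA keys. The function names, file names and the throwaway EC key with its self-signed certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example; function and file names are illustrative assumptions.

# Print a certificate's public key (SubjectPublicKeyInfo) as PEM.
# Input may be DER, PEM, or `keytool -list -rfc` output (text, then a PEM block).
cert_pubkey() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -inform pem -in "$1" -pubkey -noout
    else
        openssl x509 -inform der -in "$1" -pubkey -noout
    fi
}

# SHA-256 of the DER-encoded public key: a short value for checking that
# two certificates (or a certificate and a private key) carry the same key.
pubkey_sha256() {
    cert_pubkey "$1" | openssl pkey -pubin -outform der |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Constructed sample input: a throwaway EC key and self-signed certificate,
# written to directory $1 as PEM, DER, and keytool-style text plus PEM.
make_samples() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" &&
    openssl req -x509 -new -key "$1/key.pem" -subj "/CN=client" -days 1 \
        -out "$1/client.pem" &&
    openssl x509 -in "$1/client.pem" -outform der -out "$1/client.crt" &&
    { echo "Alias name: cert_alias"; echo "Certificate[1]:"
      cat "$1/client.pem"; } > "$1/rfc.txt"
}

dir=$(mktemp -d)
make_samples "$dir"
cert_pubkey "$dir/client.crt"                                     # PEM public key
cert_pubkey "$dir/client.crt" | openssl pkey -pubin -text -noout  # key details
pubkey_sha256 "$dir/rfc.txt"                                      # same key, other encoding
rm -rf "$dir"
```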
13

You can print the cert in PEM format, then use openssl to print the public key from the PEM format.

  1. add -rfc option to -printcert

    keytool -printcert -rfc -file client.crt

  2. save the output like below to a file client.pem

    -----BEGIN CERTIFICATE-----
    MIIB4zCCAUygAwIBAgIIRzI14w7rL20wDQYJKoZIhvcNAQENBQAwMzELMAkGA1UEBhMCVVMxDTAL

    ......

    -----END CERTIFICATE-----

  3. then use openssl

    openssl x509 -inform pem -text -in client.pem

So you got the public key.

byron he
8

Keytool list rfc just prints the base64-encoded version of the whole certificate, not the public key. Keytool doesn't support printing the public key of a certificate. We can use openssl for this purpose.

Mouser
Hemanth AVS
0
keytool -export -alias myalias -keystore mystore.jks  | openssl x509 -inform der -pubkey -noout
Maik