Oh, I have a design now. keytool -list -tree will show:

******************************************
* Chained entries
******************************************
b, PrivateKeyEntry
  + h, PrivateKeyEntry
    + f, PrivateKeyEntry
    + i, PrivateKeyEntry
[ca], TrustedCertificateEntry
  + "CN=j"
    + k, PrivateKeyEntry
"CN=a"
  + e, PrivateKeyEntry
  + d, PrivateKeyEntry
    + g, TrustedCertificateEntry
Non self signed:
  + "CN=l"
    + m, PrivateKeyEntry
******************************************
* Other entries:
******************************************
x, SecretKeyEntry

which means:

1. b signs h, h signs f and i. b, h, i, and f are aliases in this keystore.

2. [ca] is not in this keystore, but in cacerts.

3. "CN=j" is neither in this keystore nor in cacerts

4. b, [ca] and "CN=a" are all self-signed certs, which are listed at the top level of the tree. "CN=l" is not a self-signed cert, so it's listed under "Non self signed". But we still know "CN=l" signs m.

5. x is a SecretKeyEntry so not put inside chained entries.

Any suggestions?

Thanks
Max

On 01/18/2011 09:45 AM, Xuelei Fan wrote:
On 1/18/2011 9:40 AM, Weijun Wang wrote:
You mean a tree of the whole keystore, but not chain for each entry. Right?

Right.

Andrew

Max

On 01/18/2011 09:26 AM, Xuelei Fan wrote:
I would like to see a option to display the intuitive tree. For example:
$ keytool -list -tree -keystore ...
    + root CA alias
      + intermediate CA alias
        + entity cert 1 alias
        + entity cert 2 alias

Andrew

On 1/17/2011 4:59 PM, Weijun Wang wrote:
Hi All

I have a keystore with a bunch of testing root CA, intermediate CA and
entity certs, some PrivateKeyEntry and some TrustedCertEntry, and it's
quite difficult to know who signs who. Therefore I suggest some
enhancement for the simple "keytool -list". (by simple, I mean no "-v").

The entry will look like:

    user, Sep 6, 2007, PrivateKeyEntry, user - signer - rootca(self)

Here, "user - signer - rootca(self)" means the entry's cert chain has 3
certs, which match aliases user, signer, and rootca in the same
keystore, and rootca is a self-signed cert.

When a cert is not inside this keystore, its distinguished name can be
printed, like this:

    user, Sep 6, 2007, PrivateKeyEntry, user - signer - "CN=Root CA"(self)

Also, if the last cert is not self-signed, its signer can also be added
after "--", like this:

    user, Sep 6, 2007, PrivateKeyEntry,
                    user - signer -- "CN=Another CA"(self)

Do you find this useful?

Thanks
Max

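The tree Max sketches at the top of this thread can be prototyped against the standard java.security.KeyStore API without touching keytool. What follows is an added example written for this page, not code from keytool, the JDK, or anyone in the thread. It assumes a keystore path and password (and optionally a cacerts path) passed as command-line arguments. It links each certificate to the certificate that actually verifies its signature (a matching issuer name alone is not trusted), then prints the proposed layout: self-signed roots at the top level, chain members that exist only in cacerts as [alias], members found in neither store as a quoted DN, non-self-signed roots under "Non self signed:", and SecretKeyEntry aliases under "Other entries".

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

/** Sketch of a "keytool -list -tree" style view. Example code, not keytool's own. */
public class KeyStoreTree {

    /** One node per distinct certificate seen in the keystore or its chains. */
    static final class Node {
        final X509Certificate cert;
        String label;                              // how the node prints; null until resolved
        final List<Node> children = new ArrayList<>();
        Node(X509Certificate c) { this.cert = c; }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {                     // assumed CLI: <keystore> <storepass> [cacerts]
            System.err.println("usage: KeyStoreTree <keystore> <storepass> [cacerts]");
            return;
        }
        KeyStore ks = load(args[0], args[1].toCharArray());
        KeyStore cacerts = args.length > 2 ? load(args[2], null) : null; // null pw: no integrity check
        System.out.print(render(ks, cacerts));
    }

    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    static String render(KeyStore ks, KeyStore cacerts) throws Exception {
        Map<X509Certificate, Node> nodes = new LinkedHashMap<>();
        List<String> others = new ArrayList<>();

        // 1. Collect every certificate: entry certs are labelled by alias now,
        //    chain members that are not entries themselves are labelled in step 2.
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain == null) { others.add(alias + ", SecretKeyEntry"); continue; } // no chain: secret key
                add(nodes, (X509Certificate) chain[0], alias + ", PrivateKeyEntry");
                for (int i = 1; i < chain.length; i++) add(nodes, (X509Certificate) chain[i], null);
            } else if (ks.isCertificateEntry(alias)) {
                add(nodes, (X509Certificate) ks.getCertificate(alias), alias + ", TrustedCertificateEntry");
            }
        }
        // 2. Chain members with no alias here: [alias] if cacerts holds them, else the subject DN.
        for (Node n : nodes.values()) {
            if (n.label != null) continue;
            String ca = cacerts == null ? null : cacerts.getCertificateAlias(n.cert);
            n.label = ca != null ? "[" + ca + "], TrustedCertificateEntry"
                                 : "\"" + n.cert.getSubjectX500Principal().getName() + "\"";
        }
        // 3. Attach each cert to the cert that signed it; unsigned-by-anyone-here certs are roots.
        List<Node> selfSigned = new ArrayList<>(), nonSelfSigned = new ArrayList<>();
        for (Node n : nodes.values()) {
            Node signer = findSigner(nodes, n.cert);
            if (signer == null) (isSelfSigned(n.cert) ? selfSigned : nonSelfSigned).add(n);
            else signer.children.add(n);
        }
        StringBuilder out = new StringBuilder();
        out.append("******************************************\n* Chained entries\n******************************************\n");
        for (Node n : selfSigned) dump(n, 0, out);
        if (!nonSelfSigned.isEmpty()) {
            out.append("Non self signed:\n");
            for (Node n : nonSelfSigned) dump(n, 1, out);
        }
        out.append("******************************************\n* Other entries:\n******************************************\n");
        for (String o : others) out.append(o).append('\n');
        return out.toString();
    }

    static void add(Map<X509Certificate, Node> nodes, X509Certificate c, String label) {
        Node n = nodes.computeIfAbsent(c, Node::new);   // X509Certificate.equals compares DER encodings
        if (n.label == null) n.label = label;            // an alias label beats a placeholder
    }

    /** The signer is the cert whose subject is our issuer AND whose key verifies our signature. */
    static Node findSigner(Map<X509Certificate, Node> nodes, X509Certificate c) {
        for (Node cand : nodes.values()) {
            if (cand.cert.equals(c)) continue;           // a self-signature is not a parent
            if (!cand.cert.getSubjectX500Principal().equals(c.getIssuerX500Principal())) continue;
            try { c.verify(cand.cert.getPublicKey()); return cand; }
            catch (Exception e) { /* same name, different key: keep looking */ }
        }
        return null;
    }

    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }

    static void dump(Node n, int depth, StringBuilder out) {
        for (int i = 0; i < depth; i++) out.append("  ");
        out.append(depth == 0 ? "" : "+ ").append(n.label).append('\n');
        for (Node child : n.children) dump(child, depth + 1, out);
    }
}
```

Run it as `java KeyStoreTree test.jks changeit $JAVA_HOME/lib/security/cacerts` (paths and password are placeholders). Two caveats worth knowing before reading the output as a trust statement: the parent link is decided by signature verification, not by issuer name alone, so a rogue certificate that merely copies a CA's subject name lands under "Non self signed" rather than under the CA; and each certificate is given a single parent, so a cross-signed pair (A signs B, B signs A, with different keys) forms a cycle reachable from no root and is not printed, which a real keytool implementation would need to handle explicitly.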