1. Overview

In this tutorial, we’ll learn to check certificate names and aliases in a Java keystore file using the Java KeyStore API and the keytool utility.

2. Setup

Before describing the two methods, let’s create a keystore file using the keytool utility:

$ keytool -genkeypair -keyalg rsa -alias baeldung -storepass storepw@1 -keystore my-keystore.jks

Note that having the ‘$’ character in the keystore password might cause some unexpected behavior when using the bash CLI since it’s interpreted as an environment variable.

Next, let’s provide the additional required information:

What is your first and last name?
  [Unknown]:  my-cn.localhost
What is the name of your organizational unit?
  [Unknown]:  Java Devs
What is the name of your organization?
  [Unknown]:  Baeldung
What is the name of your City or Locality?
  [Unknown]:  London
What is the name of your State or Province?
  [Unknown]:  Greater London
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB correct?
  [no]:  yes

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
	for: CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB

Finally, let’s verify if the my-keystore.jks file was generated:

$ ls | grep my-keystore.jks
my-keystore.jks

We’re now ready to proceed to the two methods for checking certificate names and aliases in the generated keystore file.

3. Check Certificate Name and Alias Using Java KeyStore API

This method uses the Java KeyStore API and works for X509 certificates. First, let’s read the keystore file:

KeyStore readKeyStore() throws Exception {
    KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
    keystore.load(getClass().getResourceAsStream(KEYSTORE_FILE), KEYSTORE_PWD.toCharArray());
    return keystore;
}

Next, let’s verify the scenario when a certificate with a matching alias and name is present in the keystore:

@Test
void whenCheckingAliasAndName_thenMatchIsFound() throws Exception {
    KeyStore keystore = readKeyStore();

    assertThat(keystore.containsAlias("baeldung")).isTrue();

    X509Certificate x509Certificate = 
      (X509Certificate) keystore.getCertificate("baeldung");
    String ownerName = x509Certificate.getSubjectX500Principal().getName();
    assertThat(ownerName.contains("my-cn.localhost")).isTrue();
}

Finally, let’s validate the scenarios when a certificate with a given alias or name is not present in the keystore:

@Test
void whenCheckingAliasAndName_thenNameIsNotFound() throws Exception {
    KeyStore keystore = readKeyStore();

    assertThat(keystore.containsAlias("baeldung")).isTrue();

    X509Certificate x509Certificate = 
      (X509Certificate) keystore.getCertificate("baeldung");
    String ownerName = x509Certificate.getSubjectX500Principal().getName();
    assertThat(ownerName.contains("commonName1")).isFalse();
}

@Test
void whenCheckingAliasAndName_thenAliasIsNotFound() throws Exception {
    KeyStore keystore = readKeyStore();

    assertThat(keystore.containsAlias("alias1")).isFalse();
}

4. Check Certificate Name and Alias Using keytool Utility

The second method uses the keytool utility and the alias argument:

$ keytool -list -v -alias baeldung -keystore my-keystore.jks -storepass storepw@1 | grep my-cn.localhost
Owner: CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB
Issuer: CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB

Note that we’re also using the grep command to search for the certificate name. The command above returns an empty result when no match for the certificate alias and name is found.

5. Conclusion

In this tutorial, we’ve learned how to check certificate names and aliases in a Java keystore file using two methods. The first method uses the Java KeyStore API, whereas the latter uses the keytool utility. These methods prove useful when multiple keystore files are used, and we need to find the one for a specific alias and name.

As always, the complete code can be found over on GitHub.

Course – LSS (cat=Security/Spring Security)
announcement - icon

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

>> CHECK OUT THE COURSE

res – Security (video) (cat=Security/Spring Security)
Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.