1. Overview

In this tutorial, we’ll learn to check certificate names and aliases in a Java keystore file using the Java KeyStore API and the keytool utility.

2. Setup

Before describing the two methods, let’s create a keystore file using the keytool utility:

$ keytool -genkeypair -keyalg rsa -alias baeldung -storepass storepw@1 -keystore my-keystore.jks

Note that a ‘$’ character in the keystore password might cause unexpected behavior on the bash command line, since bash treats ‘$’ followed by a name as a variable reference and expands it before keytool ever receives the password.

Next, let’s provide the additional required information:

What is your first and last name?
  [Unknown]:  my-cn.localhost
What is the name of your organizational unit?
  [Unknown]:  Java Devs
What is the name of your organization?
  [Unknown]:  Baeldung
What is the name of your City or Locality?
  [Unknown]:  London
What is the name of your State or Province?
  [Unknown]:  Greater London
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB correct?
  [no]:  yes

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
	for: CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB

Finally, let’s verify if the my-keystore.jks file was generated:

$ ls | grep my-keystore.jks
my-keystore.jks

We’re now ready to proceed to the two methods for checking certificate names and aliases in the generated keystore file.

3. Check Certificate Name and Alias Using Java KeyStore API

This method uses the Java KeyStore API and works for X.509 certificates. First, let’s read the keystore file:

// Keystore from the setup above, assumed to sit at the root of the test classpath, and its password
private static final String KEYSTORE_FILE = "/my-keystore.jks";
private static final String KEYSTORE_PWD = "storepw@1";

KeyStore readKeyStore() throws Exception {
    KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
    // Note: load(null, pwd) silently creates an empty keystore, so a wrong resource path is not reported here
    keystore.load(getClass().getResourceAsStream(KEYSTORE_FILE), KEYSTORE_PWD.toCharArray());
    return keystore;
}

Next, let’s verify the scenario when a certificate with a matching alias and name is present in the keystore:

@Test
void whenCheckingAliasAndName_thenMatchIsFound() throws Exception {
    KeyStore keystore = readKeyStore();

    assertThat(keystore.containsAlias("baeldung")).isTrue();

    X509Certificate x509Certificate = 
      (X509Certificate) keystore.getCertificate("baeldung");
    String ownerName = x509Certificate.getSubjectX500Principal().getName();
    assertThat(ownerName.contains("my-cn.localhost")).isTrue();
}

Finally, let’s validate the scenarios when a certificate with a given alias or name is not present in the keystore:

@Test
void whenCheckingAliasAndName_thenNameIsNotFound() throws Exception {
    KeyStore keystore = readKeyStore();

    assertThat(keystore.containsAlias("baeldung")).isTrue();

    X509Certificate x509Certificate = 
      (X509Certificate) keystore.getCertificate("baeldung");
    String ownerName = x509Certificate.getSubjectX500Principal().getName();
    assertThat(ownerName.contains("commonName1")).isFalse();
}

@Test
void whenCheckingAliasAndName_thenAliasIsNotFound() throws Exception {
    KeyStore keystore = readKeyStore();

    assertThat(keystore.containsAlias("alias1")).isFalse();
}
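As an added example that is not part of the original tutorial, the following class applies the same API to the use case of searching several keystore files for an alias whose certificate carries a given subject CN, parsing the DN with javax.naming.ldap.LdapName rather than substring-matching the DN string; the class name, the file list and the shared password are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class KeystoreFinder {
    // Extract the CN from the subject DN by parsing it as an RFC 2253 name instead of
    // substring-matching the DN string, which would also hit a name inside OU or O.
    static Optional<String> subjectCn(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return Optional.of(rdn.getValue().toString());
            }
        }
        return Optional.empty();
    }

    // Return the first keystore that holds an X.509 certificate under the given alias
    // whose subject CN equals expectedCn (all keystores are assumed to share one password).
    static Optional<Path> findKeystore(List<Path> files, String alias, String expectedCn,
                                       char[] password) throws Exception {
        for (Path file : files) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = Files.newInputStream(file)) {
                ks.load(in, password); // IOException on a wrong password or a corrupt file
            }
            if (!ks.containsAlias(alias)) {
                continue;
            }
            Certificate cert = ks.getCertificate(alias); // null for secret-key entries
            if (cert instanceof X509Certificate
                    && subjectCn((X509Certificate) cert).filter(expectedCn::equals).isPresent()) {
                return Optional.of(file);
            }
        }
        return Optional.empty();
    }
    public static void main(String[] args) throws Exception {
        List<Path> files = List.of(Path.of("my-keystore.jks")); // add further keystore paths here
        System.out.println(findKeystore(files, "baeldung", "my-cn.localhost", "storepw@1".toCharArray()));
    }
}
```

Run from the directory holding my-keystore.jks from the setup above; it prints the matching path wrapped in an Optional, or Optional.empty when no keystore matches both alias and CN.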

4. Check Certificate Name and Alias Using keytool Utility

The second method uses the keytool utility and the alias argument:

$ keytool -list -v -alias baeldung -keystore my-keystore.jks -storepass storepw@1 | grep my-cn.localhost
Owner: CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB
Issuer: CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB

Note that we’re also using the grep command to search for the certificate name, and that the -v flag is required because without it keytool -list prints only the entry type and certificate fingerprint, not the Owner line. Because the certificate is self-signed, the name also appears in the Issuer line, so to check the subject only, restrict the match to the Owner line. The command above returns an empty result when no match for the certificate alias and name is found.

5. Conclusion

In this tutorial, we’ve learned how to check certificate names and aliases in a Java keystore file using two methods. The first method uses the Java KeyStore API, whereas the second uses the keytool utility. These methods prove useful when multiple keystore files are in use and we need to find the one holding a specific alias and name.

As always, the complete code can be found over on GitHub.
