I am using Linux and I want to remove the reference to a certificate (i.e. the alias) from the cacerts file, which is a collection of trusted certificate authority (CA) certificates. But I don't remember the name of the alias.
Below is the JDK information:
openjdk version "11.0.12" 2021-07-20 LTS
OpenJDK Runtime Environment Corretto-11.0.12.7.1 (build 11.0.12 7-LTS)
OpenJDK 64-Bit Server VM Corretto-11.0.12.7.1 (build 11.0.12 7-LTS, mixed mode)
When I list the entries from cacerts with keytool, it shows the following type of output.
keytool -list -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit
Output
verisignclass3publicprimarycertificationauthority-g3, Apr 2, 2020, trustedCertEntry, Certificate fingerprint (SHA-256): EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1:B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44
verisignclass3publicprimarycertificationauthority-g4, Apr 2, 2020, trustedCertEntry, Certificate fingerprint (SHA-256): 69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79
verisignclass3publicprimarycertificationauthority-g5, Apr 2, 2020, trustedCertEntry, Certificate fingerprint (SHA-256): 9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99:89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF
verisignuniversalrootcertificationauthority, Apr 2, 2020, trustedCertEntry, Certificate fingerprint (SHA-256): 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C
xrampglobalcaroot, Apr 2, 2020, trustedCertEntry, Certificate fingerprint (SHA-256): CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2
My question is: how can I remove an alias from the cacerts file when I don't remember the alias name? Is there any other pointer I can use to know which entry to delete from cacerts?
CodePudding user response:
The fact you're mentioning /etc/pki/ca-trust/extracted/java/cacerts suggests you're using a cacerts file managed by your Linux distribution (presumably RedHat/CentOS-based).
Removing the specific certificate from that cacerts file manually with keytool is indeed possible. However, it's likely to be re-generated, and the certificate possibly placed back into that file, the next time update-ca-trust is executed, whether automatically (e.g. on a package upgrade) or not.
When using the distribution-managed cacerts file, it's generally better to use the distribution's mechanism.
On RedHat/CentOS-based distributions, this can be done by managing individual certificates in /etc/pki/ca-trust/source/anchors/ and running update-ca-trust.
On Debian/Ubuntu-based distributions, there is an equivalent with certificates in /usr/share/ca-certificates, assuming the ca-certificates-java package is installed (and then you can run update-ca-certificates).
As a side note, you've tagged your question with client-certificate.
Client certificates (and even more so their matching private keys, i.e. PrivateKeyEntry entries) normally don't belong in the cacerts file at all, which is a "keystore" used as a "truststore" (typically the default truststore for all Java applications running on that system). Those belong in a "keystore used as a keystore", not a "keystore used as a truststore" (which shouldn't contain private keys).
CodePudding user response:
If you want to delete a certificate reference from the cacerts entries via its alias name and have forgotten the alias name, then another pointer in the cacerts file is the certificate fingerprint. Get the fingerprint from the certificate and look for that fingerprint among the cacerts entries. Here is a full example. First, list the entries from the certificate keystore.
keytool -list -keystore ./keystore.pfx
It will show output like this:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
te-b6b910d1-a1e2-4a51-b3c8-2c0199d393a3, Dec 7, 2022, PrivateKeyEntry, Certificate fingerprint (SHA-256): 37:01:C3:18:96:D9:54:A3:F6:B6:75:39:2A:5C:61:F9:EF:41:21:4C:E5:BF:6B:37:70:6C:EB:4F:50:3F:90:EB
Note down the fingerprint value, i.e. 37:01:C3:18:96:D9:54:A3:F6:B6:75:39:2A:5C:61:F9:EF:41:21:4C:E5:BF:6B:37:70:6C:EB:4F:50:3F:90:EB
Now list the cacerts entries into a text file.
keytool -list -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit > output.txt
Now open the text file with an editor, e.g. vi, vim or nano, and search for the fingerprint value. In this file you will see the following two lines:
mykey, May 20, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 37:01:C3:18:96:D9:54:A3:F6:B6:75:39:2A:5C:61:F9:EF:41:21:4C:E5:BF:6B:37:70:6C:EB:4F:50:3F:90:EB
Now you have found the alias name, i.e. mykey. So you can delete the certificate entry from cacerts with the command below:
keytool -delete -alias mykey -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit --noprompt
If you run the above command again, it will show the error below:
keytool error: java.lang.Exception: Alias <mykey> does not exist.
So with this example, you are now able to find the alias name in cacerts using fingerprints and to delete that alias from the cacerts entries.
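The procedure in the answer above (list cacerts, search for the fingerprint, read off the alias, delete it) automated as a POSIX shell script. This is an added example, not code from either answer. It assumes plain `keytool -list` output (not `-v`), where the "Certificate fingerprint" digest is the last token of its line and that line sits either on the alias line or on the line after it, which are the two layouts visible in the listings on this page. The function names are my own, and the sample listing is constructed here from the two fingerprints quoted in the question and the answer.

```shell
#!/bin/sh
# Added example: resolve a cacerts alias from a certificate fingerprint, then
# delete it. Not code from the answers; assumptions are noted in comments.
set -e

# Normalise a fingerprint so the comparison ignores colons, spaces and case
# (different tools print digests in different shapes).
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# alias_for_fingerprint LISTING FINGERPRINT
#   LISTING: a file holding non-verbose `keytool -list` output (assumption).
#   Prints the alias whose fingerprint matches; returns 1 if no entry matches.
alias_for_fingerprint() {
    awk -v want="$(norm_fp "$2")" '
        # Entry line: "<alias>, <date>, <entry type>[, Certificate fingerprint ...]".
        # The alias is everything before the first comma.
        /, (trustedCertEntry|PrivateKeyEntry|SecretKeyEntry)/ {
            split($0, f, ",")
            cur = f[1]
        }
        # Fingerprint line, either the alias line itself or the one after it:
        # the digest is the last whitespace-separated token.
        /Certificate fingerprint/ && cur != "" {
            fp = $NF
            gsub(/:/, "", fp)
            if (toupper(fp) == want) { print cur; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# delete_by_fingerprint KEYSTORE STOREPASS FINGERPRINT
#   Lists the keystore, resolves the alias, and deletes it with keytool.
#   Defined but not called below, because it modifies the truststore.
delete_by_fingerprint() {
    listing=$(mktemp)
    keytool -list -keystore "$1" -storepass "$2" > "$listing"
    name=$(alias_for_fingerprint "$listing" "$3") || {
        rm -f "$listing"
        echo "no entry in $1 has fingerprint $3" >&2
        return 1
    }
    rm -f "$listing"
    echo "deleting alias '$name' from $1" >&2
    keytool -delete -alias "$name" -keystore "$1" -storepass "$2" -noprompt
}

# Constructed sample listing (built here, not a real keystore): the two
# fingerprints are copied from the listings shown on this page, one entry in
# each of the two layouts keytool uses.
SAMPLE_LISTING=$(mktemp)
trap 'rm -f "$SAMPLE_LISTING"' EXIT
cat > "$SAMPLE_LISTING" <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

xrampglobalcaroot, Apr 2, 2020, trustedCertEntry, Certificate fingerprint (SHA-256): CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2
mykey, May 20, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 37:01:C3:18:96:D9:54:A3:F6:B6:75:39:2A:5C:61:F9:EF:41:21:4C:E5:BF:6B:37:70:6C:EB:4F:50:3F:90:EB
EOF

# The lookup the answer does by hand; the input may be lower-case or
# colon-free, as other tools print it.
alias_for_fingerprint "$SAMPLE_LISTING" \
    "37:01:c3:18:96:d9:54:a3:f6:b6:75:39:2a:5c:61:f9:ef:41:21:4c:e5:bf:6b:37:70:6c:eb:4f:50:3f:90:eb"
# prints: mykey

# A fingerprint that is not in the listing: the function fails instead of
# guessing, so a wrong entry is never deleted.
if ! alias_for_fingerprint "$SAMPLE_LISTING" "00:00:00:00" >/dev/null; then
    echo "no entry with fingerprint 00:00:00:00" >&2
fi
```

Two practical notes. Passing `-storepass changeit` on the command line shows up in the process list; keytool also accepts `-storepass:env VAR` and `-storepass:file FILE` if that matters on a shared host. And, as the first answer says, if the keystore is the distribution-managed /etc/pki/ca-trust/extracted/java/cacerts, a deletion made this way can be undone the next time update-ca-trust regenerates the file.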