Verify certificate against Java certificate store via CLI

Question

How can I verify an X509 (or DER-formatted) certificate against the Java certificate store via the command line?

I've looked into using the keytool utility, but it looks like it only handles import/export/display functionality (no verification).

EDIT: It looks as though keytool can be used for verification, but only if an import is attempted. I suppose a better way of asking this questions is whether or not a more passive approach (as in: not modifying the keystore) is available. Thanks!

Answer 1

This page could be oversimplifying:

http://java.sun.com/docs/books/tutorial/security/toolfilex/rstep1.html

But it doesn't look like even import with keytool does a true verification of a certificate. I'm not seeing any description of verifying the signature of the incoming certificate against the signature of another trusted certificate.

jarsigner will verify a signature on a signed jar, but doesn't do anything to verify the signature on the certificate used to sign the jar.

I'm afraid you'd either have to write a tool to do the verfication, or look for a commercial tool that does it. I would think that some of the PKI tool kits would have a certificate verification tool that would do this.

Answer 2

You can use keytool to export the needed certificates (those that are in the chain for the one you need to verify) from the Java keystore into X.509 files. Then, concatenate them together into one file. Finally, use openssl to do the verification.

openssl verify -CAfile concatenated-certs.crt cert-to-verify.crt

Not a perfect solution since it involves popping the certs out of the truststore, but it ought to work given what you are starting with.