keytool -list -v and keytool -list return different outputs
When I run this command:
keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts
I get this output:
ascom-ws, 27.05.2016, trustedCertEntry,
Certificate fingerprint (SHA1): 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9
As I understand it, this certificate is a SHA1 certificate.
But when I run this command:
keytool -list -v -keystore %JAVA_HOME%/jre/lib/security/cacerts
I get this output:
Alias name: ascom-ws
Creation date: 27.05.2016
Entry type: trustedCertEntry
Owner: CN=*.ascom-ws.com, O=Ascom (Sweden) AB, L=Gothenburg, ST=Gothenburg, C=SE
Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: fb34f8c44b6d2cb3f92593f8fe7e67d
Valid from: Tue Oct 06 02:00:00 CEST 2015 until: Fri Dec 14 13:00:00 CET 2018
Certificate fingerprints:
MD5: A4:8E:49:4F:2C:10:C6:94:80:C5:6A:DC:13:72:CF:F0
SHA1: 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9
SHA256: 2D:24:07:41:C0:1B:9D:70:DF:CB:13:0A:C9:18:1B:A4:12:25:B7:53:C7:99:09:ED:2F:E2:CA:12:3A:BF:F8:4A
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
,
accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 51 68 FF 90 AF 02 07 75 3C CC D9 65 64 62 A2 12 Qh.....u<..edb..
0010: B8 59 72 3B .Yr;
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/sha2-ha-server-g4.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/sha2-ha-server-g4.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS
]] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.ascom-ws.com
DNSName: ascom-ws.com
]
#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 67 8B 3F 98 ED 79 21 03 59 95 82 CC FE 4A EA DF g.?..y!.Y....J..
0010: F8 C3 55 7C ..U.
]
]
As I understand it, this certificate is a SHA2 certificate. Which is correct?
The fingerprint does not define the certificate type. It is a (one-way) hash of the whole certificate in DER format (SHA-1, MD5, etc.). To know the certificate's signature type, look at the Signature algorithm name (public key + digest algorithm). In this case you are right: your certificate's signature is a SHA2 signature (SHA256 with an RSA public key), but your certificate type is X.509 with an RSA public key (a trusted certificate entry).
When you look more closely, you will see that when you use the verbose option -v you also get the result that you get without the verbose option:
Certificate fingerprints:
MD5: A4:8E:49:4F:2C:10:C6:94:80:C5:6A:DC:13:72:CF:F0
---> SHA1: 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9
SHA256: 2D:24:07:41:C0:1B:9D:70:DF:CB:13:0A:C9:18:1B:A4:12:25:B7:53:C7:99:09:ED:2F:E2:CA:12:3A:BF:F8:4A
Signature algorithm name: SHA256withRSA
Version: 3
The -v option really only shows more information.
So you can see here that the signature algorithm is SHA256withRSA,
but the signature is not the certificate type.
The certificate is probably an X.509 certificate.
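An added example that is not from either answer: a small Java program that loads the cacerts truststore, recomputes the MD5/SHA-1/SHA-256 fingerprints as digests over each certificate's DER encoding (the same values keytool prints), and shows the certificate's own signature algorithm beside them, so the two are visibly independent. The keystore path (defaulting to the running JVM's cacerts) and the password "changeit" (the JDK default) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class CacertsAudit {

    // A "fingerprint" is just a digest over the certificate's DER bytes;
    // any digest algorithm can be used, which is why keytool can print MD5,
    // SHA1 and SHA256 fingerprints for the very same certificate.
    static String fingerprint(Certificate cert, String digestAlgorithm) throws Exception {
        byte[] der = cert.getEncoded();
        byte[] digest = MessageDigest.getInstance(digestAlgorithm).digest(der);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Assumed: cacerts of the running JVM and the JDK default password.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = "changeit".toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;

            // The signature algorithm is a field inside the certificate
            // (e.g. SHA256withRSA); it is unrelated to the digest chosen above.
            System.out.println(alias + "  signature algorithm: " + x.getSigAlgName());
            System.out.println("  MD5    " + fingerprint(x, "MD5"));
            System.out.println("  SHA1   " + fingerprint(x, "SHA-1"));
            System.out.println("  SHA256 " + fingerprint(x, "SHA-256"));
        }
    }
}
```

Run it as `java CacertsAudit [path-to-cacerts]`; for the ascom-ws entry the SHA1 line should equal the fingerprint that `keytool -list` prints, while the signature algorithm line still reads SHA256withRSA.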