15 January 2013

How To List All Certificates in the JDK cacerts File

Lately I've been working on a project that requires the use of SSL and therefore certificates. While working though the necessary tasks, I became curious about the number of certificates that exist in the default truststore in the JDK for Mac OS X (it's named cacerts). Well using Java's keytool utility it's easy to take a peek at them. Here's how to list them:
$ echo 'changeit' | keytool -list -v -keystore $(find $JAVA_HOME -name cacerts) | grep 'Owner:'
Enter keystore password:  Owner: CN=TWCA Root Certification Authority, OU=Root CA, O=TAIWAN-CA, C=TW
Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Owner: CN=NetLock Uzleti (Class B) Tanusitvanykiado, OU=Tanusitvanykiadok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU
Owner: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
Owner: CN=Wells Fargo Root Certificate Authority, OU=Wells Fargo Certification Authority, O=Wells Fargo, C=US
Owner: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
Owner: CN=Global Chambersign Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
Owner: OU=RSA Security 2048 V3, O=RSA Security Inc
...
This results in a tremendous amount of output hence the grep to list just the owner. According to this method of listing the certs in the default truststore, there are 183. I just glanced through the list and they seem to come from CAs all over the world. I wonder how it was determined which certs to place in the default truststore?

No comments:

Post a Comment