How to get the certificate details like issuer/serial number/validity for java app instances

Article ID: 403741

Products

VMware Tanzu Application Service

Issue/Introduction

In a Java application, a keystore is the secure storage mechanism that holds cryptographic keys and certificates. It plays a central role in enabling secure communication, especially over HTTPS or any other SSL/TLS connection.

Retrieving certificate metadata such as the issuer, serial number, and validity period from a keystore is not just good hygiene; it is foundational to secure and reliable operations. It can prevent outages caused by expired certificates in containers or service endpoints, and it feeds automated alerts or dashboards when integrated with monitoring tools.

This article describes the procedure to get the certificate details (issuer, serial number, validity) for Java applications running on the platform.


Resolution

1.) For a Java app, if the keystore is injected into the default location, it can be found inside the app instance at

/home/vcap/app/.java-buildpack/open_jdk_jre/lib/security/cacerts

If a customized location is used instead, confirm the path with the application developers.

2.) Once the keystore file is identified inside the app instance, it needs to be copied out of the container to a Linux jumpbox. The reason is that the "keytool" utility is not available inside the app instance (the buildpack installs a JRE only), and keytool is needed to print the issuer, serial number and validity of each certificate. The copy can be done by referring to Method #4 in this article: https://knowledge.broadcom.com/external/article/297436/how-to-generate-and-download-java-applic.html

To retrieve the file via SCP, do the following. If the default location is not used, replace "/home/vcap/app/.java-buildpack/open_jdk_jre/lib/security/cacerts" with your customized path.

  1. Run cf ssh-code to get a one-time access code for SSH into your container. SCP prompts for it as the password.
  2. Get the SSH endpoint to use. Run cf curl /v2/info | grep app_ssh_endpoint (use the host name only; the port is passed separately with -P 2222).
  3. Obtain the App GUID for your app. Run cf app APP_NAME --guid
  4. Copy the keystore out with scp -P 2222 -o User=cf:<your-app-guid>/<app-index> <SSH-endpoint>:/home/vcap/app/.java-buildpack/open_jdk_jre/lib/security/cacerts cacerts.jks. Make sure to substitute your app GUID, the app index and the SSH endpoint that you retrieved from steps 2 and 3.

3.) The default password of the JRE cacerts keystore is "changeit" (substitute the real password if it was changed). The following command on the jumpbox prints the certificate details, filtered to alias, issuer, serial number and validity.

keytool -list -v -keystore cacerts.jks -storepass changeit | egrep "Alias|Issuer|Serial|Valid"

Here is an example.

da####@Y6####QK Downloads % keytool -list -v -keystore cacerts.jks -storepass changeit|egrep "Alias|Issuer|Serial|Valid"
Alias name: actalisauthenticationrootca [jdk]
Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
Serial number: 57####cc
Valid from: Thu Sep 22 19:22:02 CST 2011 until: Sun Sep 22 19:22:02 CST 2030
Alias name: af####ca [jdk]
Issuer: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
Serial number: 77####7c
Valid from: Fri Jan 29 22:06:06 CST 2010 until: Tue Dec 31 22:06:06 CST 2030
.
.
.
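The following script is an added example that is not part of the original article. It automates the same procedure (the cf/scp copy-out from step 2, the keytool listing from step 3) and adds the check an operator usually wants next: which entries are already expired or expire within N days, parsed from the "Valid from ... until:" lines keytool prints. It assumes the cf CLI and scp on a Linux jumpbox and GNU date for parsing the timestamps; the function names (fetch_keystore, list_certs, expiring_within) and the sample keytool output are the author's own, not from the article or the platform.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Copies the keystore out of a
# Tanzu Application Service app container, lists it with keytool and flags
# certificates that are expired or expire within N days.
# Assumptions: cf CLI + scp on a Linux jumpbox, GNU date (date -d) for parsing.
set -euo pipefail

DEFAULT_CACERTS=/home/vcap/app/.java-buildpack/open_jdk_jre/lib/security/cacerts

# fetch_keystore APP_NAME LOCAL_FILE [INDEX] [REMOTE_PATH]
# Steps 1-4 of the article. scp prompts for the one-time code that cf ssh-code prints.
fetch_keystore() {
  local app="$1" out="$2" index="${3:-0}" remote="${4:-$DEFAULT_CACERTS}"
  local endpoint host port guid
  endpoint=$(cf curl /v2/info | sed -n 's/.*"app_ssh_endpoint": *"\([^"]*\)".*/\1/p')
  host=${endpoint%%:*}                      # app_ssh_endpoint is host:port
  case "$endpoint" in *:*) port=${endpoint##*:} ;; *) port=2222 ;; esac
  guid=$(cf app "$app" --guid)
  echo "One-time SSH code (paste it at the scp password prompt):"
  cf ssh-code
  scp -P "$port" -o "User=cf:${guid}/${index}" "${host}:${remote}" "$out"
}

# list_certs KEYSTORE [STOREPASS]: the article's keytool command.
list_certs() {
  keytool -list -v -keystore "$1" -storepass "${2:-changeit}" \
    | grep -E 'Alias|Issuer|Serial|Valid'
}

# expiring_within DAYS  (keytool -list -v output on stdin)
# Prints "alias<TAB>days_left<TAB>until" for every entry whose "until:" date is
# at most DAYS days away. A negative days_left means the entry has already expired.
expiring_within() {
  local days="$1" now name="" until epoch left line
  now=$(date +%s)
  while IFS= read -r line; do
    case "$line" in
      "Alias name: "*) name=${line#Alias name: } ;;
      "Valid from: "*)
        until=${line##* until: }                 # e.g. "Sun Sep 22 19:22:02 CST 2030"
        epoch=$(date -d "$until" +%s)            # GNU date parses keytool's format
        left=$(( (epoch - now) / 86400 ))
        if [ "$left" -le "$days" ]; then
          printf '%s\t%s\t%s\n' "$name" "$left" "$until"
        fi ;;
    esac
  done
}

# Constructed sample of keytool output (redacted in the same way as the article's
# example); used when the script is run with no arguments.
SAMPLE_OUTPUT='Alias name: rootca-long-lived [jdk]
Issuer: CN=Example Root CA, O=Example, C=US
Serial number: 0a1b2c3d
Valid from: Thu Sep 22 19:22:02 CST 2011 until: Sun Sep 22 19:22:02 CST 2030
Alias name: intermediate-expired [jdk]
Issuer: CN=Example Intermediate CA, O=Example, C=US
Serial number: 7f7f7f7f
Valid from: Fri Jan 29 22:06:06 CST 2010 until: Thu Dec 31 22:06:06 CST 2020'

# Usage: ./check_cacerts.sh KEYSTORE [STOREPASS] [DAYS]
# (run fetch_keystore APP_NAME cacerts.jks first to obtain KEYSTORE)
if [ "$#" -ge 1 ]; then
  list_certs "$1" "${2:-changeit}"
  echo "--- expired or expiring within ${3:-30} days ---"
  keytool -list -v -keystore "$1" -storepass "${2:-changeit}" | expiring_within "${3:-30}"
else
  printf '%s\n' "$SAMPLE_OUTPUT" | expiring_within 30
fi
```

Run with no arguments to see the parser flag the expired sample entry; run with the copied cacerts.jks to list the real keystore. The expiry check reads the "until:" timestamp rather than the alias, so it works for any entry keytool lists, including private-key entries in a customized keystore.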