keytool list certs refers to the Java keytool command run with -list, which displays the entries in a keystore: by default one summary line per alias (alias, creation date, entry type) followed by the certificate's SHA-256 fingerprint, or the full certificate chain for each entry with -v.
keytool -list -keystore /path/to/keystore -storepass changeit
Syntax
keytool -list [-v] [-alias <alias>] [-keystore <keystore-path>] [-storetype <type>] [-storepass <password>] [-providerName <name>] [-J<java-option>]
Tested on OpenJDK 17.0.6 (Java SE 17) with keytool 17.0.6 on Ubuntu 22.04.
Options and Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| -list | Action | Required | Lists entries in the keystore. Without -v, prints one summary line per alias (alias, creation date, entry type) plus a Certificate fingerprint (SHA-256): line. |
| -v | Boolean | Off | Verbose output: prints each entry's full certificate chain with owner, issuer, serial number, validity period, SHA-1/SHA-256 fingerprints and extensions. |
| -alias | String | All aliases | Restricts the listing to one alias. Matching is case-insensitive for JKS and PKCS12 stores, which store aliases in lower case. |
| -keystore | Path | $HOME/.keystore | Path to the keystore file. To inspect the trust store bundled with the JDK, use the -cacerts option (JDK 9+) instead of a path. |
| -storetype | String | The keystore.type security property (pkcs12 on JDK 9+); with keystore.type.compat=true, the default, JKS and PKCS12 files are both opened regardless of type | Explicitly set the keystore type. Needed for non-file stores such as pkcs11 (hardware tokens) and for pkcs12 files on JDK 8, where the default is jks. |
| -storepass | String | Prompts if omitted | Keystore password. Warning: passing it on the command line exposes it in process lists and shell history; prefer -storepass:env VAR (read from an environment variable) or -storepass:file PATH. |
| -providerName | String | The JDK's built-in providers | Select a specific registered security provider; used together with -storetype for provider-specific keystores such as PKCS11. |
| -J | String | N/A | Pass a JVM option directly (e.g., -J-Djava.security.debug=all). |
Usage Examples
1. List all aliases in a JKS keystore
keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit
Displays one line per alias (certificate nickname), each followed by its SHA-256 fingerprint, for the system trust store that Debian and Ubuntu maintain at /etc/ssl/certs/java/cacerts. The password for a cacerts file is normally changeit on OpenJDK distributions; if the store is in JKS format, keytool will also list it read-only with no password (press Enter at the prompt) and then warn that the keystore's integrity was not verified. On JDK 9+ the copy bundled with the JDK itself can be listed with keytool -list -cacerts. Useful to verify whether a particular CA or intermediate certificate is present, and to compare the fingerprint shown with the one the CA publishes.
2. Show certificate chain for a specific alias
keytool -list -v -alias my-server -keystore server.jks -storepass s3cr3t
Outputs the full X.509 certificate chain stored under the alias my-server, including the owner (subject DN), issuer, serial number, validity dates, SHA-1 and SHA-256 fingerprints, and extensions such as Subject Alternative Name and Key Usage. Use -v to check these properties before deployment, and compare the SHA-256 fingerprint with the value the CA issued or the running server presents rather than trusting the alias name alone. Note that -storepass s3cr3t on the command line lands in shell history and process listings; -storepass:env KS_PASS reads the password from an environment variable instead.
3. List aliases in a PKCS12 keystore without password prompt (non-interactive)
keytool -list -storetype pkcs12 -keystore app.p12 -storepass:env P12_PASS 2>/dev/null | awk -F', ' '/Entry,/ {print $1}'
Pipeline that keeps only the alias names. In non-verbose output each entry is a line such as my-server, Jan 10, 2024, PrivateKeyEntry, followed by a Certificate fingerprint (SHA-256): line, so matching Entry, selects exactly the alias lines and skips the Keystore type:, Your keystore contains and fingerprint lines; splitting on ", " makes the alias the first field. -storepass:env reads the password from the P12_PASS variable instead of exposing it as a command-line argument. 2>/dev/null silences the warnings keytool writes to stderr (the legacy-JKS-format notice on JDK 9+, weak-algorithm warnings); leave it off while debugging so real errors stay visible. This pattern is used in CI/CD pipelines to check for expected aliases, for example by grepping the result for the alias a deployment requires.
4. Export current list of aliases to file for inventory
keytool -list -keystore truststore.jks -storepass:env TRUST_PASS | awk -F', ' '/Entry,/ {print $1}' | sort > aliases.txt
Captures the alias list into aliases.txt, one alias per line, using the same Entry, match as above so header and fingerprint lines are excluded. Sorting makes the file stable, so diff aliases-prod.txt aliases-staging.txt gives a meaningful comparison across environments and over time. Bear in mind that an alias list alone will not reveal a certificate that was rotated under the same alias; keep the Certificate fingerprint (SHA-256): lines as well if you need to track rotations, not just additions and removals.
Troubleshooting & Common Errors
| Error Message | Root Cause | Resolution Command |
|---|---|---|
| keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect | Wrong password, or the file was modified or truncated after it was written. | Retry with the correct password from the environment: keytool -list -keystore ks.jks -storepass:env KS_PASS. If the store is corrupted, restore it from backup; there is no password recovery for JKS or PKCS12. |
| keytool error: java.io.IOException: Invalid keystore format | The file is not in the format keytool tried to read: a PEM or DER certificate passed as a keystore, or, on JDK 8, a .p12 file opened with the default type jks. | keytool -list -storetype pkcs12 -keystore app.p12 -storepass:env P12_PASS |
| java.security.KeyStoreException: PKCS12 not found | No installed provider implements the requested store type, typically because -providerName names a provider that does not support it or the provider list in java.security was trimmed. | Drop -providerName, or check the security.provider.N entries in $JAVA_HOME/conf/security/java.security. |
| keytool error: java.lang.Exception: Alias <name> does not exist | Alias misspelled or not present in this keystore (case is not the issue: JKS and PKCS12 aliases are case-insensitive). | List all aliases first: keytool -list -keystore ks.jks -storepass:env KS_PASS |
| keytool: command not found | Java not installed or $JAVA_HOME/bin not in PATH. | export PATH="$JAVA_HOME/bin:$PATH", or call "$JAVA_HOME/bin/keytool" directly; keytool ships with both JDK and JRE packages. |
| Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 ... | Listing a legacy JKS store on JDK 9+, where PKCS12 is the default type. | Harmless for listing. Migrate with the command the warning prints, keytool -importkeystore -srckeystore ks.jks -destkeystore ks.jks -deststoretype pkcs12, or silence it with 2>/dev/null. |
Frequently Asked Questions
What is the difference between -list with -v and without it in keytool?
Answer: -list -v displays each entry's full certificate chain with owner, issuer, serial number, validity dates, fingerprints and extensions; -list only shows a summary line per alias plus the SHA-256 fingerprint.
Without -v, each entry takes two lines, e.g. mycert, Jan 10, 2024, PrivateKeyEntry, followed by Certificate fingerprint (SHA-256): .... Use -list -v for certificate chain inspection, issuer verification and expiration dates. Example:
keytool -list -v -keystore /etc/ssl/certs/java/cacerts -storepass changeit
When should I use the -rfc flag with keytool -list?
Answer: Use -rfc when you want the certificates printed as PEM (the RFC 1421 base64 encoding between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) for use with web servers or OpenSSL.
Without -rfc, -list prints human-readable summaries (or, with -v, the parsed fields and fingerprints), not DER; binary DER is what -exportcert writes when -rfc is absent. With -list -rfc, every certificate in the entry's chain is printed as a PEM block, preceded by the Alias name:, Creation date: and Entry type: header lines. Combine with -alias for a single entry:
keytool -list -rfc -alias myapp -keystore keystore.jks -storepass:env KS_PASS > myapp.pem
Because of those header lines the redirected file is not pure PEM: OpenSSL ignores text outside the BEGIN/END markers, but stricter parsers may reject it, and for a PrivateKeyEntry the file holds the whole chain. To write only the end-entity certificate as clean PEM, use keytool -exportcert -rfc -alias myapp -keystore keystore.jks -storepass:env KS_PASS -file myapp.pem.
How do I fix java.io.IOException: Keystore was tampered with, or password was incorrect when running keytool -list?
Answer: Verify the keystore password; if forgotten, the keystore is unrecoverable.
This error indicates a password mismatch or a corrupted keystore (for example a file that was edited or truncated after it was written). Neither JKS nor PKCS12 offers password recovery: the integrity check is keyed by the password, so a lost password leaves the store unreadable. Retry with the correct phrase, preferably via -storepass:env so it stays out of shell history. On Linux, check the JDK's own cacerts with:
keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
On JDK 9+ keytool -list -cacerts does the same without a path; JDK 8 keeps the file under $JAVA_HOME/jre/lib/security/cacerts.
If corrupted, restore from a backup or reinstall the JDK.
Does keytool -list work on AWS, Azure, or GCP cloud environments?
Answer: Yes, keytool works on any OS where Java is installed, including Linux VMs on AWS, Azure, and GCP.
It is not cloud-specific; it depends on the Java Runtime. On containerized platforms (e.g., Docker), ensure the image includes OpenJDK. For managed services (AWS Certificate Manager, Azure Key Vault), use native CLI tools like aws acm or az keyvault to manage certs. Keytool is used locally for JKS/PKCS12 files.
What is the fastest way to list all certificate aliases and their expiration dates from a PKCS12 keystore using keytool?
Answer: Use keytool -list -v and filter on the Alias name: and Valid from: lines.
Example one-liner for quick audit:
keytool -list -v -keystore server.p12 -storetype pkcs12 -storepass:env P12_PASS | grep -E "^Alias name:|^Valid from:"
Each certificate's validity is printed on one line as Valid from: <start> until: <end>. For a PrivateKeyEntry the first Valid from: line after an alias belongs to the entry's own (leaf) certificate and the following ones to its issuers, so one alias followed by several dates is a chain, not several entries. On JDK 9+ -storetype is optional because JKS and PKCS12 files are detected automatically. To reduce the output to alias plus expiration, or to compute the days remaining, post-process it with awk.
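The following script is an added example, not code from the original page: it implements the awk post-processing suggested above for the PKCS12 audit question and doubles as the inventory filter from the CI/CD examples. It parses keytool -list -v output into alias, entry type and expiry of the entry's own certificate, then flags entries that are expired or expire within a threshold. The keystore output it consumes is a constructed sample embedded in the script so it runs offline; the only assumptions are the line format OpenJDK 17 prints (Alias name:, Entry type:, Valid from: ... until: ...) and GNU date for the day arithmetic.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: turn `keytool -list -v` output into a
# tab-separated inventory (alias, entry type, expiry) and flag entries expiring within
# a threshold. Assumes only the line format OpenJDK 17 prints ("Alias name:",
# "Entry type:", "Valid from: ... until: ...") and GNU date for the day arithmetic.
set -u

# Constructed sample of `keytool -list -v` output (two entries, fingerprints
# abbreviated) so the script runs without Java or a keystore. For a real store,
# pipe keytool into the functions below instead.
SAMPLE_KEYTOOL_V='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: my-server
Creation date: Jan 10, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=my-server.example.com, O=Example
Issuer: CN=Example Intermediate CA, O=Example
Serial number: 1a2b3c
Valid from: Wed Jan 10 00:00:00 UTC 2024 until: Fri Jan 10 00:00:00 UTC 2025
Certificate fingerprints:
         SHA1: ...
         SHA256: ...
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example
Serial number: 4d5e6f
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Sat Jan 01 00:00:00 UTC 2028


*******************************************
*******************************************


Alias name: example-root
Creation date: Jan 10, 2024
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
Serial number: 1
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Sun Jan 01 00:00:00 UTC 2045'

# parse_keytool_v: read `keytool -list -v` text on stdin and print one line per entry:
#   alias<TAB>entry type<TAB>expiry of the entry's own certificate
# For a PrivateKeyEntry the first "Valid from" line after the alias belongs to
# Certificate[1], the leaf; the issuer certificates that follow are skipped.
parse_keytool_v() {
  awk '
    /^Alias name: / { alias = substr($0, 13); type = ""; pending = 1 }
    /^Entry type: / { type = substr($0, 13) }
    /^Valid from: / && pending {
      expiry = $0
      sub(/.*until: /, "", expiry)
      printf "%s\t%s\t%s\n", alias, type, expiry
      pending = 0
    }
  '
}

# days_until DATE: whole days from now until a keytool-style date string.
# Uses GNU date (present on Ubuntu); prints n/a and fails if it cannot parse.
days_until() {
  epoch=$(date -u -d "$1" +%s 2>/dev/null) || { echo "n/a"; return 1; }
  echo $(( (epoch - $(date -u +%s)) / 86400 ))
}

# report_expiring THRESHOLD: read `keytool -list -v` text on stdin and print the
# entries that are already expired (negative days) or expire within THRESHOLD days.
report_expiring() {
  threshold=$1
  parse_keytool_v | while read -r alias type expiry; do
    days=$(days_until "$expiry") || continue
    if [ "$days" -le "$threshold" ]; then
      printf '%s\t%s\t%s days left (%s)\n' "$alias" "$type" "$days" "$expiry"
    fi
  done
}

# Demo on the embedded sample. Against a real keystore, run for example:
#   keytool -list -v -keystore server.p12 -storepass:env P12_PASS | report_expiring 30
printf '%s\n' "$SAMPLE_KEYTOOL_V" | parse_keytool_v
```

The parser keys on the Entry type: and first Valid from: line per alias rather than on Certificate[1], so it handles trustedCertEntry items, which have no chain header, the same way as key entries. Feeding it the output of -list -v with -storepass:env keeps the password out of the process list while the pipeline runs unattended in CI.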

Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.
Whether you are a beginner taking your first steps in a Linux environment or a seasoned DevOps engineer looking to optimize your deployment scripts, you will find actionable solutions here. My goal is to help you ditch the mouse, speed up your workflow, and harness the full power of the command line.