Reputation: 783
I am trying to configure SSL and got the .pfx file from the server team. The certificate chain length is 2.
When I am trying to export the certificate chain using keytool, only the first certificate is exported.
Trying to figure out if there are any other parameters I am missing while issuing the keytool command.
The commands I used are:
1) Converting to JKS, as alias name is not supported with pfx:
keytool -importkeystore -srckeystore "serverauth.pfx" -srcstoretype pkcs12 -destkeystore "serverauth.jks"
2) Tried to export certificates using the below:
keytool -export -alias 1 -keystore "serverauth.jks" -rfc -file "authclient.cert"
But the above command generates only the first cert.
If I remove the entire alias option, I get the error:
keytool error: java.lang.Exception: Alias <1> does not exist
Is there any other process?
Upvotes: 12
Views: 49480
Reputation: 161
You could do (example with Java cacerts):
# Export every trustedCertEntry; reading aliases line by line keeps aliases with spaces intact.
keytool -list -keystore cacerts -storepass changeit | grep trustedCertEntry | grep -Eo "^[^,]*" |
while IFS= read -r cert; do
    keytool -exportcert -keystore cacerts -storepass changeit -alias "$cert" -file "${cert}.crt"
done
That will export all certs into separate .crt files.
Upvotes: 16
Reputation: 1203
This works in Java 8 to export the whole certificate chain to a file:
keytool -list -alias yourcert -keystore /path/to/keystore -rfc
Same format as export except it dumps the whole chain. You lose out on the -file option, but you can simply redirect to a file using >
Upvotes: 14
Reputation: 12685
keytool -list -rfc -keystore serverauth.jks
This will output all the certs in a single stream. If you wanted to split them into separate files, you'd have more work to do.
Upvotes: 13
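The "more work" of splitting the `keytool -list -rfc` stream into separate files, as an added example that is not part of any answer above: `split_pem_chain` and `sample_listing` are hypothetical names, and the function assumes the listing covers a single key entry, so it can also check the number of certificates written against the reported chain length (the original problem was a chain of 2 producing only one certificate).

```shell
# Split `keytool -list -rfc` output (stdin) into PREFIX-1.pem, PREFIX-2.pem, ...
# Prints the number of certificates written; returns non-zero when that number
# differs from the "Certificate chain length" keytool reported for the alias.
split_pem_chain() {
    awk -v prefix="$1" '
        { sub(/\r$/, "") }                                   # tolerate CRLF output
        /^Certificate chain length:/ { declared = $NF + 0 }
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = prefix "-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ { inside = 0; close(out) }
        END { print n + 0; exit (declared && declared != n) }
    '
}

# Constructed sample in the listing layout; bodies are placeholders, not real certificates.
sample_listing() {
    cat <<'EOF'
Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
Certificate[2]:
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItSVNTVUVS
-----END CERTIFICATE-----
EOF
}

# Real use (flags as in the answers above):
#   keytool -list -rfc -alias 1 -keystore serverauth.jks | split_pem_chain chain
```

The first file is the server certificate and each following file is the next certificate up the chain, in the order keytool lists them.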