keytool -list -v and keytool -list return different outputs

Question

When I execute this command:

keytool -list -keystore %JAVA_HOME%/jre
/lib/security/cacerts

I received this output:

ascom-ws, 27.05.2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9

from which I understand that this certificate is a SHA1 certificate.

However when I execute this command:

keytool -list -v -keystore %JAVA_HOME%/jre
/lib/security/cacerts

I receive this output:

Alias name: ascom-ws
Creation date: 27.05.2016
Entry type: trustedCertEntry

Owner: CN=*.ascom-ws.com, O=Ascom (Sweden) AB, L=Gothenburg, ST=Gothenburg, C=SE
Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: fb34f8c44b6d2cb3f92593f8fe7e67d
Valid from: Tue Oct 06 02:00:00 CEST 2015 until: Fri Dec 14 13:00:00 CET 2018
Certificate fingerprints:
     MD5:  A4:8E:49:4F:2C:10:C6:94:80:C5:6A:DC:13:72:CF:F0
     SHA1: 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9
     SHA256: 2D:24:07:41:C0:1B:9D:70:DF:CB:13:0A:C9:18:1B:A4:12:25:B7:53:C7:99:09:ED:2F:E2:CA:12:3A:BF:F8:4A
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 51 68 FF 90 AF 02 07 75   3C CC D9 65 64 62 A2 12  Qh.....u<..edb..
0010: B8 59 72 3B                                        .Yr;
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/sha2-ha-server-g4.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/sha2-ha-server-g4.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.ascom-ws.com
  DNSName: ascom-ws.com
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 67 8B 3F 98 ED 79 21 03   59 95 82 CC FE 4A EA DF  g.?..y!.Y....J..
0010: F8 C3 55 7C                                        ..U.
]
]

from which I understand that this certificate is a SHA2 certificate. Is that right?

EmCode · Accepted Answer

When you look more in detail you can see that when you use the verbose option -v you also have the result you get without the option verbose :

Certificate fingerprints:
     MD5:  A4:8E:49:4F:2C:10:C6:94:80:C5:6A:DC:13:72:CF:F0
    ---> SHA1: 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9
     SHA256: 2D:24:07:41:C0:1B:9D:70:DF:CB:13:0A:C9:18:1B:A4:12:25:B7:53:C7:99:09:ED:2F:E2:CA:12:3A:BF:F8:4A
     Signature algorithm name: SHA256withRSA
     Version: 3

The -v option really only show you more information.

so you can see that the signature algorithm here is SHA256withRSA

but the signature is not the certificate type.

The certificate is probably a X.509 certificate

keytool -list -v and keytool -list return different outputs

Answers (2)

Related Questions