
Remove alias from cacerts file [collection of trusted certificate authority (CA) certificates] - jdk 11

I am using Linux and I want to remove the reference to a certificate (ie its alias) from the cacerts file, which is a collection of trusted certificate authority (CA) certificates. But I don't remember the name of the alias.
Below is the JDK information:

openjdk version "11.0.12" 2021-07-20 LTS 
OpenJDK Runtime Environment Corretto-11.0.12.7.1 (build 11.0.12+7-LTS) 
OpenJDK 64-Bit Server VM Corretto-11.0.12.7.1 (build 11.0.12+7-LTS, mixed mode)

When I list the entries from cacerts with keytool, it shows the type of output below.

keytool -list -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit

Output

verisignclass3publicprimarycertificationauthority-g3, Apr 2, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1:B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44
verisignclass3publicprimarycertificationauthority-g4, Apr 2, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79
verisignclass3publicprimarycertificationauthority-g5, Apr 2, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99:89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF
verisignuniversalrootcertificationauthority, Apr 2, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C
xrampglobalcaroot, Apr 2, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2

My question is: how can I remove an alias from the cacerts file when I don't remember the alias name? Is there any other pointer I can use to know which entry to delete from cacerts?

The fact you're mentioning /etc/pki/ca-trust/extracted/java/cacerts suggests you're using a cacerts file managed by your Linux distribution (presumably based on RedHat/CentOS).

Removing the specific certificate from that cacerts file is indeed possible with keytool manually. However, that file is likely to be regenerated the next time update-ca-trust is executed (automatically, eg on a package upgrade), and the certificate may or may not be placed back into it.

When using the distribution-managed cacerts file, it's generally better to use the distribution's mechanism.

On RedHat/CentOS-based distributions, this can be done by managing individual certificates in /etc/pki/ca-trust/source/anchors/ and using update-ca-trust.

On Debian/Ubuntu-based distributions, there is an equivalent with certificates in /usr/share/ca-certificates, assuming the ca-certificates-java package is installed (and then, you can run update-ca-certificates).


As a side-note, you've tagged your question with client-certificate .

Client-certificates (and more so their matching private key, ie PrivateKeyEntry entries) normally don't belong in the cacerts file at all, which is a "keystore" used as a "truststore" (typically used as the default truststore for all Java applications running on that system). Those belong to a "keystore used as a keystore", not a "keystore used as a truststore" (which shouldn't contain private keys).

If you want to delete a certificate reference from the cacerts entries via its alias name but have forgotten the alias name, then another pointer in the cacerts file is the certificate fingerprint. Check the fingerprint of the certificate and find it among the cacerts entries. Here is a full example. First list the entries from the certificate keystore.

keytool -list -keystore ./keystore.pfx

It will show output like this:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

te-b6b910d1-a1e2-4a51-b3c8-2c0199d393a3, Dec 7, 2022, PrivateKeyEntry, Certificate fingerprint (SHA-256): 37:01:C3:18:96:D9:54:A3:F6:B6:75:39:2A:5C:61:F9:EF:41:21:4C:E5:BF:6B:37:70:6C:EB:4F:50:3F:90:EB

Note down the fingerprint value, ie 37:01:C3:18:96:D9:54:A3:F6:B6:75:39:2A:5C:61:F9:EF:41:21:4C:E5:BF:6B:37:70:6C:EB:4F:50:3F:90:EB

Now list the cacerts entries into a text file.

keytool -list -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit > output.txt

Now open the text file with some editor, eg vi or vim or nano, and search for the fingerprint value. In this file you will see the two lines below:

mykey, May 20, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 37:01:C3:18:96:D9:54:A3:F6:B6:75:39:2A:5C:61:F9:EF:41:21:4C:E5:BF:6B:37:70:6C:EB:4F:50:3F:90:EB

Now you have found the alias name, ie mykey. So you can delete the certificate entry from cacerts with the command below:

keytool -delete -alias mykey -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit --noprompt

If you run the above command again, it will show the error below:

keytool error: java.lang.Exception: Alias <mykey> does not exist.

So with this example you are now able to find the alias name in cacerts using the fingerprint, and to delete that alias from the cacerts entries.
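The fingerprint lookup described in this answer (and the caveat from the earlier answer that a distribution-managed cacerts may be regenerated by update-ca-trust) can be scripted so the alias is found and deleted without opening the listing in an editor. The following is an added example, not code from either answer: it parses `keytool -list` output, matching fingerprints case- and colon-insensitively, and works for both the two-line layout JDK 11 prints and a listing that has been flattened onto one line per entry. The sample listing is constructed from the fingerprints shown on this page; `cert_fingerprint` assumes a PEM-encoded certificate and `openssl` on the PATH, and `delete_by_fingerprint` assumes `keytool` on the PATH. On JDK 8, `keytool -list` labels fingerprints `(SHA1)` rather than `(SHA-256)`, so the pattern would need adjusting there.

```shell
#!/bin/sh
# Added example (not from the original answers): locate a cacerts alias by
# certificate fingerprint and delete it with keytool.

# Constructed sample of `keytool -list` output in the JDK 11 two-line layout.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

verisignclass3publicprimarycertificationauthority-g3, Apr 2, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1:B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44
mykey, May 20, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 37:01:C3:18:96:D9:54:A3:F6:B6:75:39:2A:5C:61:F9:EF:41:21:4C:E5:BF:6B:37:70:6C:EB:4F:50:3F:90:EB'

# Normalise a fingerprint for comparison: drop colons and spaces, upper-case hex.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# alias_for_fingerprint LISTING FINGERPRINT
# Prints the alias whose entry carries FINGERPRINT and returns 0;
# prints nothing and returns 1 if no entry matches.
alias_for_fingerprint() {
    listing=$1
    want=$(norm_fp "$2")
    printf '%s\n' "$listing" | awk -v want="$want" '
        # Alias line: "<alias>, <date>, <entry type>," (may share a line with the fingerprint)
        /, (trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),/ {
            alias = $0; sub(/,.*/, "", alias)
        }
        # Fingerprint line: everything after "(SHA-256): " is the hex, compare normalised
        /Certificate fingerprint \(SHA-256\):/ {
            fp = $0; sub(/.*\(SHA-256\): */, "", fp)
            gsub(/[: \r]/, "", fp); fp = toupper(fp)
            if (fp == want) { print alias; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# cert_fingerprint FILE
# SHA-256 fingerprint of a PEM certificate, in the same colon-separated form keytool prints.
# Assumes openssl on the PATH; add "-inform DER" for a DER-encoded file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# delete_by_fingerprint KEYSTORE STOREPASS FINGERPRINT
# Lists the live keystore, resolves the alias, and removes it with keytool.
# Assumes keytool on the PATH. On a distribution-managed cacerts the deletion
# may be undone by the next update-ca-trust / update-ca-certificates run.
delete_by_fingerprint() {
    ks=$1
    pass=$2
    listing=$(keytool -list -keystore "$ks" -storepass "$pass") || return 1
    alias=$(alias_for_fingerprint "$listing" "$3") || {
        echo "no entry with fingerprint $3 in $ks" >&2
        return 1
    }
    echo "deleting alias '$alias' from $ks" >&2
    keytool -delete -alias "$alias" -keystore "$ks" -storepass "$pass" -noprompt
}

# Usage (hypothetical paths):
#   delete_by_fingerprint /etc/pki/ca-trust/extracted/java/cacerts changeit "$(cert_fingerprint ./mycert.pem)"
```

`alias_for_fingerprint` is the piece worth keeping: it accepts either a `keytool`-style colon-separated fingerprint or the bare lowercase hex that `sha256sum` or a browser shows, so the same function works whichever source the fingerprint came from. For a distribution-managed truststore, prefer the anchor directory and update tool from the earlier answer over `delete_by_fingerprint`, which only edits the extracted file.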
