To view the contents of a keystore in PKCS12 format, run the openssl command, shown here on the truststore of a ForgeRock Directory Services installation (the evolution of OpenDJ):
openssl pkcs12 -nokeys \
-info \
-in /etc/opendj/config/keystore \
-passin file:/etc/opendj/config/keystore.pin
Here keystore.pin is the file that contains the keystore password.
You can also specify the password directly on the command line, where it is visible in the shell history and in the process list:
openssl pkcs12 -nokeys \
-info \
-in /etc/opendj/config/keystore \
-passin pass:aIeVO9Jt2P8+fgpRXLgdf1cGQsTAmVhCIk4zm0e6fGKRQjgvyyc/ttSMC8V3vpTBPOA=
This shows the certificates in the keystore but not the keys, because the '-nokeys' option was specified:
MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Certificate bag
Bag Attributes
friendlyName: ssl-key-pair
localKeyID: 54 69 6D 65 20 31 36 36 34 35 36 32 36 39 36 33 32 35
subject=O = ForgeRock.com, CN = DS
issuer=O = ForgeRock.com, CN = Deployment key
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: ca-cert
2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=O = ForgeRock.com, CN = Deployment key
issuer=O = ForgeRock.com, CN = Deployment key
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: master-key
localKeyID: 54 69 6D 65 20 31 36 36 34 35 36 32 36 39 36 33 37 38
subject=O = ForgeRock.com, CN = Master key
issuer=O = ForgeRock.com, CN = Master key
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
If we do not specify the '-nokeys' option, we are asked for the passphrase, if the private key has one, and the output includes the private key in addition to the certificate for each entry in the keystore that has a private key:
MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Bag Attributes
friendlyName: ssl-key-pair
localKeyID: 54 69 6D 65 20 31 36 36 34 35 36 32 36 39 36 33 32 35
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIGrMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAi4Y30qoa2puQICCAAw
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEMJ6WoJz+dz0kBEwxphSgwcEUKe1
jV1A8QkxPC+6mrS+RhavFmy89MLD0XMXR6XRYUVECrF5TVoL+IkMqDc//XkSb/uG
nfdjeKbx75rA877fBYuzh/r9Qu4qpmQzXkm5RQ91
-----END ENCRYPTED PRIVATE KEY-----
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Bag Attributes
friendlyName: master-key
localKeyID: 54 69 6D 65 20 31 36 36 34 35 36 32 36 39 36 33 37 38
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Certificate bag
Bag Attributes
friendlyName: ssl-key-pair
localKeyID: 54 69 6D 65 20 31 36 36 34 35 36 32 36 39 36 33 32 35
subject=O = ForgeRock.com, CN = DS
issuer=O = ForgeRock.com, CN = Deployment key
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: ca-cert
2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=O = ForgeRock.com, CN = Deployment key
issuer=O = ForgeRock.com, CN = Deployment key
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: master-key
localKeyID: 54 69 6D 65 20 31 36 36 34 35 36 32 36 39 36 33 37 38
subject=O = ForgeRock.com, CN = Master key
issuer=O = ForgeRock.com, CN = Master key
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
In this example you can see the private keys of the certificates named 'master-key' and 'ssl-key-pair', which belong to the Directory Services installation and whose passphrase I know since I specified it during the installation. The keystore does not contain the private key of the ca-cert certificate of ForgeRock.com, since it belongs to ForgeRock.com and they do not make it public by adding it to the truststore of the Directory Services installation.
Never distribute a PKCS12 or other keystore that contains private keys you must protect, let alone one without a passphrase. Always analyze what the keystore should contain in each case.
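One way to do that analysis before handing a keystore to anyone, as an added example that is not part of the original page: the script lists which entries carry a private key using only the '-nokeys' output, so no key material is printed. The function names p12_inventory, p12_audit and sample_info are hypothetical, and the sample input is constructed to mirror the output shown above.

```sh
#!/bin/sh
# Added example, not from the original page: inventory a PKCS12 keystore from
# `openssl pkcs12 -info -nokeys` output only, so no private key is printed.

# Reads that output on stdin; prints "<friendlyName> has-key|cert-only" per
# certificate, then "keybags=N". Assumption: a certificate whose bag carries
# a localKeyID is paired with a private key, as in the page's sample output.
p12_inventory() {
    awk '
        function flush() {
            if (inbag) print name, (haskey ? "has-key" : "cert-only")
            inbag = 0
        }
        /^[ \t]*(Shrouded Keybag|Key bag)/ { keybags++ }
        /^[ \t]*Bag Attributes/ { flush(); inbag = 1; haskey = 0; name = "(unnamed)" }
        inbag && /friendlyName:/ { sub(/^.*friendlyName:[ \t]*/, ""); name = $0 }
        inbag && /localKeyID:/   { haskey = 1 }
        END { flush(); print "keybags=" (keybags + 0) }
    '
}

# Real use: $1 = keystore, $2 = file holding the keystore password.
# 2>&1 because openssl writes the structure lines (key bags) to stderr.
p12_audit() {
    openssl pkcs12 -info -nokeys -in "$1" -passin "file:$2" 2>&1 | p12_inventory
}

# Constructed sample, shaped like the -nokeys output shown above.
sample_info() {
    cat <<'EOF'
MAC: sha1, Iteration 100000
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    friendlyName: ssl-key-pair
    localKeyID: 54 69 6D 65 20 31
Certificate bag
Bag Attributes
    friendlyName: ca-cert
Certificate bag
Bag Attributes
    friendlyName: master-key
    localKeyID: 54 69 6D 65 20 32
EOF
}

sample_info | p12_inventory
```

A keystore meant for distribution as a truststore should report keybags=0 and only cert-only entries.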