
Java Keystore Scanner

The Java Keystore Scanner opens JKS and PKCS#12 keystore files to extract all certificates, private keys, and symmetric keys stored within.

It supports Java KeyStore (JKS) and PKCS#12 (.p12/.pfx) files as used by Java applications, Tomcat, Spring Boot services, and other JVM-based systems.

  1. Opens the keystore file using the provided password
  2. Iterates all aliases in the keystore
  3. For trustedCertEntry aliases: extracts the certificate
  4. For privateKeyEntry aliases: extracts the certificate chain and private key
  5. For secretKeyEntry aliases: extracts symmetric key metadata (algorithm, key size)
  6. Establishes parent-child relationships between the keystore and its contained assets
```yaml
scanners:
  java-keystore:
    - paths:
        - /opt/app/keystore.p12
        - /opt/tomcat/conf/server.jks
      password: changeit
```
| Parameter | Required | Default | Description |
|---|---|---|---|
| `paths` | Yes | | List of keystore file paths |
| `password` | Yes | | Keystore password |
| Asset Type | What's Captured |
|---|---|
| `certificate` | subject, issuer, serialNumber, signatureAlgorithm, validity dates, alias name, entry type |
| `private-key` | algorithm, key size, alias name, associated certificate chain |
| `public-key` | algorithm, key size (extracted from certificates) |
| `symmetric-key` | algorithm (AES, DESede, etc.), key size, alias name |

Assets discovered from the same keystore are linked via the parentFingerprint field, which is set to the keystore’s own fingerprint. This creates a containedIn relationship, making it easy to see which assets belong to which keystore.

```text
keystore.p12 (parent)
├── certificate: CN=api.example.com (alias: server)
├── private-key: RSA-2048 (alias: server)
├── certificate: CN=Corp CA (alias: ca-root)
└── symmetric-key: AES-256 (alias: encryption-key)
```
  • Certificates: SHA-256 of DER-encoded bytes
  • Private keys: SHA-256 of PKCS#8-encoded key bytes
  • Symmetric keys: SHA-256 of alias + algorithm + key size (key material is not exported)
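As an added example (not the scanner's own source, which this page does not show), the program below walks steps 1 to 6 with the standard `java.security.KeyStore` API on Java 17+ and applies the three fingerprint rules above. Assumptions: the keystore's own fingerprint is the SHA-256 of the file bytes, key entries are protected by the keystore password, and the symmetric-key hash input joins alias, algorithm and size with `|`.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.Collections;
import java.util.HexFormat;

public class KeystoreInventory {
    // "sha256:" + hex(SHA-256(bytes)), the fingerprint scheme described above.
    static String fp(byte[] data) throws Exception {
        return "sha256:" + HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
    }
    // Key size in bits: RSA modulus length, otherwise the raw encoded length (e.g. AES-256 -> 256).
    static int bits(Key k) {
        if (k instanceof RSAKey r) return r.getModulus().bitLength();
        return k.getEncoded() == null ? -1 : k.getEncoded().length * 8;
    }
    static void report(String type, String alias, String entry, String detail, String fp, String parent) {
        System.out.printf("%-13s %s alias=%s entryType=%s fingerprint=%s parentFingerprint=%s%n", type, detail, alias, entry, fp, parent);
    }
    public static void main(String[] args) throws Exception {
        Path path = Path.of(args[0]); char[] pw = args[1].toCharArray(); // e.g. /opt/app/keystore.p12 and its password
        // Step 1: open the store. Assumption: the keystore's own (parent) fingerprint is SHA-256 over the file bytes.
        String parent = fp(Files.readAllBytes(path));
        KeyStore ks = KeyStore.getInstance(path.toString().endsWith(".jks") ? "JKS" : "PKCS12");
        try (InputStream in = Files.newInputStream(path)) { ks.load(in, pw); }
        // Step 2: iterate every alias and classify it (steps 3-5); each asset carries the parent fingerprint (step 6).
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                // Step 3: trustedCertEntry -> one certificate, fingerprinted over its DER encoding.
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                report("certificate", alias, "trustedCertEntry", "subject=" + c.getSubjectX500Principal(), fp(c.getEncoded()), parent);
            } else if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                // Step 4: privateKeyEntry -> the key (PKCS#8 bytes, assumed to be protected by the keystore password) plus its chain.
                Key key = ks.getKey(alias, pw);
                report("private-key", alias, "privateKeyEntry", key.getAlgorithm() + "-" + bits(key), fp(key.getEncoded()), parent);
                for (var c : ks.getCertificateChain(alias))
                    report("certificate", alias, "privateKeyEntry", "subject=" + ((X509Certificate) c).getSubjectX500Principal(), fp(c.getEncoded()), parent);
            } else if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
                // Step 5: secretKeyEntry -> metadata only; the hash covers alias + algorithm + size, never the key bytes.
                Key key = ks.getKey(alias, pw);
                String meta = alias + "|" + key.getAlgorithm() + "|" + bits(key); // "|" separator is an assumption
                report("symmetric-key", alias, "secretKeyEntry", key.getAlgorithm() + "-" + bits(key), fp(meta.getBytes(StandardCharsets.UTF_8)), parent);
            }
        }
    }
}
```

Run it as `java KeystoreInventory /opt/tomcat/conf/server.jks changeit`; a hit on a default password such as `changeit` is itself a finding worth recording alongside the inventory.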
  • Inventory all certificates and keys inside Java application keystores
  • Find keystores with default passwords (changeit, password, etc.)
  • Detect expired certificates in Tomcat or Spring Boot keystores before they cause outages
  • Track symmetric keys used for application-level encryption
```json
{
  "type": "certificate",
  "fingerprint": "sha256:c3d4e5f6a7b8...",
  "subject": "CN=api.example.com, O=Example Corp",
  "issuer": "CN=Corp Issuing CA",
  "signatureAlgorithm": "SHA256withRSA",
  "notValidBefore": "2024-01-01T00:00:00Z",
  "notValidAfter": "2025-01-01T00:00:00Z",
  "alias": "server-cert",
  "entryType": "privateKeyEntry",
  "parentFingerprint": "sha256:keystore-fingerprint...",
  "source": {
    "scanner": "java-keystore",
    "filePath": "/opt/app/keystore.p12",
    "keystoreType": "PKCS12"
  }
}
```
