2016-05-31

keytool -list -v and keytool -list return different output

When I execute this command:

keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts

I receive this output:

ascom-ws, 27.05.2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9 

From this I understand that this certificate is a SHA1 certificate.

However, when I execute this command:

keytool -list -v -keystore %JAVA_HOME%/jre/lib/security/cacerts

I receive this output:

Alias name: ascom-ws 
Creation date: 27.05.2016 
Entry type: trustedCertEntry 

Owner: CN=*.ascom-ws.com, O=Ascom (Sweden) AB, L=Gothenburg, ST=Gothenburg, C=SE 
Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US 
Serial number: fb34f8c44b6d2cb3f92593f8fe7e67d 
Valid from: Tue Oct 06 02:00:00 CEST 2015 until: Fri Dec 14 13:00:00 CET 2018 
Certificate fingerprints: 
    MD5: A4:8E:49:4F:2C:10:C6:94:80:C5:6A:DC:13:72:CF:F0 
    SHA1: 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9 
    SHA256: 2D:24:07:41:C0:1B:9D:70:DF:CB:13:0A:C9:18:1B:A4:12:25:B7:53:C7:99:09:ED:2F:E2:CA:12:3A:BF:F8:4A 
    Signature algorithm name: SHA256withRSA 
    Version: 3 

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false 
AuthorityInfoAccess [ 
    [ 
    accessMethod: ocsp 
    accessLocation: URIName: http://ocsp.digicert.com 
, 
    accessMethod: caIssuers 
    accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt 
] 
] 

#2: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: 51 68 FF 90 AF 02 07 75 3C CC D9 65 64 62 A2 12 Qh.....u<..edb.. 
0010: B8 59 72 3B          .Yr; 
] 
] 

#3: ObjectId: 2.5.29.19 Criticality=true 
BasicConstraints:[ 
    CA:false 
    PathLen: undefined 
] 

#4: ObjectId: 2.5.29.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://crl3.digicert.com/sha2-ha-server-g4.crl] 
, DistributionPoint: 
    [URIName: http://crl4.digicert.com/sha2-ha-server-g4.crl] 
]] 

#5: ObjectId: 2.5.29.32 Criticality=false 
CertificatePolicies [ 
    [CertificatePolicyId: [2.16.840.1.114412.1.1] 
[PolicyQualifierInfo: [ 
    qualifierID: 1.3.6.1.5.5.7.2.1 
    qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di 
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53  gicert.com/CPS 

]] ] 
    [CertificatePolicyId: [2.23.140.1.2.2] 
[] ] 
] 

#6: ObjectId: 2.5.29.37 Criticality=false 
ExtendedKeyUsages [ 
    serverAuth 
    clientAuth 
] 

#7: ObjectId: 2.5.29.15 Criticality=true 
KeyUsage [ 
    DigitalSignature 
    Key_Encipherment 
] 

#8: ObjectId: 2.5.29.17 Criticality=false 
SubjectAlternativeName [ 
    DNSName: *.ascom-ws.com 
    DNSName: ascom-ws.com 
] 

#9: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: 67 8B 3F 98 ED 79 21 03 59 95 82 CC FE 4A EA DF g.?..y!.Y....J.. 
0010: F8 C3 55 7C          ..U. 
] 
] 

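From this I understand that this certificate is a SHA2 certificate. Is that right?

Answers

0

When you look more closely, you can see that when you use the verbose option -v you also get the result you had without the verbose option: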

Certificate fingerprints: 
    MD5: A4:8E:49:4F:2C:10:C6:94:80:C5:6A:DC:13:72:CF:F0 
    ---> SHA1: 0D:45:B8:00:6D:94:81:DB:4F:60:D4:6E:E5:3B:5D:F6:B9:4C:D2:F9 
    SHA256: 2D:24:07:41:C0:1B:9D:70:DF:CB:13:0A:C9:18:1B:A4:12:25:B7:53:C7:99:09:ED:2F:E2:CA:12:3A:BF:F8:4A 
    Signature algorithm name: SHA256withRSA 
    Version: 3 

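The -v option really just gives you more information.

So you can see that the signature algorithm here is SHA256withRSA.

But the signature is not the certificate type.

The certificate is probably an X.509 certificate.

2

The fingerprint does not define the certificate type; it is a (one-way) hash of the entire certificate in DER format (SHA-1, MD5, etc.). To know the certificate signature type, look at the signature algorithm name (public key + digest algorithm). In this case, your certificate signature is a SHA2 signature (SHA256 with an RSA public key), but your certificate type is (trusted certificate entry) X.509 with an RSA public key.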
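
The distinction both answers draw, as an added example (not code from the question or the answers): the fingerprint is a hash the viewing tool computes over the whole DER encoding with whatever digest it likes, while the signature algorithm is a field stored inside the certificate. The DER blob below is a constructed, certificate-shaped placeholder rather than a real certificate, and all helper names are hypothetical.

```python
import hashlib

# Constructed subset of signature-algorithm OIDs, enough for this illustration.
SIG_ALGS = {"1.2.840.113549.1.1.5": "SHA1withRSA",
            "1.2.840.113549.1.1.11": "SHA256withRSA"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes (first arc 0 or 1 only)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Read the field stored in Certificate ::= SEQUENCE {tbs, alg, sig}."""
    _, start, _ = read_tlv(der, 0)            # outer SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # skip tbsCertificate
    tag, alg_start, _ = read_tlv(der, tbs_end)
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a certificate-shaped DER structure")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_ALGS.get(oid, oid)

def fingerprint(der, algo):
    """Hash of the entire DER encoding; the digest is the viewer's choice."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def tlv(tag, body):
    return bytes([tag, len(body)]) + body     # short-form lengths only

def sample_certificate(sig_oid_hex="2a864886f70d01010b"):
    """Constructed placeholder: dummy tbs, real OID, dummy signature bits."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01")) + alg + tlv(0x03, b"\x00" + b"\xaa" * 8))

if __name__ == "__main__":
    cert = sample_certificate()
    print("Signature algorithm (stored in cert):", signature_algorithm(cert))
    for algo in ("sha1", "sha256"):           # both are valid fingerprints of the same bytes
        print(f"{algo.upper()} fingerprint (computed by tool):", fingerprint(cert, algo))
```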