Creating an X509 Certificate in Java without BouncyCastle?

by

Yes, but not with publicly documented classes. I’ve documented the process in this article.

import sun.security.x509.*;
import java.security.cert.*;
import java.security.*;
import java.math.BigInteger;
import java.util.Date;
import java.io.IOException

/** 
 * Create a self-signed X.509 Certificate
 * @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
 * @param pair the KeyPair
 * @param days how many days from now the Certificate is valid for
 * @param algorithm the signing algorithm, eg "SHA1withRSA"
 */ 
X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
  throws GeneralSecurityException, IOException
{
  PrivateKey privkey = pair.getPrivate();
  X509CertInfo info = new X509CertInfo();
  Date from = new Date();
  Date to = new Date(from.getTime() + days * 86400000l);
  CertificateValidity interval = new CertificateValidity(from, to);
  BigInteger sn = new BigInteger(64, new SecureRandom());
  X500Name owner = new X500Name(dn);
 
  info.set(X509CertInfo.VALIDITY, interval);
  info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
  info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
  info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
  info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
  info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
  AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
  info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
 
  // Sign the cert to identify the algorithm that's used.
  X509CertImpl cert = new X509CertImpl(info);
  cert.sign(privkey, algorithm);
 
  // Update the algorith, and resign.
  algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
  info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
  cert = new X509CertImpl(info);
  cert.sign(privkey, algorithm);
  return cert;
}   

Edit 2021 – unfortunately this approach won’t work under Java 17, as the sun.* hierarchy can’t be accessed. So it’s back to BouncyCastle or a roll-your own ASN.1 serializer.

More Related Contents:

  1. How to avoid installing “Unlimited Strength” JCE policy files when deploying an application?
  2. InvalidKeyException Illegal key size
  3. Trust Store vs Key Store – creating with keytool
  4. How to extract CN from X509Certificate in Java?
  5. Importing the private-key/public-certificate pair in the Java KeyStore [duplicate]
  6. Hash String via SHA-256 in Java
  7. Checking if Unlimited Cryptography is available
  8. How to create a secure random AES key in Java?
  9. How to get server certificate chain then verify it’s valid and trusted in Java
  10. Generating X509 Certificate using Bouncy Castle Java
  11. java.security.NoSuchAlgorithmException:Cannot find any provider supporting AES/ECB/PKCS7PADDING
  12. How to create a X509 certificate using Java?
  13. PKCS12 Java Keystore from CA and User certificate in java
  14. Generate Subject Hash of X509Certificate in Java
  15. Android studio error in stack trace
  16. When should we use intern method of String on String literals
  17. Encode String to UTF-8
  18. Interfaces with static fields in java for sharing ‘constants’
  19. What is the point of setters and getters in java? [duplicate]
  20. Handling soft-deletes with Spring JPA
  21. No enclosing instance of type Server is accessible
  22. Collections.emptyList() vs. new instance
  23. org.openqa.selenium.WebDriverException: unknown error: call function result missing ‘value’
  24. Why would an Enum implement an Interface?
  25. How can a Java variable be different from itself?
  26. How to get the URL fragment identifier from HttpServletRequest
  27. Check if one list contains element from the other
  28. How to use SwingWorker?
  29. Easiest way to convert a Blob into a byte array
  30. Read an Image/file from External storage Android

Leave a Comment