What is CA certificate, and why do we need it?

A CA certificate is a digital certificate issued by a certificate authority (CA), so SSL clients (such as web browsers) can use it to verify the SSL certificates signed by this CA. For example, stackoverflow.com uses Let’s Encrypt to sign its servers, and SSL certificates sent by stackoverflow.com mention they are signed by Let’s Encrypt. … Read more

Using HTTPS with REST in Java

When you say “is there an easier way to… trust this cert”, that’s exactly what you’re doing by adding the cert to your Java trust store. And this is very, very easy to do, and there’s nothing you need to do within your client app to get that trust store recognized or utilized. On your … Read more

Self signed X509 Certificate with Bouncy Castle in Java

Using Bouncycastle latest version – 1.55 1.66 Update to the answer by @Bewusstsein. The bouncycastle classes are deprecated in the latest version as of this answer (5/11/2017). If you are using version 1.55 or later: public static Certificate selfSign(KeyPair keyPair, String subjectDN) throws OperatorCreationException, CertificateException, IOException { Provider bcProvider = new BouncyCastleProvider(); Security.addProvider(bcProvider); long now … Read more

How do I do TLS with BouncyCastle?

This is a very basic example, with server-only authentication and self-signed cert. The code is based on BC 1.49, mostly lightweight API: ServerSocket serverSocket = new ServerSocket(SERVER_PORT); final KeyPair keyPair = … final Certificate bcCert = new Certificate(new org.spongycastle.asn1.x509.Certificate[] { new X509V3CertificateStrategy().selfSignedCertificateHolder(keyPair).toASN1Structure()}); while (true) { Socket socket = serverSocket.accept(); TlsServerProtocol tlsServerProtocol = new TlsServerProtocol( socket.getInputStream(), … Read more

SecCertificateRef: How to get the certificate information?

I couldn’t wait for an answer to the bounty, so I found a solution myself. As others said, Security.framework doesn’t give you a way to get this information, so you need to ask OpenSSL to parse the certificate data for you: #import <openssl/x509.h> // … NSData *certificateData = (NSData *) SecCertificateCopyData(certificate); const unsigned char *certificateDataBytes … Read more

Generating RSA keys in PKCS#1 format in Java

You will need BouncyCastle: import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.util.io.pem.PemObject; import org.bouncycastle.util.io.pem.PemWriter; The code snippets below have been checked and found working with Bouncy Castle 1.52. Private key Convert private key from PKCS8 to PKCS1: PrivateKey priv = pair.getPrivate(); byte[] privBytes = priv.getEncoded(); PrivateKeyInfo pkInfo = PrivateKeyInfo.getInstance(privBytes); ASN1Encodable encodable = pkInfo.parsePrivateKey(); … Read more

Is it possible to programmatically generate an X509 certificate using only C#?

Just to clarify, an X.509 certificate does not contain the private key. The word certificate is sometimes misused to represent the combination of the certificate and the private key, but they are two distinct entities. The whole point of using certificates is to send them more or less openly, without sending the private key, which … Read more