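/**
 * Builds a sample V3 end-entity certificate signed by the supplied CA.
 *
 * <p>The issuer is taken from {@code caCert}, the validity window starts now and runs for
 * {@code VALIDITY_PERIOD} milliseconds, and the subject is the fixed test name
 * {@code CN=Test End Entity Certificate}. Basic Constraints (critical) mark the certificate as a
 * non-CA; Key Usage (critical) is limited to digital signature and key encipherment.
 *
 * @param entityKey public key to certify
 * @param caKey private key of the issuing CA, used to sign the certificate
 * @param caCert certificate of the issuing CA; supplies the issuer name and the authority key
 *     identifier
 * @return the signed end-entity certificate
 * @throws Exception if the certificate cannot be built or signed
 */
public static X509Certificate buildEndEntityCert(
    PublicKey entityKey, PrivateKey caKey, X509Certificate caCert) throws Exception {
  // Read the clock once so notBefore and notAfter are derived from the same instant.
  long now = System.currentTimeMillis();
  // NOTE(review): the serial number is a constant 1, so every certificate this CA issues shares
  // it. RFC 5280 requires issuer/serial uniqueness and serial-based revocation relies on it; this
  // is tolerable only for throwaway test fixtures. Production issuance needs a random serial with
  // at least 64 bits of CSPRNG entropy.
  X509v3CertificateBuilder certBldr =
      new JcaX509v3CertificateBuilder(
          caCert.getSubjectX500Principal(),
          BigInteger.valueOf(1),
          new Date(now),
          new Date(now + VALIDITY_PERIOD),
          new X500Principal("CN=Test End Entity Certificate"),
          entityKey);
  JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
  certBldr
      .addExtension(
          Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
      .addExtension(
          Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(entityKey))
      // cA=false: an end-entity certificate must not be usable to issue further certificates.
      .addExtension(Extension.basicConstraints, true, new BasicConstraints(false))
      .addExtension(
          Extension.keyUsage,
          true,
          new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
  // SHA-256 instead of SHA-1: SHA-1 signatures are rejected by current verifiers and TLS stacks.
  ContentSigner signer =
      new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(caKey);
  return new JcaX509CertificateConverter()
      .setProvider("BC")
      .getCertificate(certBldr.build(signer));
}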
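/**
 * Builds a sample V3 intermediate CA certificate signed by the supplied CA.
 *
 * <p>The issuer is taken from {@code caCert}; the subject is the fixed test name
 * {@code CN=Test CA Certificate}. Basic Constraints (critical) mark it as a CA with path length 0,
 * so it may issue end-entity certificates only; Key Usage (critical) allows digital signature,
 * certificate signing and CRL signing.
 *
 * @param intKey public key of the intermediate CA to certify
 * @param caKey private key of the issuing CA, used to sign the certificate
 * @param caCert certificate of the issuing CA; supplies the issuer name and the authority key
 *     identifier
 * @return the signed intermediate CA certificate
 * @throws Exception if the validity date cannot be parsed or the certificate cannot be built or
 *     signed
 */
public static X509Certificate buildIntermediateCert(
    PublicKey intKey, PrivateKey caKey, X509Certificate caCert) throws Exception {
  // NOTE(review): notAfter is the fixed date "2016-07-06 06:06:06", which is in the past, so the
  // certificates produced here are expired at creation. That is fine if this fixture exists to
  // exercise expiry handling; otherwise notAfter should be computed relative to now. The serial is
  // a constant 1 (not unique per issuer), and sdf is declared elsewhere — if it is a
  // SimpleDateFormat it is not thread-safe; confirm before sharing it across threads.
  X509v3CertificateBuilder certBldr =
      new JcaX509v3CertificateBuilder(
          caCert.getSubjectX500Principal(),
          BigInteger.valueOf(1),
          new Date(),
          sdf.parse("2016-07-06 06:06:06"),
          new X500Principal("CN=Test CA Certificate"),
          intKey);
  JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
  certBldr
      .addExtension(
          Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
      .addExtension(
          Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(intKey))
      // cA=true with pathLenConstraint=0: may sign leaf certificates but no further CAs.
      .addExtension(Extension.basicConstraints, true, new BasicConstraints(0))
      .addExtension(
          Extension.keyUsage,
          true,
          new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
  // SHA-256 instead of SHA-1: SHA-1 signatures are rejected by current verifiers and TLS stacks.
  ContentSigner signer =
      new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(caKey);
  return new JcaX509CertificateConverter()
      .setProvider("BC")
      .getCertificate(certBldr.build(signer));
}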
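/**
 * Adds the Basic Constraints extension described by {@code certificateField} to the builder.
 *
 * <p>When the field says the subject is not a CA the extension is encoded as {@code cA=false};
 * otherwise it is encoded as a CA carrying the field's path-length constraint. The criticality
 * flag is taken from the field as well. RFC 5280 requires this extension to be critical on CA
 * certificates, so callers should not leave the field's critical flag unset for CA subjects.
 *
 * @param certificateGenerator builder to add the extension to
 * @return the same builder, for chaining
 * @throws CertIOException if the extension cannot be encoded
 */
public X509v3CertificateBuilder applyExtension(X509v3CertificateBuilder certificateGenerator)
    throws CertIOException {
  // Cast once rather than repeating it in each branch.
  BasicConstraintField field = (BasicConstraintField) certificateField;
  BasicConstraints bc =
      field.getIsCA()
          ? new BasicConstraints(field.getPathLength())
          : new BasicConstraints(false);
  certificateGenerator.addExtension(
      X509Extension.basicConstraints, certificateField.getCritical(), bc);
  return certificateGenerator;
}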
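/**
 * Generates a version 3 {@link java.security.cert.X509Certificate} signed by the given CA.
 *
 * <p>The issuer name is copied from {@code caCert}'s encoded subject, the serial number is a
 * random positive 64-bit value, and the certificate is valid from now for 3 × 12 × 30 days. It
 * carries subject and authority key identifiers, Key Usage (digital signature, certificate and
 * CRL signing), Extended Key Usage (email protection, server authentication) and a critical Basic
 * Constraints extension with {@code cA=true, pathLenConstraint=0}.
 *
 * @param keyPair the key pair whose public key is certified
 * @param caPrivateKey the CA private key used to sign
 * @param caCert the CA certificate supplying the issuer name and the authority key identifier
 * @param subject the subject common name; emitted as {@code CN=subject}
 * @return the signed certificate
 * @throws RuntimeException wrapping any failure while building or signing the certificate
 * @throws Exception declared for source compatibility; all failures are rethrown as
 *     {@link RuntimeException}
 */
public static X509Certificate generateV3Certificate(
    KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert, String subject)
    throws Exception {
  try {
    X500Name subjectDN = new X500Name("CN=" + subject);

    // Serial number: RFC 5280 requires a positive integer unique per issuer, and current CA/B
    // Forum rules require at least 64 bits of CSPRNG output. Math.abs(nextInt()) gave only 31
    // bits and returns a negative value for Integer.MIN_VALUE; the loop rejects the (negligible)
    // zero case so the serial is strictly positive.
    SecureRandom random = new SecureRandom();
    BigInteger serialNumber;
    do {
      serialNumber = new BigInteger(64, random);
    } while (serialNumber.signum() == 0);

    // Validity: read the clock once so both bounds share the same instant.
    long now = System.currentTimeMillis();
    long validityMillis = 1000L * 60 * 60 * 24 * 30 * 12 * 3; // 3 "years" of 12 × 30 days
    Date notBefore = new Date(now);
    Date notAfter = new Date(now + validityMillis);

    // SubjectPublicKeyInfo of the entity being certified and of the issuer.
    SubjectPublicKeyInfo subjPubKeyInfo =
        SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    SubjectPublicKeyInfo issuerPubKeyInfo =
        SubjectPublicKeyInfo.getInstance(caCert.getPublicKey().getEncoded());

    X509v3CertificateBuilder certGen =
        new X509v3CertificateBuilder(
            // Reuse the issuer's DER-encoded DN rather than re-parsing its string form, which
            // can change attribute encodings and break issuer/subject name chaining.
            X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()),
            serialNumber,
            notBefore,
            notAfter,
            subjectDN,
            subjPubKeyInfo);

    // SHA-1 here only derives key identifiers (RFC 5280 §4.2.1.2, method 1); it is not a
    // security-relevant use of the hash.
    DigestCalculator digCalc =
        new BcDigestCalculatorProvider()
            .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
    X509ExtensionUtils x509ExtensionUtils = new X509ExtensionUtils(digCalc);

    // Subject Key Identifier: hash of the subject's own key.
    certGen.addExtension(
        Extension.subjectKeyIdentifier,
        false,
        x509ExtensionUtils.createSubjectKeyIdentifier(subjPubKeyInfo));
    // Authority Key Identifier: must hash the *issuer's* key so it matches the CA's SKI. The
    // previous code hashed the subject key, which makes path building fail to link to the CA.
    certGen.addExtension(
        Extension.authorityKeyIdentifier,
        false,
        x509ExtensionUtils.createAuthorityKeyIdentifier(issuerPubKeyInfo));
    // Key Usage (kept non-critical as before; RFC 5280 recommends critical when present).
    certGen.addExtension(
        Extension.keyUsage,
        false,
        new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
    // Extended Key Usage
    KeyPurposeId[] purposes = {
      KeyPurposeId.id_kp_emailProtection, KeyPurposeId.id_kp_serverAuth
    };
    certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(purposes));
    // Basic Constraints: CA with path length 0 (may sign end-entity certificates only).
    certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));

    // Content signer: SHA-256 instead of SHA-1, whose signatures current verifiers reject.
    ContentSigner sigGen =
        new JcaContentSignerBuilder("SHA256WithRSAEncryption")
            .setProvider("BC")
            .build(caPrivateKey);

    return new JcaX509CertificateConverter()
        .setProvider("BC")
        .getCertificate(certGen.build(sigGen));
  } catch (Exception e) {
    throw new RuntimeException("Error creating X509v3Certificate.", e);
  }
}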
/**
 * Builds a root certificate for {@code domain}.
 *
 * <p>The builder is obtained from {@code createX509v3CertificateBuilder}; this method only adds
 * a critical Basic Constraints extension with {@code cA=true} before handing the builder and the
 * pair's private key to {@code createX509Certificate} for signing. Because the same key pair
 * supplies the signing key, the result is presumably self-signed — confirm against the builder
 * factory, which is defined elsewhere.
 *
 * @param domain name passed to the builder factory
 * @param _keyPair key pair whose private key signs the certificate
 * @return the signed root certificate
 * @throws Exception if building or signing fails
 */
private X509Certificate buildRootCert(String domain, KeyPair _keyPair) throws Exception {
  X509v3CertificateBuilder builder = createX509v3CertificateBuilder(domain, _keyPair);
  // Critical cA=true: a root must be able to issue subordinate certificates.
  BasicConstraints caConstraint = new BasicConstraints(true);
  builder.addExtension(Extension.basicConstraints, true, caConstraint);
  return createX509Certificate(builder, _keyPair.getPrivate());
}