Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Create x.509 certificate using bouncycastle with certificate path (cert chain)

Tags:

java

ssl-certificate

x509certificate

x509

bouncycastle

Hy Guys! I'm trying to create x.509 certificate using bouncycastle, which should be signed by another certificate and store it PEM base 64 format.

I've already have self-signed certificate (public and private key). Now I want to create new one and sign it with existing self-signed certificate.

KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
keyPairGenerator.initialize(1024, new SecureRandom());
KeyPair keyPair = keyPairGenerator.generateKeyPair();

X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
X500Principal dnName = new X500Principal("CN=Sergey");
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setSubjectDN(dnName);
certGen.setIssuerDN(caCert.getSubjectX500Principal());
certGen.setNotBefore(validityBeginDate);
certGen.setNotAfter(validityEndDate);
certGen.setPublicKey(keyPair.getPublic());
certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");

certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.getPublic()));

X509Certificate cert = certGen.generate(caCertPrivateKey, "BC");

Verification passed without exceptions, which means from my point of view that it was successfully signed by caCert:

cert.verify(caCert.getPublicKey());

Then I decode it to the PEM base 64:

PEMWriter pemWriter = new PEMWriter(new PrintWriter(System.out));
pemWriter.writeObject(cert);
pemWriter.flush();

I get something like this in the output:

-----BEGIN CERTIFICATE-----

MIIDDjCCAnegAwIBAgIBFDAN........

-----END CERTIFICATE-----

When I open it, I see the next:

enter image description here

Why there is no certification chain if it was successfully signed by caCert?

What need to be changed in my code to see certification chain as I expected?

like image 230
Deplake Avatar asked Feb 28 '13 18:02

Deplake

1 Answers

I was able to find solution. Actually code works as expected. I didn't see chain of certificates because my caRoot certificate wasn't added to the trusted store. After I add my sel-signed certificate to the trusted root certified centers I see the whole certification chain as I expected.

like image 123
Deplake Avatar answered Oct 05 '22 23:10

Deplake
Sign in to Comment

Related questions

Can javac compile from stdin?
Java efficiency
How do I update the value of an @Autowired String bean in Spring?
Hierarchical mutex locks in Java
My ISP is forcing me to buffer tcp data before sending it
Java process on Mac OSX does not release socket
Using the gradle tomcat plugin
Is there a way to hot-deploy delta changes onto an Android device? [Say, like JRebel]
Store an ordering of Enums in Java
Is it possible to set ETags using JAX-RS without resorting to Response objects?
Serializing supplementary unicode characters into XML documents with Java
Is there an OpenGrok API? [closed]
Load MSCAPI Java Keystore without loading private keys (hard token)
How can I print/log entire body contents of MultiPartEntity that is being used by HTTPRequest?
Scala Type aliases for annotations
Multiple transactions in a single hibernate session (with Spring)
Why Guava does not provide a way to transform map keys
Is it okay to use Thread.sleep() in a loop in Java, to do something at regular intervals?
Write JUnit test for @ExceptionHandler
Run-time lookup for EJBs in MDB consuming immediately after deploy

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!