Creating a Key Pair Certificate and Signing It with External CA using BouncyCastle

Question

Here what I have so far generating a Certificate for a User

    try {
        Security.addProvider(new BouncyCastleProvider()); // adding provider
                                                            // to
        String pathtoSave = "D://sureshtest.cer";

        KeyPair keyPair = generateKeypair();
        PublicKey publicKey = keyPair.getPublic();
        PrivateKey privateKey = keyPair.getPrivate();
        X509Certificate trustCert = createCertificate(null, "CN=CompanyName",
                "CN=Owner", publicKey, privateKey);
        java.security.cert.Certificate[] outChain = { trustCert, };
        trustCert.checkValidity();
        KeyStore outStore = KeyStore.getInstance("PKCS12");
        outStore.load(null, null);
        outStore.setKeyEntry("my own certificate", privateKey,
                "admin123".toCharArray(), outChain);
        OutputStream outputStream = new FileOutputStream(pathtoSave);
        outStore.store(outputStream, "admin123".toCharArray());
        outputStream.flush();
        outputStream.close();


    } catch (Exception e) {
        e.printStackTrace();
    }

The above code generate a certificate with a private and public key.

Now I want to sign that certificate with a signing certificate I've been issued by a certificate authority (CA). After that I'll grant that certificate to user.

I got some input from here and it seems that is not the required answer with my case.

No need for a full implementation, just a valid procedure or some hints will greatly help.

Answer 1

You need to generate a CSR so you can invoke the code from Sign CSR using Bouncy Castle which is using the BC API. Add this to your code above:

        final PKCS10 request = new PKCS10(publicKey);
        final String sigAlgName = "SHA1WithRSA"; // change this to SHA1WithDSA if it's a DSA key
        final Signature signature = Signature.getInstance(sigAlgName);
        signature.initSign(privateKey);
        final X500Name subject = new X500Name(trustCert.getSubjectDN().toString());
        final X500Signer signer = new X500Signer(signature, subject);

        // Sign the request and base-64 encode it
        request.encodeAndSign(signer);
        final ByteArrayOutputStream baos = new ByteArrayOutputStream();
        final PrintStream writer = new PrintStream(baos);
        request.print(writer);
        // Remove -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----
        final String requestBase64 = new String(baos.toByteArray());
        String withoutTags = requestBase64.substring(41);
        withoutTags = withoutTags.substring(0, withoutTags.length() - 39);

        // org.bouncycastle.pkcs.PKCS10CertificationRequestHolder
        final PKCS10CertificationRequest holder = new PKCS10CertificationRequest(Base64.decode(withoutTags));
        // Feed this into https://stackoverflow.com/questions/7230330/sign-csr-using-bouncy-castle