Generating X509 Certificate using Bouncy Castle Java

Question

I am looking for an example or tutorial to generate X509 Certificates using BC in Java.

A lot of example are having/using deprecated API. I gave a look at BC, but it doesn't show which class does what or no proper documentation/example.

Please If any one you are having idea about it, please point me to a tutorial where I can use BC to generate X509 Certificates. [Generation and writing the public and private keys to files]

Answer 1

Creation of KeyPairGenerator:

private KeyPairGenerator createKeyPairGenerator(String algorithmIdentifier,
        int bitCount) throws NoSuchProviderException,
        NoSuchAlgorithmException {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance(
            algorithmIdentifier, BouncyCastleProvider.PROVIDER_NAME);
    kpg.initialize(bitCount);
    return kpg;
}

Creation of keyPair:

private KeyPair createKeyPair(String encryptionType, int byteCount)
    throws NoSuchProviderException, NoSuchAlgorithmException
{
    KeyPairGenerator keyPairGenerator = createKeyPairGenerator(encryptionType, byteCount);
    KeyPair keyPair = keyPairGenerator.genKeyPair();
    return keyPair;
}

KeyPair keyPair = createKeyPair("RSA", 4096);

Converting things to PEM (can be written to file):

  private String convertCertificateToPEM(X509Certificate signedCertificate) throws IOException {
    StringWriter signedCertificatePEMDataStringWriter = new StringWriter();
    JcaPEMWriter pemWriter = new JcaPEMWriter(signedCertificatePEMDataStringWriter);
    pemWriter.writeObject(signedCertificate);
    pemWriter.close();
    return signedCertificatePEMDataStringWriter.toString();
  }

Creation of X509Certificate:

X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
    serverCertificate, new BigInteger("1"),
    new Date(System.currentTimeMillis()),
    new Date(System.currentTimeMillis() + 30L * 365L * 24L * 60L * 60L * 1000L),
    jcaPKCS10CertificationRequest.getSubject(),
    jcaPKCS10CertificationRequest.getPublicKey()
/*).addExtension(
    new ASN1ObjectIdentifier("2.5.29.35"),
    false,
    new AuthorityKeyIdentifier(keyPair.getPublic().getEncoded())*/
).addExtension(
        new ASN1ObjectIdentifier("2.5.29.19"),
        false,
        new BasicConstraints(false) // true if it is allowed to sign other certs
).addExtension(
        new ASN1ObjectIdentifier("2.5.29.15"),
        true,
        new X509KeyUsage(
            X509KeyUsage.digitalSignature |
                X509KeyUsage.nonRepudiation   |
                X509KeyUsage.keyEncipherment  |
                X509KeyUsage.dataEncipherment));

Signing:

    ContentSigner sigGen = new JcaContentSignerBuilder("SHA256withRSA").build(signingKeyPair.getPrivate());


    X509CertificateHolder x509CertificateHolder = certificateBuilder.build(sigGen);
    org.spongycastle.asn1.x509.Certificate eeX509CertificateStructure =
      x509CertificateHolder.toASN1Structure();
    return eeX509CertificateStructure;
  }

  private X509Certificate readCertificateFromASN1Certificate(
    org.spongycastle.asn1.x509.Certificate eeX509CertificateStructure,
    CertificateFactory certificateFactory)
    throws IOException, CertificateException { //
    // Read Certificate
    InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
    X509Certificate signedCertificate =
      (X509Certificate) certificateFactory.generateCertificate(is1);
    return signedCertificate;
  }

CertificateFactory:

    certificateFactory = CertificateFactory.getInstance("X.509",
        BouncyCastleProvider.PROVIDER_NAME);

Answer 2

The X509v3CertificateBuilder seems like the class to use. There are some examples of using the new API on the bouncycastle wiki.