 

Is there a way to pretty print an X509Certificate?

I have a web page where I show the details of an SSL certificate which is being used with the server. I thought that toString() might be okay, but it looks like this:

  [0]         Version: 3
         SerialNumber: 117262955582477610212812061435665386300
             IssuerDN: CN=localhost
           Start Date: Wed Jun 13 15:15:05 EST 2012
           Final Date: Tue Jun 08 15:15:05 EST 2032
            SubjectDN: CN=localhost
           Public Key: DSA Public Key
            y: 6ef96c2ace616280c5453dda2[TRUNCATED BY ME]

  Signature Algorithm: SHA1withDSA
            Signature: 302c021450b1557d879a25ccf6b89e7ac6de8dc6
                       0b13df7e0214559cdc810cdb1faa3a645da837cd
                       5efdeb81d62e
       Extensions: 
                       critical(true) 2.5.29.17 value = DER Sequence
    Tagged [7] IMPLICIT 
        DER Octet String[4] 

The problem I have with it is the obscure representation of extensions. I would prefer to see "subjectAltNames" and the list of alternative names, like what I can see in my web browser when I look at the certificate info.

Is there some way to do this? I have the entirety of BouncyCastle on my class path so I had hoped I could find it in there, but I don't seem to be able to find it.

Worst comes to worst I know I can put time into getting all the bits and pieces out myself, but I don't know if I will miss an extension someone might expect to find in there.

Hakanai asked Jun 13 '12 05:06



2 Answers

Answering my own question with my own solution.

It turns out that this crappy toString() output only happens when using Sun's implementation of X509Certificate. When using BouncyCastle's, it looks a lot better (or more detailed, at least.)

It just turned out that we weren't initialising BC's provider before the page was rendered. Initialisation was delayed until we wanted to use it to actually generate a certificate and now that it's done on webapp startup, the toString() looks a lot better.

Hakanai answered Oct 10 '22 15:10


Pretty much all the "bits and pieces" should be available from the standard X509Certificate class:

  • http://docs.oracle.com/javase/6/docs/api/java/security/cert/X509Certificate.html

You should be able to pretty easily format whatever you want, however you want. You can also access and iterate through the "getIssuerAlternativeNames()" collection.

PS:

Here's an excellent link about implementing the X509Certificate class:

  • http://www.mayrhofer.eu.org/create-x509-certs-in-java

And here's a link from somebody who's using Bouncy Castle (the solution also involves the above link):

  • Generating X509Certificate using bouncycastle X509v3CertificateBuilder
paulsm4 answered Oct 10 '22 15:10
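
An added example, not code from the question or either answer: using only the standard `X509Certificate` accessors mentioned above, it lists every extension OID with its criticality (so an unfamiliar extension is shown by OID rather than silently dropped) and prints the subjectAltName entries by their RFC 5280 GeneralName type. The class name, the friendly-name table and the sample entries are constructed for illustration; it assumes Java 17 or later.

```java
import java.io.*;
import java.security.cert.*;
import java.util.*;

public class CertExtensionPrinter {   // Java 17+: HexFormat, instanceof patterns
    // GeneralName tag numbers from RFC 5280 section 4.2.1.6 (array index == tag).
    static final String[] GENERAL_NAME = { "otherName", "rfc822Name", "dNSName",
        "x400Address", "directoryName", "ediPartyName",
        "uniformResourceIdentifier", "iPAddress", "registeredID" };
    // Friendly names for common extension OIDs; anything else is shown by OID.
    static final Map<String, String> EXT_NAME = Map.of(
        "2.5.29.14", "subjectKeyIdentifier", "2.5.29.15", "keyUsage",
        "2.5.29.17", "subjectAltName", "2.5.29.19", "basicConstraints",
        "2.5.29.35", "authorityKeyIdentifier", "2.5.29.37", "extKeyUsage");
    static String formatAltNames(Collection<List<?>> names) {
        if (names == null) return "  (none)\n";   // extension absent
        StringBuilder sb = new StringBuilder();
        for (List<?> entry : names) {
            int tag = (Integer) entry.get(0);
            Object v = entry.get(1);   // String for most types, DER bytes for the rest
            String text = v instanceof byte[] der ? HexFormat.of().formatHex(der) : v.toString();
            String type = tag >= 0 && tag < GENERAL_NAME.length ? GENERAL_NAME[tag] : "tag " + tag;
            sb.append("  ").append(type).append(": ").append(text).append('\n');
        }
        return sb.toString();
    }
    static String formatExtensions(X509Certificate cert) {
        StringBuilder sb = new StringBuilder();
        Set<String> critical = cert.getCriticalExtensionOIDs();   // null: no extensions
        Set<String> other = cert.getNonCriticalExtensionOIDs();
        SortedMap<String, String> all = new TreeMap<>();
        if (critical != null) critical.forEach(o -> all.put(o, "critical"));
        if (other != null) other.forEach(o -> all.put(o, "non-critical"));
        all.forEach((oid, flag) -> sb.append("  ").append(EXT_NAME.getOrDefault(oid, "unrecognised"))
            .append(" (").append(oid).append(") ").append(flag).append('\n'));
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        if (args.length == 0) {   // constructed sample: tag 7 as in the dump, plus a dNSName
            System.out.print(formatAltNames(List.of(List.of(7, "127.0.0.1"), List.of(2, "localhost"))));
            return;
        }
        try (InputStream in = new FileInputStream(args[0])) {   // PEM or DER certificate file
            X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.print("Extensions:\n" + formatExtensions(cert)
                + "subjectAltName:\n" + formatAltNames(cert.getSubjectAlternativeNames()));
        }
    }
}
```

Run with no arguments to print the constructed sample, or pass the path of a certificate file to print that certificate's extensions.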