/**
 * Builds an intermediate certificate for the public half of {@code keyPair}, has it
 * generated with {@code caPrivKey}, and self-checks the result before returning it.
 *
 * <p>The issuer name is taken from {@code caCert}'s subject. The subject name carries only
 * an OU ({@code INTERMEDIATE_CERT_OU}) and an e-mail address ({@code CERT_EMAIL}).
 * Subject-key-id, authority-key-id and basic-constraints extensions are added through the
 * generator helper.
 *
 * <p>NOTE(review): the expiry date, the signature algorithm, and the CA flag / path-length
 * value of the basic-constraints extension are chosen inside
 * {@code V3X509CertificateGenerator} and are not visible here. Confirm that they are
 * appropriate for an intermediate CA.
 *
 * @param caPrivKey private key handed to the generator to sign the new certificate
 * @param caCert    issuing certificate; supplies the issuer name, the authority key id and
 *                  the public key used for the signature self-check
 * @param startDate passed to the generator (presumably the notBefore date; confirm)
 * @param keyPair   key pair of the intermediate; the public key is certified, and the
 *                  private key only receives PKCS#12 bag attributes
 * @return the generated certificate, with its PKCS#12 friendly name set
 * @throws Exception if generation fails, the certificate is not valid at the current time,
 *                   or its signature does not verify under {@code caCert}'s public key
 */
private X509Certificate createIntermediateCertificate(PrivateKey caPrivKey,
        X509Certificate caCert,
        Date startDate, KeyPair keyPair) throws Exception {
    // Issuer name = CA subject, so name chaining to caCert holds.
    X500Name issuer = JcaX500NameUtil.getSubject(caCert);
    X500Name subject = new X500NameBuilder(BCStyle.INSTANCE)
            .addRDN(BCStyle.OU, INTERMEDIATE_CERT_OU)
            .addRDN(BCStyle.EmailAddress, CERT_EMAIL)
            .build();

    X509CertificateGenerator.V3X509CertificateGenerator generator = new V3X509CertificateGenerator(
            startDate, issuer, subject, keyPair.getPublic(), serialNumber());
    generator.addSubjectKeyIdExtension(keyPair.getPublic());
    generator.addAuthorityKeyIdExtension(caCert);
    generator.addBasicConstraintsExtension();
    X509Certificate intermediate = generator.generate(caPrivKey);

    // Fail fast: reject a certificate that is not valid right now (e.g. a startDate in
    // the future) or whose signature does not verify under the CA's public key, which
    // would indicate that caPrivKey and caCert do not belong together.
    intermediate.checkValidity(new Date());
    intermediate.verify(caCert.getPublicKey());

    // Bag attributes label the entries for PKCS#12 use. The local key id on the private
    // key is derived from the matching public key.
    PKCS12BagAttributeSetter.usingBagAttributeCarrier(intermediate)
            .setFriendlyName(INTERMEDIATE_CERT_OU);
    PKCS12BagAttributeSetter.usingBagAttributeCarrier(keyPair.getPrivate())
            .setFriendlyName(FRIENDLY_NAME)
            .setLocalKeyId(keyPair.getPublic());
    return intermediate;
}