long notAfter = this.notAfter != -1L ? this.notAfter : notBefore + DEFAULT_DURATION_MILLIS; BigInteger serialNumber = this.serialNumber != null ? this.serialNumber : BigInteger.ONE; X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); generator.setSerialNumber(serialNumber); generator.setIssuerDN(signedByPrincipal); generator.setNotBefore(new Date(notBefore)); generator.setNotAfter(new Date(notAfter)); generator.setSubjectDN(subject); generator.setPublicKey(heldKeyPair.getPublic()); generator.setSignatureAlgorithm(signedByKeyPair.getPrivate() instanceof RSAPrivateKey ? "SHA256WithRSAEncryption" : "SHA256withECDSA"); generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(maxIntermediateCas)); encodableAltNames[i] = new GeneralName(tag, altName); generator.addExtension(X509Extensions.SubjectAlternativeName, true, new DERSequence(encodableAltNames)); X509Certificate certificate = generator.generate(signedByKeyPair.getPrivate()); return new HeldCertificate(heldKeyPair, certificate); } catch (GeneralSecurityException e) {
/** * add a given extension field for the standard extensions tag (tag 3) */ public void addExtension( String oid, boolean critical, ASN1Encodable value) { this.addExtension(new ASN1ObjectIdentifier(oid), critical, value); }
/** * generate an X509 certificate, based on the current issuer and subject, * using the passed in provider for the signing. */ public X509Certificate generate( PrivateKey key, String provider) throws CertificateEncodingException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { return generate(key, provider, null); }
/** * add a given extension field for the standard extensions tag (tag 3) * The value parameter becomes the contents of the octet string associated * with the extension. */ public void addExtension( String oid, boolean critical, byte[] value) { this.addExtension(new ASN1ObjectIdentifier(oid), critical, value); }
/** * generate an X509 certificate, based on the current issuer and subject * using the default provider. * <p> * <b>Note:</b> this differs from the deprecated method in that the default provider is * used - not "BC". * </p> */ public X509Certificate generate( PrivateKey key) throws CertificateEncodingException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { return generate(key, (SecureRandom)null); }
public X509Certificate generateCertificate(KeyPair keyPair){ X509V3CertificateGenerator cert = new X509V3CertificateGenerator(); cert.setSerialNumber(BigInteger.valueOf(1)); //or generate a random number cert.setSubjectDN(new X509Principal("CN=localhost")); //see examples to add O,OU etc cert.setIssuerDN(new X509Principal("CN=localhost")); //same since it is self-signed cert.setPublicKey(keyPair.getPublic()); cert.setNotBefore(<date>); cert.setNotAfter(<date>); cert.setSignatureAlgorithm("SHA1WithRSAEncryption"); PrivateKey signingKey = keyPair.getPrivate(); return cert.generate(signingKey, "BC"); }
private static void addCACertificateExtensions( X509V3CertificateGenerator certGen) throws IOException { // Basic Constraints certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0)); }
return generate(key, provider, random);
/** * Generates a certificate for {@code hostName} containing {@code keyPair}'s * public key, signed by {@code keyPair}'s private key. */ @SuppressWarnings("deprecation") // use the old Bouncy Castle APIs to reduce dependencies. private X509Certificate selfSignedCertificate(KeyPair keyPair) throws GeneralSecurityException { X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); X500Principal issuer = new X500Principal("CN=" + hostName); X500Principal subject = new X500Principal("CN=" + hostName); generator.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); generator.setIssuerDN(issuer); generator.setNotBefore(new Date(notBefore)); generator.setNotAfter(new Date(notAfter)); generator.setSubjectDN(subject); generator.setPublicKey(keyPair.getPublic()); generator.setSignatureAlgorithm("SHA256WithRSAEncryption"); return generator.generateX509Certificate(keyPair.getPrivate(), "BC"); }
certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pubKey)); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caPubKey)); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new X509KeyUsage( X509KeyUsage.digitalSignature + X509KeyUsage.keyEncipherment)); usages.add(KeyPurposeId.id_kp_serverAuth); usages.add(KeyPurposeId.id_kp_clientAuth); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(usages));
public X509Certificate x509ReqToX509(PKCS10CertificationRequest csr, int days, PrivateKey pKey) { Date notBefore = new Date(); Calendar cal = Calendar.getInstance(); cal.add(Calendar.DATE, days); Date notAfter = cal.getTime(); BigInteger serialNumber = generateCertSerialNumber(); // No implemented here X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(serialNumber); certGen.setIssuerDN(csr.getCertificationRequestInfo().getSubject()); certGen.setSubjectDN(csr.getCertificationRequestInfo().getSubject()); certGen.setNotBefore(notBefore); certGen.setNotAfter(notAfter); certGen.setPublicKey(csr.getPublicKey()); certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); return certGen.generate(pKey, "BC"); }
/** * add a given extension field for the standard extensions tag (tag 3) * copying the extension value from another certificate. * @throws CertificateParsingException if the extension cannot be extracted. */ public void copyAndAddExtension( String oid, boolean critical, X509Certificate cert) throws CertificateParsingException { byte[] extValue = cert.getExtensionValue(oid); if (extValue == null) { throw new CertificateParsingException("extension " + oid + " not present"); } try { ASN1Encodable value = X509ExtensionUtil.fromExtensionValue(extValue); this.addExtension(oid, critical, value); } catch (IOException e) { throw new CertificateParsingException(e.toString()); } }
protected Certificate generateCertificate(KeyPair keyPair, String alias) throws GeneralSecurityException { //test that Bouncy Castle provider is present and add it if it's not if( Security.getProvider(org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME) == null) { Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); } X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); // X509Name nameInfo = new X509Name(false,"CN=" + alias); certificateGenerator.setSignatureAlgorithm("MD5WithRSA"); certificateGenerator.setSerialNumber(new java.math.BigInteger("1")); X509Principal nameInfo = new X509Principal("CN=" + alias); certificateGenerator.setIssuerDN(nameInfo); certificateGenerator.setSubjectDN(nameInfo); // note: same as issuer for self signed certificateGenerator.setNotBefore(new Date()); Calendar c = Calendar.getInstance(); c.add(Calendar.DATE, CLIENT_CERT_EXPIRATION_DAYS); certificateGenerator.setNotAfter(c.getTime()); certificateGenerator.setPublicKey(keyPair.getPublic()); return certificateGenerator.generate(keyPair.getPrivate(), org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME); }
public X509Certificate newCertificateFor(X500Principal subject, PublicKey keyToCertify) { try { X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator(); v3CertGen.setSerialNumber( serialNumber != null ? serialNumber : // must be positive BigInteger.valueOf(srand.nextLong()).abs().add(BigInteger.ONE)); v3CertGen.setIssuerDN(issuerPrincipal); v3CertGen.setNotBefore(validityStartDate); v3CertGen.setNotAfter(validityEndDate); v3CertGen.setSignatureAlgorithm(signatureAlgorithm); v3CertGen.setSubjectDN(subject); v3CertGen.setPublicKey(keyToCertify); v3CertGen.addExtension(X509Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyToCertify)); if (authorityKeyIdentifier!=null) v3CertGen.addExtension(X509Extension.authorityKeyIdentifier, false, authorityKeyIdentifier); X509Certificate pkCertificate = v3CertGen.generate(issuerKey.getPrivate(), "BC"); return pkCertificate; } catch (Exception e) { throw Exceptions.propagate(e); } }
// generate a key pair KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC"); keyPairGenerator.initialize(4096, new SecureRandom()); KeyPair keyPair = keyPairGenerator.generateKeyPair(); // build a certificate generator X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); X500Principal dnName = new X500Principal("cn=example"); // add some options certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setSubjectDN(new X509Name("dc=name")); certGen.setIssuerDN(dnName); // use the same // yesterday certGen.setNotBefore(new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000)); // in 2 years certGen.setNotAfter(new Date(System.currentTimeMillis() + 2 * 365 * 24 * 60 * 60 * 1000)); certGen.setPublicKey(keyPair.getPublic()); certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)); // finally, sign the certificate with the private key of the same KeyPair X509Certificate cert = certGen.generate(keyPair.getPrivate(), "BC");
private X509Certificate generateX509V3Certificate(final KeyPair keyPair, final X500Principal subject, final X500Principal issuer, final Date notBefore, final Date notAfter, final BigInteger serialNumber, final GeneralNames generalNames, final boolean isCA) throws GeneralSecurityException { Security.addProvider(new BouncyCastleProvider()); X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); generator.setSerialNumber(serialNumber); generator.setIssuerDN(issuer); generator.setSubjectDN(subject); generator.setNotBefore(notBefore); generator.setNotAfter(notAfter); generator.setPublicKey(keyPair.getPublic()); generator.setSignatureAlgorithm("SHA256WithRSAEncryption"); generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(isCA)); generator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(160)); generator.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); if (generalNames != null) { generator.addExtension(X509Extensions.SubjectAlternativeName, false, generalNames); } return generator.generateX509Certificate(keyPair.getPrivate(), "BC"); }
@SuppressWarnings("deprecation") public X509Certificate newCertificateFor(X500Principal subject, PublicKey keyToCertify) { try { X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator(); v3CertGen.setSerialNumber( serialNumber != null ? serialNumber : // must be positive BigInteger.valueOf(srand.nextLong()).abs().add(BigInteger.ONE)); v3CertGen.setIssuerDN(issuerPrincipal); v3CertGen.setNotBefore(validityStartDate); v3CertGen.setNotAfter(validityEndDate); v3CertGen.setSignatureAlgorithm(signatureAlgorithm); v3CertGen.setSubjectDN(subject); v3CertGen.setPublicKey(keyToCertify); JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils(); v3CertGen.addExtension(X509Extension.subjectKeyIdentifier, false, jcaX509ExtensionUtils.createSubjectKeyIdentifier(keyToCertify)); if (authorityKeyIdentifier!=null) v3CertGen.addExtension(X509Extension.authorityKeyIdentifier, false, authorityKeyIdentifier); X509Certificate pkCertificate = v3CertGen.generate(issuerKey.getPrivate(), "BC"); return pkCertificate; } catch (Exception e) { throw Exceptions.propagate(e); } }
X509V3CertificateGenerator serverCertGen = new X509V3CertificateGenerator(); X500Principal serverSubjectName = new X500Principal("CN=OrganizationName"); serverCertGen.setSerialNumber(new BigInteger("123456789")); serverCertGen.setIssuerDN(somename); serverCertGen.setNotBefore(new Date()); serverCertGen.setNotAfter(new Date()); serverCertGen.setSubjectDN(somename); serverCertGen.setPublicKey(serverPublicKey); serverCertGen.setSignatureAlgorithm("MD5WithRSA"); serverCertGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(serverPublicKey)); serverChain[0] = serverCertGen.generateX509Certificate(serverPrivateKey, "BC"); // note: private key of CA
PublicKey issPub = issKP.getPublic(); X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator(); v3CertGen.setSerialNumber(BigInteger.valueOf(serialNo++)); v3CertGen.setIssuerDN(new X509Name(issDN)); v3CertGen.setNotBefore(new Date(System.currentTimeMillis())); v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100))); v3CertGen.setSubjectDN(new X509Name(subDN)); v3CertGen.setPublicKey(subPub); v3CertGen.setSignatureAlgorithm("MD5WithRSAEncryption"); v3CertGen.addExtension( X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subPub)); v3CertGen.addExtension( X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issPub)); return v3CertGen.generateX509Certificate(issPriv);
X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); generator.setSerialNumber(new BigInteger(serialNumber)); generator.setIssuerDN(signedByPrincipal); generator.setNotBefore(new Date(now)); generator.setNotAfter(new Date(now + duration)); generator.setSubjectDN(subject); generator.setPublicKey(heldKeyPair.getPublic()); generator.setSignatureAlgorithm("SHA256WithRSAEncryption"); generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(maxIntermediateCas)); X509Certificate certificate = generator.generateX509Certificate( signedByKeyPair.getPrivate(), "BC"); return new HeldCertificate(certificate, heldKeyPair);