Package com.ibm.security.certclient.util
This package can create a self-signed certificate with no extensions or with the requested extensions. The self-signed certificate and private key can be saved in the supplied key store. If a keyPair value is not supplied, a keyPair is created with the self-signed certificate generation request.
Creating a self-signed certificate with the supplied extensions.
In the following example, the keyPair is created for
you.
// Create a self-signed certificate with the requested extensions.
int keysize = 192; // size of key
String keyType = "EC" // Valid key types are: RSA,DSA,EC. Not used if keyPair is provided.
String signatureAlgorithm = "SHA256withECDSA"; // signature algorithm
int validDays = 365; // period of certificate validity
Date notBefore = null; // Date that this certificate validity begins.
// Must be no greater than 3 days prior to the issuing UTC time. If null,
// current Date will be used.
boolean useSSKid = true; // if true use short form of
// Subject Key Identifier
// else use long form
String subjectDN = "cn=test,o=Tivoli,c=US";
// Distinguished name which will
// be used for both the subject
// and issuer of this certificate
String[] acceptableUse = {"digital_signature", "non_repudiation",
"key_encipherment",
"data_encipherment", "encipher_only", "decipher_only" };
String[] acceptableExtUse = {"ServerAuth_Id", "ClientAuth_Id",
"CodeSigning_Id", "EmailProtection_Id",
"IPSecEndSystem_Id", "IPSecTunnel_Id",
"IPSecUser_Id", "TimeStamping_Id" };
String[] acceptableSan = { "newUser@us.ibm.com", "www.ibm.com",
"http://www.tivoli.com/index", "192.100.123.251" };
List<String> san = Arrays.asList(acceptableSan); // (optional) list of
// subject alternate
// names. Specify null
// to indicate
//no value is being
// specified.
List<String> kuse = Arrays.asList(acceptableUse); // (optional) list of
// Key Usage
// strings.
List<String> extkuse = Arrays.asList(acceptableExtUse);//(optional) list
// of Extended Key
// Usage strings.
String provider = "IBMJCE"; // name of the crypto
// provider to be used
KeyPair keyPair = null; // keypair to use for private/public keys
// if null, keypair will be generated
boolean isCA = true; // true - create this certificate as a CA with basic constraints
// false - create this certificate as an end-user without basic constraints
// Create the self-signed certificate with requested extensions
PkSsCertificate sscert = PkSsCertFactory.newSsCert(
keysize,
keyType,
signatureAlgorithm,
subjectDN,
validDays,
notBefore,
useSSKid,
san,
kuse,
extkuse,
provider,
keyPair,
isCA);
PrivateKey key = sscert.getKey(); // Extract the private key for the
// self-signed certificate
PublicKey publicKey = sscert.getPublicKey(); // Extract the public key
X509Certificate cert = sscert.getCertificate(); // Extract the self-signed
// certificate
// Create keystore
KeyStore store = KeyStore.getInstance("JKS");
store.load(null, PASSWORD.toCharArray());
// Save this self-signed certificate along with the private key
// in the keystore
sscert.setToKeySTore("alias", "ksPassword", keystore);
Creating an X509Certificate from a PKCS10 certificate request by using the Pk10CertFactory.newCert( ) method
// Use the Key Cert Management class "PkEeReqFactory" to create
// a CertificateRequestTransaction from which a PKCS10 certificate request
// can be obtained.
PkEeCertReqTransaction crt = null;
try {
crt = PkEeCertReqFactory.newCertRequest(
keysize, // Size of key.
// Not used if a keyPair is provided.
subject, // The Relative DN for the subject.
// Prepended to the value of "dn" to create the subject DN.
validDays, // Period of certificate validity.
keyType // valid key types are: RSA/DSA/EC
signatureAlgorithm, // signature algorithm
useShortSubjectKeyId, // If true use short form of Subject Key Id
san, // List of subject alternate names.
kuse, // List of Key Usage strings.
extkuse, // List of Extended Key Usage strings.
iafile, // initial authorisation file
revPwd, // password to be used when revoking this certificate
dn, // domain name for certificate request.
);
} catch (Exception ex) {
System.out.println("Exception thrown while creating PkEeCertReqTransaction.");
}
// Lift the PKCS10 certificate request from the CertificateRequestTransaction object
byte[] derPKCS10 = null;
try {
derPKCS10 = crt.getPKCS10CertReq();
} catch (Exception ex) {
System.out.println("Exception thrown while obtaining PKCS10 request.");
}
CertificationRequest cr = null;
try {
// Create a CertificationRequest object
cr = new CertificationRequest(derPKCS10);
// Write the BASE64 encoded PKCS10 request to a file
cr.writeBASE64(PKCS10CertificateRequestFile);
} catch (Exception ex) {
System.out.println("Exception thrown while writing PKCS10 request to file.");
}
Pk10Certificate myPk10Certificate = null;
X509Certificate myX509Certificate = null;
try {
// Create the certificate from the certificate request
Date notBeforeDate = Date();
myPk10Certificate = Pk10CertFactory.newCert(PKCS10CertificateRequestFile,
(Date)notBeforeDate,
365,
(X509Certificate)signersCert,
(PrivateKey)signersPrivateKey);
// Obtain the X509Certificate created from the Pk10Certificate object
myX509Certificate = myPk10Certificate.getCertificate();
}
catch (PkRejectionException e)
{
System.out.println("Exception thrown while creating certificate.");
}