11

I have a web page where I show the details of an SSL certificate which is being used with the server. I thought that toString() might be okay, but it looks like this:

  [0]         Version: 3
         SerialNumber: 117262955582477610212812061435665386300
             IssuerDN: CN=localhost
           Start Date: Wed Jun 13 15:15:05 EST 2012
           Final Date: Tue Jun 08 15:15:05 EST 2032
            SubjectDN: CN=localhost
           Public Key: DSA Public Key
            y: 6ef96c2ace616280c5453dda2[TRUNCATED BY ME]

  Signature Algorithm: SHA1withDSA
            Signature: 302c021450b1557d879a25ccf6b89e7ac6de8dc6
                       0b13df7e0214559cdc810cdb1faa3a645da837cd
                       5efdeb81d62e
       Extensions: 
                       critical(true) 2.5.29.17 value = DER Sequence
    Tagged [7] IMPLICIT 
        DER Octet String[4] 

The problem I have with it is the obscure representation of extensions. I would prefer to see "subjectAltNames" and the list of alternative names, like what I can see in my web browser when I look at the certificate info.

Is there some way to do this? I have the entirety of BouncyCastle on my class path so I had hoped I could find it in there, but I don't seem to be able to find it.

Worst comes to worst I know I can put time into getting all the bits and pieces out myself, but I don't know if I will miss an extension someone might expect to find in there.

Hakanai

3 Answers

3

Answering my own question with my own solution.

It turns out that this crappy toString() output only happens when using Sun's implementation of X509Certificate. When using BouncyCastle's, it looks a lot better (or more detailed, at least.)

It just turned out that we weren't initialising BC's provider before the page was rendered. Initialisation was delayed until we wanted to use it to actually generate a certificate and now that it's done on webapp startup, the toString() looks a lot better.

Hakanai
1

Pretty much all the "bits and pieces" should be available from the standard X509Certificate class:

You should be able to pretty easily format whatever you want, however you want. You can also access and iterate through the "getIssuerAlternativeNames()" collection.

PS:

Here's an excellent link about implementing the X509Certificate class:

And here's a link from somebody who's using Bouncy Castle (the solution also involves the above link):

paulsm4
  • The "bits and pieces" are not at all means to pretty print an X509 certificate. There are lots of these and it's significant amount of work to properly format and print (text console) or display (Swing, JavaFX, HTML) all of these data. I would expect there is an open source code available for this as this is rather a kind of common problem. And definitely the question was not about implementing X509 certificate. – Krzysztof Tomaszewski May 08 '20 at 15:07
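An added example, not code from any of the answers: it labels each subjectAltName entry returned by the standard `getSubjectAlternativeNames()` with its RFC 5280 GeneralName type, so the `Tagged [7]` with a 4-byte octet string in the question's output shows up as an IPv4 `iPAddress`. The class and method names (`SanPrinter`, `describeSans`) are hypothetical, the certificate is a constructed throwaway built at runtime, and BouncyCastle's bcprov and bcpkix jars are assumed to be on the classpath.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SanPrinter {
    // RFC 5280 GeneralName choices, indexed by the tag number in each SAN entry.
    static final String[] TYPES = {"otherName", "rfc822Name", "dNSName", "x400Address",
        "directoryName", "ediPartyName", "uniformResourceIdentifier", "iPAddress", "registeredID"};

    // Hypothetical helper: one "type: value" line per subjectAltName entry.
    static List<String> describeSans(X509Certificate cert) throws Exception {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans == null) return out;
        for (List<?> entry : sans) {
            int tag = (Integer) entry.get(0);
            Object v = entry.get(1); // String for most types, DER-encoded byte[] for the rest
            String value = (v instanceof byte[])
                ? "DER-encoded, " + ((byte[]) v).length + " bytes" : String.valueOf(v);
            out.add(TYPES[tag] + ": " + value);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a throwaway self-signed certificate with two SAN entries.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name dn = new X500Name("CN=localhost");
        Date now = new Date();
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(dn, BigInteger.ONE, now,
            new Date(now.getTime() + 86_400_000L), dn, kp.getPublic());
        b.addExtension(Extension.subjectAlternativeName, true, new GeneralNames(new GeneralName[] {
            new GeneralName(GeneralName.iPAddress, "127.0.0.1"),
            new GeneralName(GeneralName.dNSName, "localhost")}));
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(
            b.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
        describeSans(cert).forEach(System.out::println);
    }
}
```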
0

Try PEMReader API from BC Provider

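    byte[] content = data.getBytes();
    // create new buffered reader over the PEM bytes (java.io classes)
    BufferedReader br = new BufferedReader(new InputStreamReader(new ByteArrayInputStream(content)));
    // PEMReader here is org.bouncycastle.openssl.PEMReader; null means no password finder
    PEMReader pemReader = new PEMReader(br, null);
    Object obj = pemReader.readObject();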

Once you print the obj, it will give you the toString format.

divanov
anish