Generating the CSR using BouncyCastle API

Question

I am new to the security side of Java and stumbled across this library called BouncyCastle. But the examples that they provide and the ones out on the internet ask to use

return new PKCS10CertificationRequest("SHA256withRSA", new X500Principal(
    "CN=Requested Test Certificate"), pair.getPublic(), null, pair.getPrivate()

But when I use PKCS10CertificationRequest, it looks like it is deprecated. So I started looking at another method where I use CertificationRequest class. But I am really confused, the constructor does not take the same parameters instead it takes CertificationRequestInfo class which I am not sure how to fill up.

CertificationRequest request = new CertificationRequest(...);

It would be awesome if someone could help me figure out how to make a CSR so that I can send it to the server for getting it signed.

score 39 · Accepted Answer · answered Dec 12 '13 at 17:32

39

With the recent versions of BouncyCastle it is recommended to create the CSR using the org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder class.

You can use this code snipppet:

KeyPair pair = generateKeyPair();
PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
    new X500Principal("CN=Requested Test Certificate"), pair.getPublic());
JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withRSA");
ContentSigner signer = csBuilder.build(pair.getPrivate());
PKCS10CertificationRequest csr = p10Builder.build(signer);

answered Dec 12 '13 at 17:32

Jcs

13,279
5
53
70

Thanks .. How do I print the CSR? – Fox Dec 12 '13 at 18:39
2

I got it .. did it with the help of PEMWriter class .. Thanks for the help. – Fox Dec 12 '13 at 19:22
3

For new code I'd suggest using JcaPEMWriter instead of PEMWriter. Same interface but PEMWriter is now deprecated. – Tim Mattison Feb 25 '16 at 12:17
How can this be done with smartcard? Since the private key is on the card itself? – codenamezero Jun 19 '17 at 15:39
In that case the signature of the PKCS#10 request is performed by the smartcard. – Jcs Jun 22 '17 at 02:20
@Jcs how can I pass the other information in csr generation like organisation unit, location, state , country , validity etc. ? – Vikram Singh Shekhawat Mar 03 '20 at 12:18
2

@VikramSinghShekhawat you can add these information in the X500Principal. For instance new X500Principal("CN=Requested Test Certificate, O=Test Inc, C=US") – Jcs May 01 '20 at 18:32
For those looking for a maven/gradle package containing these classes: https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15to18 – user1053510 Apr 01 '21 at 12:46

score 2 · Answer 2 · answered Jun 14 '21 at 10:36

It's really simmilar to Jcs's answer, it is just a little bit supplemented.

Dont forget to add:

Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

And the csr generate:

    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
    keyPairGenerator.initialize(4096);
    KeyPair keyPair = keyPairGenerator.generateKeyPair();
    
    PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
            new X500Principal("OU=Try, C=US## Heading ##"), keyPair.getPublic());

    JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withRSA");
    ContentSigner signer = csBuilder.build(keyPair.getPrivate());
    PKCS10CertificationRequest csr = p10Builder.build(signer);

    JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(new FileWriter("cert/test.csr"));
    jcaPEMWriter.writeObject(csr);
    jcaPEMWriter.close();

I think a useful link

Generating the CSR using BouncyCastle API

2 Answers2

Linked

Related