
I have a circumstance where I need to store one or more public keys for use in authentication. I would like to store them in a KeyStore as TrustedCertificates - is there a way to do this, ideally using standard java.security classes?

I have seen that I can generate certificates with Bouncycastle, but most examples seem to show examples of chains of trust, whereas in my case I have individual trusted keys. Also, all the examples I have seen deal with key-pairs, but I am only interested in the set of public keys provided. Is it possible to create a certificate containing only a public key?

flightlessbird
  • Okay, the question is, do you want a `Certificate` like an X509Certificate, or do you want to use this as a client authentication mechanism using a PKCS12 file? If you have a PKCS12 file, then you need the corresponding private key to create a PKCS12 file out of the private key and the X509Certificate. I'm not sure what you mean by "individual trusted keys", the whole point of a chain of trust is that the CA signs the X509Certificate, and if the CA is trusted, then so are all the certificates. For this, there is a CA which provides the X509Certificate by signing the PKCS10 CSR. – EpicPandaForce Nov 22 '14 at 19:37
  • 1
    I personally had to mess around with this a week ago or two, but I don't have enough data about your architecture to properly answer the question. – EpicPandaForce Nov 22 '14 at 19:38
  • Technically, a public key isn't really worth anything for the sake of SSL client-certificate authentication, because it needs a private key too. But if that's not what you need it for, then we might get somewhere. – EpicPandaForce Nov 22 '14 at 19:39
  • 1
    This might be of interest to you: http://stackoverflow.com/a/26782357/2413303 – EpicPandaForce Nov 22 '14 at 19:40
  • I am using the keys to verify signed JWTs (verifying cryptographic signatures to establish trust in claims). As such I only need a set of public keys. – flightlessbird Nov 22 '14 at 20:37

1 Answer


Short answer: you cannot create a certificate without a private key.

Long answer: google "java create self signed certificate programmatically", e.g.: https://www.mayrhofer.eu.org/post/create-x509-certs-in-java/

ursa