
There are a lot of formats for security objects. Sometimes you want the X509Certificate, sometimes you need it as a PEM encoded string. How do you go from an X509Certificate format to PEM?

Make this (X509Certificate):

  [0]         Version: 3
     SerialNumber: 95573
         IssuerDN: C=US,ST=California,OU=PDX,O=Example Inc.,CN=Example Cust Issuing CA 1
       Start Date: Wed Jan 13 14:21:12 PST 2016
       Final Date: Sat Jan 14 14:21:12 PST 2017
        SubjectDN: C=US,ST=California,OU=TEST,O=Example,CN=vm1452810069963
       Public Key: RSA Public Key
          modulus: 9c2b98b154cbd2bdaed82271e2324e73589356cab9a762b8ba7248fab236347eb44d19322696109e
                   [...]
                   c0868c88e5e7bc09baadb48cf85c631d
  public exponent: 10001
  Signature Algorithm: SHA256WITHRSA
        Signature: 2197491b50f69c317c7b930634d487744f4502cc
                   [...]
                   dfcb0a75ba67f94b958d2edc2c6cea9a
       Extensions: 
                   critical(false) 2.5.29.35 value = Sequence
Tagged [0] IMPLICIT 
    DER Octet String[32] 
Tagged [1]
    Tagged [4]
        DER Sequence
            DER Set
                DER Sequence
                    ObjectIdentifier(2.5.4.6)
                    PrintableString(US) 
            DER Set
                DER Sequence
                    ObjectIdentifier(2.5.4.8)
                    PrintableString(California) 
            DER Set
                DER Sequence
                    ObjectIdentifier(2.5.4.11)
                    PrintableString(PDX) 
            DER Set
                DER Sequence
                    ObjectIdentifier(2.5.4.10)
                    PrintableString(Example Inc.) 
            DER Set
                DER Sequence
                    ObjectIdentifier(2.5.4.3)
                    PrintableString(Example Cust Policy CA 1) 
Tagged [2] IMPLICIT 
    DER Octet String[3] 

                   critical(false) 2.5.29.14 value = DER Octet String[32] 

                   critical(true) BasicConstraints: isCa(false)
                   critical(true) KeyUsage: 0x80
                   critical(false) 1.3.6.1.5.5.7.1.1 value = Sequence
Sequence
    ObjectIdentifier(1.3.6.1.5.5.7.48.1)
    Tagged [6] IMPLICIT 
        DER Octet String[26] 

into this (PEM format):

-----BEGIN CERTIFICATE-----
MIIEcDCCA1igAwIBAgIDAXVVMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNVBAYTAlVT
[...]
Ksl1vpZ3T96C6UnU3I9c4arhsSbfywp1umf5S5WNLtwsbOqa
-----END CERTIFICATE-----
drusolis
  • If you're not going to use Bouncycastle, check out this SO post here: https://stackoverflow.com/questions/3313020/write-x509-certificate-into-pem-formatted-string-in-java/27914646 – André Gasser Jul 09 '19 at 09:19

1 Answer

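import java.io.IOException;
import java.io.StringWriter;
import java.security.cert.X509Certificate;

import org.bouncycastle.openssl.jcajce.JcaPEMWriter;

// Serializes an X509Certificate into a PEM string (a "-----BEGIN CERTIFICATE-----" block).
public static String x509CertificateToPem(final X509Certificate cert) throws IOException {
    final StringWriter writer = new StringWriter();
    // try-with-resources flushes and closes the PEM writer even if writeObject throws
    try (JcaPEMWriter pemWriter = new JcaPEMWriter(writer)) {
        pemWriter.writeObject(cert);
    }
    return writer.toString();
}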

From what I've seen, the JcaPEMWriter can accept different formats and write those to PEM strings too. For example:

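import java.io.IOException;
import java.io.StringWriter;

import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

// Serializes a PKCS#10 certification request into a PEM string.
public static String convertCertToPem(final PKCS10CertificationRequest certRequest) throws IOException {
    final StringWriter writer = new StringWriter();
    // try-with-resources flushes and closes the PEM writer even if writeObject throws
    try (JcaPEMWriter pemWriter = new JcaPEMWriter(writer)) {
        pemWriter.writeObject(certRequest);
    }
    return writer.toString();
}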

Same code as above except the input is a PKCS10CertificationRequest rather than an X509Certificate.

drusolis
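A round-trip check for the conversion in the answer above, as an added example that is not part of the original post: it generates a throwaway self-signed certificate (constructed sample input), writes it with JcaPEMWriter, and parses the PEM back with the JDK's CertificateFactory to confirm the DER encoding is unchanged. The class name PemRoundTrip, the subject CN and the validity window are assumptions; it needs the Bouncy Castle bcprov and bcpkix jars and Java 10 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class PemRoundTrip {
    // Constructed sample input: a throwaway self-signed certificate generated at run time.
    static X509Certificate sampleCert() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        var kp = kpg.generateKeyPair();
        X500Name dn = new X500Name("CN=pem-roundtrip.example"); // hypothetical subject/issuer
        long now = System.currentTimeMillis();
        return new JcaX509CertificateConverter().getCertificate(
                new JcaX509v3CertificateBuilder(dn, BigInteger.ONE, new Date(now - 60_000L),
                        new Date(now + 86_400_000L), dn, kp.getPublic())
                        .build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
    }

    // Same JcaPEMWriter conversion as in the answer.
    static String toPem(X509Certificate cert) throws Exception {
        StringWriter out = new StringWriter();
        try (JcaPEMWriter w = new JcaPEMWriter(out)) {
            w.writeObject(cert);
        }
        return out.toString();
    }

    // Read the PEM text back with the JDK's CertificateFactory (no Bouncy Castle needed to parse).
    static X509Certificate fromPem(String pem) throws Exception {
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = sampleCert();
        String pem = toPem(cert);
        // Certificate.equals compares encoded (DER) forms; PEM is only Base64 armour around them.
        System.out.println(pem + "DER unchanged: " + cert.equals(fromPem(pem)));
    }
}
```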