
I have a program in Java which currently uses private JDK classes (CertAndKeyGen and X500Name) to generate self-signed X.509 certificates. There are too many problems with this approach:

  • the internal package(s) keep changing:
    • sun.security.x509.CertAndKeyGen (Oracle/Sun/OpenJDK 6, 7)
    • sun.security.tools.keytool.CertAndKeyGen (Oracle/Sun/OpenJDK 8)
    • com.ibm.security.x509.CertAndKeyGen (IBM SDK 7)
    • com.ibm.security.tools.CertAndKeyGen (IBM SDK 8)
    • Apparently a JDK 7 update (u111?) recently changed the package listed above
  • Java 9 will hide these classes

I would like to convert this code to use standard, supported JDK classes.

I have looked at using the ill-named CertificateFactory.generateCertificate() methods, but no luck: they cannot generate any certificate; they are only able to load an existing one.

Does anybody know a standard JDK API that can generate a self-signed certificate?

This is as far as I could go:

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import javax.security.auth.x500.X500Principal;

String dn = "CN=example, O=Example"; // placeholder distinguished name for issuer and subject
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
// "SHA1WithRSA" is a Signature algorithm name, not a SecureRandom one (getInstance would throw
// NoSuchAlgorithmException); the platform default PRNG is what you want here
generator.initialize(2048, new SecureRandom());
KeyPair keyPair = generator.generateKeyPair();
PrivateKey privatekey = keyPair.getPrivate();

X500Principal principal = new X500Principal(dn);

CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
// How to generate the self-signed certificate from there?
// certFactory.generateCertificate(inputStream) // only able to load an existing certificate

Note:

  • We do not want to introduce a dependency on bouncy-castle if at all possible
    • I already know of X509V3CertificateGenerator
  • We do not want to invoke keytool via a ProcessBuilder either :)
  • I noticed this question: http://stackoverflow.com/questions/21410695/how-to-programmatically-generate-a-self-signed-certificate but it attracted answers that focused on the code, but not the question. – JnRouvignac Aug 25 '16 at 11:19
  • Of course it is only now that I find a similar question: http://stackoverflow.com/questions/36220377/alternative-to-certandkeygen-for-self-signed-certificate-generation-in-java?rq=1 – JnRouvignac Aug 26 '16 at 14:52
  • I have submitted a RFE for Java to Oracle. Let's see when I'll get an answer. – JnRouvignac Aug 26 '16 at 14:53
  • 1
    The bouncycastle library has an excellent class, [X509v3CertificateBuilder](https://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/cert/X509v3CertificateBuilder.html) that does what you want. Java 8 does not have any built-in support for this. You can write your own code, but then you'd just be duplicating the open source bouncycastle code. So why not bouncycastle? – President James K. Polk Aug 28 '16 at 14:45
  • I am not the one who decides :) It looks like we'll have no choice. – JnRouvignac Aug 29 '16 at 21:40
  • I can not believe that there is no Java Standard Support for this?! Unfortunately we can not vote for bugs anymore: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8058778 – Lonzak Oct 15 '18 at 08:41
  • @JnRouvignac - have you made any progress since then with non-BC solutions? :-) – Wojtek Apr 10 '20 at 20:33
  • We wrote our own certificate builder: https://bugster.forgerock.org/jira/browse/OPENDJ-6258 – JnRouvignac Apr 12 '20 at 15:45

1 Answer


Ok, then I guess it does not exist.

The RFE I submitted to the JDK has been accepted and there is now an official bug for it: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8165481

    It was flagged as a duplicate. The request is still open since 2014 though: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8058778 – Lonzak Oct 15 '18 at 08:38
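The thread ends where it started: no supported JDK API exists, and the question author's project wrote its own certificate builder (OPENDJ-6258). The following is an added example, not the question author's, OpenDJ's or any answer's code, showing how little that builder has to do. The JDK already supplies the two hard pieces in DER form, X500Principal.getEncoded() for the Name and PublicKey.getEncoded() for the SubjectPublicKeyInfo; what remains is TLV framing of the TBSCertificate, one java.security.Signature call, and re-parsing the result through the very CertificateFactory.generateCertificate() the question dismisses. The distinguished name, validity period, SHA-256/RSA algorithm choice and the critical basicConstraints CA:TRUE extension are this example's assumptions, not anything the page specifies.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
import javax.security.auth.x500.X500Principal;

/** Self-signed X.509 v3 certificate from JDK classes only (added example, no third-party code). */
public class SelfSignedCert {

    // AlgorithmIdentifier { sha256WithRSAEncryption (1.2.840.113549.1.1.11), NULL }, pre-encoded.
    private static final byte[] SHA256_WITH_RSA = {
        0x30, 0x0d, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x0d,
        0x01, 0x01, 0x0b, 0x05, 0x00 };
    // OBJECT IDENTIFIER id-ce-basicConstraints (2.5.29.19), pre-encoded.
    private static final byte[] OID_BASIC_CONSTRAINTS = { 0x06, 0x03, 0x55, 0x1d, 0x13 };

    /** DER TLV: tag byte, definite-form length, then the concatenated contents. */
    static byte[] der(int tag, byte[]... contents) {
        int len = 0;
        for (byte[] c : contents) len += c.length;
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        if (len < 0x80) {
            out.write(len);                                   // short form
        } else {
            byte[] lenBytes = BigInteger.valueOf(len).toByteArray();
            int off = lenBytes[0] == 0 ? 1 : 0;               // drop sign byte: lengths are unsigned
            out.write(0x80 | (lenBytes.length - off));        // long form: 0x8n + n length bytes
            out.write(lenBytes, off, lenBytes.length - off);
        }
        for (byte[] c : contents) out.write(c, 0, c.length);
        return out.toByteArray();
    }

    /** RFC 5280 Time: UTCTime (tag 0x17) through 2049, GeneralizedTime (tag 0x18) from 2050 on. */
    static byte[] time(Instant t) {
        ZonedDateTime z = t.atZone(ZoneOffset.UTC);
        boolean utc = z.getYear() < 2050;
        String text = DateTimeFormatter.ofPattern(utc ? "yyMMddHHmmss'Z'" : "yyyyMMddHHmmss'Z'").format(z);
        return der(utc ? 0x17 : 0x18, text.getBytes(StandardCharsets.US_ASCII));
    }

    /** Builds and signs a v3 certificate whose issuer and subject are both {@code dn}. */
    static X509Certificate generate(KeyPair keyPair, String dn, int days) throws GeneralSecurityException {
        byte[] name = new X500Principal(dn).getEncoded();          // DER Name, courtesy of the JDK
        byte[] spki = keyPair.getPublic().getEncoded();             // DER SubjectPublicKeyInfo
        BigInteger serial = new BigInteger(64, new SecureRandom()).setBit(63); // positive, 64 bits
        Instant now = Instant.now();
        byte[] tru = { (byte) 0xff };                               // DER BOOLEAN TRUE
        // Extension { basicConstraints, critical TRUE, OCTET STRING { SEQUENCE { cA TRUE } } }
        byte[] basicConstraints = der(0x30, OID_BASIC_CONSTRAINTS, der(0x01, tru),
                der(0x04, der(0x30, der(0x01, tru))));
        byte[] tbs = der(0x30,
                der(0xa0, der(0x02, new byte[] { 2 })),             // [0] EXPLICIT version v3
                der(0x02, serial.toByteArray()),                    // serialNumber
                SHA256_WITH_RSA,                                    // signature (must match outer)
                name,                                               // issuer
                der(0x30, time(now), time(now.plus(days, ChronoUnit.DAYS))), // validity
                name,                                               // subject == issuer: self-signed
                spki,                                               // subjectPublicKeyInfo
                der(0xa3, der(0x30, basicConstraints)));            // [3] EXPLICIT extensions
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(keyPair.getPrivate());
        sig.update(tbs);
        // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue BIT STRING }
        byte[] cert = der(0x30, tbs, SHA256_WITH_RSA, der(0x03, new byte[] { 0 }, sig.sign()));
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(cert));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        X509Certificate cert = generate(kp, "CN=example.test, O=Example", 365); // assumed DN
        cert.verify(kp.getPublic());   // throws if the DER structure or the signature is wrong
        cert.checkValidity();
        System.out.println(cert.getSubjectX500Principal() + " serial=" + cert.getSerialNumber());
    }
}
```

The call to cert.verify() against the generated public key is the check worth keeping in any home-grown builder: the JDK parser is strict about DER and about the inner and outer AlgorithmIdentifier agreeing, so a framing mistake surfaces there rather than at the first TLS handshake. Further extensions (subjectAltName, keyUsage, subjectKeyIdentifier) are added as more Extension TLVs inside the [3] SEQUENCE in the same way; for anything beyond a handful of them, or for non-RSA algorithms with non-NULL parameters, the Bouncy Castle X509v3CertificateBuilder mentioned in the comments is the less error-prone route.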