
After a lot of searching, I didn't find how to make the equivalent of the following command in Java code:

openssl pkcs12 -cacerts -in /path/to/file.p12 -noout

to get only the CA certificates from this p12, or openssl pkcs12 -clcerts -in /path/to/file.p12 -noout to get the certificate.

In Java, I load file.p12 so all these certificates are stored in the PKCS12 keystore, but I cannot differentiate which is a CA cert and which is a simple cert. How can I do that?

(In my p12, I have my certificate and N CA certificates which have signed it: CA 2 has signed the certificate, CA 3 has signed the CA 2 certificate, ..., CA N has signed the CA N-1 certificate.)

2) Another question along the same lines: is there a way to order an X.509 certificate list to obtain (CA 1, ... CA N)? I used:

import java.security.cert.CertPath;
import java.security.cert.CertificateFactory;

CertificateFactory certFact = CertificateFactory.getInstance("X.509");
CertPath path = certFact.generateCertPath(myCertifList); // myCertifList: a List of X509Certificate

But the list needs to be already ordered, contrary to what I hoped.

3) Is the fullchain certificate order guaranteed? What if Let's Encrypt, for example, changes its strategy and changes the way it builds chain and fullchain so that we can't rely on the current cert order? Thank you very much for your help!

Kharlan
  • Root CA certificates are self-signed. The major difference to custom self-signed certificates is that they are listed in the trusted certificate store of Java. See also [this question](http://stackoverflow.com/questions/3508050/how-can-i-get-a-list-of-trusted-root-certificates-in-java). – Robert Nov 10 '16 at 17:29

1 Answer


The practical way a P12 is issued is with a single PrivateKey and the corresponding Certificate Chain (the general internet standard).

You can read more about this in these links: PKCS#12, Chain of Trust and Intermediate CA.

Usually (almost all the time), the user's certificate will be the first certificate (most important) in the chain, followed by the less important ones (Sub CAs and CAs, the CA being last).

Almost all the software and libraries out there follow this approach.

So, it is safe to say that the certificate chain will be ordered (however, there is a possibility that the chain may not be complete: you could have only the user's certificate, or the CA certificate might not be there after the Sub CA's certificate. This highly depends on the CA that issued the P12/certificate chain). But you will find the user's certificate at the first (zeroth) position.

If you need to make sure that the chain is complete and ordered you can have your own defensive method that does this. You can identify the type of certificate (CA, SubCA or user) based on the SubjectDN and the IssuerDN fields of the certificate.

If the SubjectDN equals the IssuerDN, then it is a CA certificate; then identify the next certificate (SubCA): if the certificate's IssuerDN is equal to the SubjectDN of the CA, then it is the next in the chain, and so on.

always_a_rookie
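Putting the three parts of the question together (split the store the way -clcerts / -cacerts do, order the certificates leaf first for generateCertPath(), and do it without trusting the order in the file), here is an added Java example. It is not code from the question or the answer. It assumes it is run as "java P12Chain /path/to/file.p12 <password>"; the class and method names (P12Chain, allCertificates, isCa, select, orderChain, signedBy) are mine. To tell CA certificates from the end-entity certificate it reads the basicConstraints extension rather than comparing SubjectDN to IssuerDN, since intermediate CAs are not self-signed, and each issuer link is confirmed by verifying the child's signature with the candidate issuer's key, not only by matching names.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPath;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public final class P12Chain {

    /** Every X.509 certificate in the store, deduplicated (Certificate.equals compares DER encodings). */
    public static List<X509Certificate> allCertificates(KeyStore ks) throws GeneralSecurityException {
        Set<X509Certificate> certs = new LinkedHashSet<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias); // key entry: its whole stored chain
            if (chain == null) chain = new Certificate[] { ks.getCertificate(alias) }; // trusted-cert entry
            for (Certificate c : chain) if (c instanceof X509Certificate) certs.add((X509Certificate) c);
        }
        return new ArrayList<>(certs);
    }

    /** CA test via basicConstraints: -1 means end-entity (extension absent or cA=false). Unlike a
     *  subject==issuer test this also catches intermediate CAs, which are not self-signed. */
    public static boolean isCa(X509Certificate cert) {
        return cert.getBasicConstraints() != -1;
    }

    /** Roughly what "openssl pkcs12 -clcerts" (ca=false) and "-cacerts" (ca=true) would list. */
    public static List<X509Certificate> select(List<X509Certificate> certs, boolean ca) {
        List<X509Certificate> out = new ArrayList<>();
        for (X509Certificate c : certs) if (isCa(c) == ca) out.add(c);
        return out;
    }

    /** Puts an unordered set of certificates into leaf-first order, as generateCertPath() expects.
     *  Each link needs issuer==subject AND a valid signature by the candidate issuer's key, so two
     *  CAs sharing a DN cannot be confused. Stops early when the next issuer is missing (incomplete). */
    public static List<X509Certificate> orderChain(List<X509Certificate> certs) {
        List<X509Certificate> pool = new ArrayList<>(certs);
        X509Certificate leaf = null;
        for (X509Certificate candidate : pool) { // the leaf is the one certificate that issued nobody
            boolean issuesSomeone = false;
            for (X509Certificate other : pool) {
                if (other != candidate && signedBy(other, candidate)) { issuesSomeone = true; break; }
            }
            if (!issuesSomeone) {
                if (leaf != null) throw new IllegalStateException("more than one end-entity certificate");
                leaf = candidate;
            }
        }
        if (leaf == null) throw new IllegalStateException("no end-entity certificate found");
        List<X509Certificate> ordered = new ArrayList<>();
        X509Certificate current = leaf;
        while (current != null) {
            ordered.add(current);
            pool.remove(current);
            if (signedBy(current, current)) break; // reached a self-signed root
            X509Certificate next = null;
            for (X509Certificate candidate : pool) {
                if (signedBy(current, candidate)) { next = candidate; break; }
            }
            current = next; // null: issuer not in the store, chain is incomplete
        }
        return ordered;
    }

    /** True when child names issuer as its issuer and issuer's key verifies child's signature. */
    private static boolean signedBy(X509Certificate child, X509Certificate issuer) {
        if (!child.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
        try {
            child.verify(issuer.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false; // same name, different key
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed invocation (not from the original post): java P12Chain /path/to/file.p12 <password>
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<X509Certificate> all = allCertificates(ks);
        System.out.println("-clcerts equivalent: " + select(all, false).size() + " certificate(s)");
        System.out.println("-cacerts equivalent: " + select(all, true).size() + " certificate(s)");
        List<X509Certificate> ordered = orderChain(all);
        for (X509Certificate c : ordered) System.out.println("  " + c.getSubjectX500Principal());
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(ordered);
        System.out.println("CertPath built with " + path.getCertificates().size() + " certificate(s)");
    }
}
```

Two caveats when comparing against openssl. First, openssl's -clcerts / -cacerts split is decided by whether a certificate bag carries a localKeyID attribute, not by basicConstraints, so the two tools can disagree on an oddly built file. Second, Java's PKCS12 KeyStore only surfaces certificates as a key entry's chain or as trusted-certificate entries, so a CA certificate that openssl lists may not appear through the KeyStore API at all. Because orderChain() rebuilds the order from the issuer links and signatures, it does not depend on the order a CA (Let's Encrypt or anyone else) happened to write into fullchain; and a root found inside a .p12 is just data, not a trust anchor, until you check it against your own trust store.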