
Possible Duplicate:
Generate certificates, public and private keys with Java

I need to generate self-signed certificates at run time, sign them and import them into the Java keystore. I can do this using keytool and openssl from the command line in the following way:

# 1. Import the CA certificate as a trusted entry
keytool -import -alias root -keystore keystore.txt -file cacert.pem
# 2. Generate the server key pair (1024-bit RSA here; 2048 is the current minimum)
keytool -genkey -keyalg RSA -keysize 1024 -alias www.cia.gov -keystore keystore.txt
# 3. Produce a certificate signing request for that key
keytool -keystore keystore.txt -certreq -alias www.cia.gov -file req.pem
# 4. Have the CA sign the request with openssl
openssl x509 -req -days 3650 -in req.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out reqsigned.pem
# 5. Import the signed certificate back over the key entry; -trustcacerts lets keytool build the chain up to the root
keytool -import -alias www.cia.gov -keystore keystore.txt -trustcacerts -file reqsigned.pem

I can, of course, ship my application with the keytool and openssl binaries and execute the above commands from Java, but I'm looking for a cleaner approach that would allow me to do all of the above in pure Java.

Any libraries I can use?

Demiurg

2 Answers

import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Date;

// CertAndKeyGen and X500Name are JDK-internal classes, not public API, so they
// can move or disappear between releases:
//   Java 7 and earlier: sun.security.x509.CertAndKeyGen
//   Java 8 and later:   sun.security.tools.keytool.CertAndKeyGen
// On Java 9+ the module system hides both packages unless you compile and run with
//   --add-exports java.base/sun.security.x509=ALL-UNNAMED
//   --add-exports java.base/sun.security.tools.keytool=ALL-UNNAMED
// import sun.security.tools.keytool.CertAndKeyGen; // Use this for Java 8 and above
import sun.security.x509.CertAndKeyGen;
import sun.security.x509.X500Name;

public class UseKeyTool {

    private static final int keysize = 2048; // the original used 1024, which is below today's minimum
    private static final String commonName = "www.test.de";
    private static final String organizationalUnit = "IT";
    private static final String organization = "test";
    private static final String city = "test";
    private static final String state = "test";
    private static final String country = "DE";
    private static final long validity = 1096; // days, roughly 3 years
    private static final String alias = "tomcat";
    private static final char[] keyPass = "changeit".toCharArray();

    // copied most ideas from sun.security.tools.KeyTool.java

    @SuppressWarnings("restriction")
    public static void main(String[] args) throws Exception {

        // Start from an empty keystore in memory; load(null, null) initialises it
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null);

        // Key pair generator plus self-signer. The original used SHA1WithRSA, which
        // current TLS clients reject for certificate signatures.
        CertAndKeyGen keypair = new CertAndKeyGen("RSA", "SHA256WithRSA", null);

        // Subject DN; for a self-signed certificate it is also the issuer DN
        X500Name x500Name = new X500Name(commonName, organizationalUnit, organization, city, state, country);

        keypair.generate(keysize);
        PrivateKey privKey = keypair.getPrivateKey();

        // A self-signed certificate is a chain of length one
        X509Certificate[] chain = new X509Certificate[1];
        // getSelfCertificate takes the validity period in seconds
        chain[0] = keypair.getSelfCertificate(x500Name, new Date(), validity * 24 * 60 * 60);

        keyStore.setKeyEntry(alias, privKey, keyPass, chain);

        // Close the stream so the keystore is fully written to disk
        try (FileOutputStream out = new FileOutputStream(".keystore")) {
            keyStore.store(out, keyPass);
        }
    }
}
Ray Hulha

Use BouncyCastle to generate certificates. I believe it also allows you to import them into a Java keystore.

Also your question seems to be very similar to this one.

Eugene Mayevski 'Callback
  • Is there any documentation for this library?! I've been reading what they call documentation for an hour already and could not even manage to understand which package I should download to use their lightweight API – Demiurg Jan 08 '11 at 16:28
  • @Demiurg As I understand it, they call their library a "lightweight API". Isn't http://www.bouncycastle.org/latest_releases.html the download you are looking for? – Eugene Mayevski 'Callback Jan 08 '11 at 16:40
  • It was actually a rhetorical question :) Looks like Bouncycastle can do what I'm looking for, but they really need a "getting started" page or something. On the above download page they have about 5 flavors of that library... – Demiurg Jan 08 '11 at 16:48
  • @Demiurg open source has always lacked support and docs... – Eugene Mayevski 'Callback Jan 08 '11 at 16:49
  • It's not just OS, docs are usually the last thing to be done and as a consequence they are either rushed or infrequently updated. – Hiro2k Jan 08 '11 at 19:19
  • @Hiro2k in open source there's a common tendency that, since one has the source code, one doesn't need comprehensive docs, so why write separate docs? Yet I agree that docs are usually the secondary thing and they are often incomplete. One more reason is that there are plenty of coders on the market, but too few good tech writers with programming knowledge. – Eugene Mayevski 'Callback Jan 08 '11 at 19:29
  • Guys, enough theory :) In practice, Bouncycastle has pretty comprehensive documentation in the form of Javadoc. Too comprehensive. What it lacks is a getting started guide. – Demiurg Jan 08 '11 at 19:49
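The Bouncy Castle route this answer points to, and the getting-started example the comments say is missing, carried through for the whole sequence in the question: a CA certificate as a trusted entry, a server key, a certificate for it signed by the CA, and a key entry holding the chain. This is an added example, not code from the question or from either answer. It assumes bcprov and bcpkix (1.47 or later, when the X509v3CertificateBuilder API appeared) on the classpath; the hostname, organisation and country come from the question, while the CA name, the validity periods (3650 and 825 days), the output file name keystore.p12 and the password are placeholders chosen for the example.

```java
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example (not from the question or answers): the question's keytool/openssl
// sequence done in-process with Bouncy Castle's bcpkix API. Names and periods are placeholders.
public class CertChainWithBouncyCastle {

    private static final String SIG_ALG = "SHA256withRSA";
    private static final SecureRandom RNG = new SecureRandom();

    static KeyPair generateRsaKeyPair(int bits) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(bits, RNG);
        return gen.generateKeyPair();
    }

    // Serials must be unique per issuer: a random 159-bit value is positive, fits the
    // 20-octet limit, and cannot collide the way a counter restarted at 1 can.
    static BigInteger randomSerial() {
        return new BigInteger(159, RNG);
    }

    // Self-signed CA certificate (subject == issuer, signed with its own key); the
    // equivalent of the cacert.pem/cakey.pem pair the openssl command in the question uses.
    static X509Certificate selfSignedCa(KeyPair caKeys, X500Name caName, int days) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(days));
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                caName, randomSerial(), notBefore, notAfter, caName, caKeys.getPublic());
        // cA=TRUE plus keyCertSign is what path validation requires of an issuer
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        return sign(b, caKeys.getPrivate());
    }

    // End-entity certificate signed by the CA key: the 'openssl x509 -req -CA ...' step.
    // No CSR is needed because the server public key is already in hand.
    static X509Certificate issueServerCert(X509Certificate caCert, PrivateKey caKey, PublicKey serverKey,
                                           String dnsName, int days) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(days));
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                caCert, randomSerial(), notBefore, notAfter, new X500Name("CN=" + dnsName), serverKey);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        // TLS clients match the host name against the SAN, not the CN
        b.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, dnsName)));
        return sign(b, caKey);
    }

    private static X509Certificate sign(JcaX509v3CertificateBuilder b, PrivateKey signer) throws Exception {
        ContentSigner cs = new JcaContentSignerBuilder(SIG_ALG).build(signer);
        X509CertificateHolder holder = b.build(cs);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // placeholder, as in the question

        KeyPair caKeys = generateRsaKeyPair(3072);
        X509Certificate caCert = selfSignedCa(caKeys, new X500Name("CN=Example Dev CA,O=test,C=DE"), 3650);
        KeyPair serverKeys = generateRsaKeyPair(2048);
        X509Certificate serverCert =
                issueServerCert(caCert, caKeys.getPrivate(), serverKeys.getPublic(), "www.cia.gov", 825);

        // Check the signature before persisting anything; verify() throws if it is wrong
        serverCert.verify(caCert.getPublicKey());

        // PKCS12 is the JDK's default store type since Java 9; "JKS" works here as well
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setCertificateEntry("root", caCert);                 // keytool -import -alias root
        ks.setKeyEntry("www.cia.gov", serverKeys.getPrivate(),  // keytool -import -alias www.cia.gov -trustcacerts
                password, new X509Certificate[] { serverCert, caCert });
        try (FileOutputStream out = new FileOutputStream("keystore.p12")) {
            ks.store(out, password);
        }
    }
}
```

The Jca* classes delegate to whatever JCA provider is installed, so nothing needs to be registered with Security.addProvider for this to work; the only Bouncy Castle dependency is the certificate builder and its ASN.1 types. The key entry's chain must start with the certificate matching the private key and continue up to the root, which is what keytool -trustcacerts assembles for you in the last command of the question.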