
tl;dr: Is there a native Java 17 solution to generate a self-signed certificate, either via the standard library (very unlikely) or some slim, lightweight library?

There is a similar question (Access `sun.security.x509` in JDK 11 without modules?, asked by me) because, starting with JDK 11, access to internal JDK packages has been limited, so it's not possible to use classes from `sun.security.x509`. Up until JDK 17 there was a possibility to circumvent it with a certain compiler configuration flag to open those packages. This changed with JDK 17, which removed that option.

From what I was able to gather current solutions are either:

  1. BouncyCastle, but it's a hefty 5 MB Swiss-army-knife security library, so using it only for generating a certificate seems somewhat wasteful.
  2. Calling the `keytool` Java tool directly, but this has two downsides: calling an external tool is slower and it requires creating a keystore file.

Currently (2) seems more convenient in my use case, but I would love to find a third option: a native, lightweight solution.

EDIT: there is an OpenJDK issue, JDK-8058778: New APIs for creating certificates and certificate requests, and I hope one day it will be implemented...

Wojtek

1 Answer


If anyone is interested, a basic and crude implementation relying on `keytool` is available here: KeytoolCertificateGenerator.java

Wojtek
  • Does it allow generating only self-signed certificates? – Max Sep 02 '22 at 22:33
  • Yes, it only allows self-signed, as for a proper certificate you need to contact a proper CA. In that case you could use [acme4j](https://github.com/shred/acme4j) to obtain a Let's Encrypt certificate, but that is a slightly different use case. – Wojtek Sep 03 '22 at 08:47
  • Actually, I don't need a real CA. I did some certificate chain with a "CA" for test purposes with Bouncy Castle, but I am looking for another way to create certificates. I found your question, and for now I see only `keytool` via `ProcessBuilder` and `sun.security` with the `--exports` option. Probably you found a better way to create certificates? – Max Sep 03 '22 at 22:32
  • No, we ended up with the `keytool` option for now. There is an OpenJDK issue: [JDK-8058778: New APIs for creating certificates and certificate requests](https://bugs.openjdk.org/browse/JDK-8058778), and I hope one day it will be implemented, but for now we wanted to adopt newer Java versions and `keytool` was the best middle ground for us (fewest dependencies, lower impact on resources and relatively compatible). I think it should be possible to use your own CA to sign a certificate from a CSR using `keytool`, but that was out of scope for us. – Wojtek Sep 04 '22 at 14:24
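As an added illustration of the `keytool`-via-`ProcessBuilder` route discussed in the question (option 2) and in the answer's comments, here is a self-contained Java 17 class that generates a self-signed certificate into a PKCS12 keystore and then reads the `X509Certificate` back through the standard `KeyStore` API. This is example code written for this page, not the linked KeytoolCertificateGenerator.java. It assumes a JDK (not a bare JRE) is installed so that `$JAVA_HOME/bin/keytool` exists; the class name, the `KT_PASS` environment variable, and the sample DN and SAN values are all constructed for the example. The password is handed to `keytool` through the `-storepass:env` / `-keypass:env` forms rather than as a plain argument, so it does not appear in the process list.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.concurrent.TimeUnit;

/** Example (not the answer's code): self-signed certificate via the JDK's keytool. */
public final class KeytoolSelfSigned {

    private KeytoolSelfSigned() {}

    /** Locate keytool next to the running JVM. Assumption: java.home points at a JDK. */
    static String keytoolPath() {
        boolean windows = System.getProperty("os.name").toLowerCase().startsWith("windows");
        return Path.of(System.getProperty("java.home"), "bin",
                       windows ? "keytool.exe" : "keytool").toString();
    }

    /**
     * Generates an RSA-2048 self-signed certificate under {@code alias} in a fresh PKCS12
     * keystore at {@code keystore} and returns it. {@code san} is a keytool SAN value such
     * as "dns:localhost". An existing keystore file is replaced, because keytool refuses to
     * overwrite an alias that is already present.
     */
    public static X509Certificate generate(Path keystore, char[] password, String alias,
                                           String dname, String san, int validityDays)
            throws Exception {
        Files.deleteIfExists(keystore);

        List<String> cmd = List.of(
            keytoolPath(), "-genkeypair",
            "-alias", alias,
            "-keyalg", "RSA", "-keysize", "2048",
            "-sigalg", "SHA256withRSA",
            "-dname", dname,
            "-ext", "SAN=" + san,
            "-validity", String.valueOf(validityDays),
            "-storetype", "PKCS12",
            "-keystore", keystore.toString(),
            "-storepass:env", "KT_PASS",   // password read from the environment, not argv
            "-keypass:env", "KT_PASS");    // PKCS12 requires key and store passwords to match

        ProcessBuilder pb = new ProcessBuilder(cmd).redirectErrorStream(true);
        pb.environment().put("KT_PASS", new String(password));
        Process p = pb.start();
        String output = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        if (!p.waitFor(60, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("keytool timed out");
        }
        if (p.exitValue() != 0) {
            throw new IOException("keytool failed (exit " + p.exitValue() + "): " + output);
        }

        // Read the generated certificate back with the standard KeyStore API.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, password);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IOException("alias " + alias + " not found in " + keystore);
        }
        // Sanity check: a self-signed certificate verifies under its own public key.
        cert.verify(cert.getPublicKey());
        return cert;
    }

    public static void main(String[] args) throws Exception {
        Path ks = Files.createTempDirectory("kt-demo").resolve("server.p12");
        char[] pw = "changeit".toCharArray();  // constructed sample password
        X509Certificate cert = generate(ks, pw, "server",
                "CN=localhost, O=Example, C=US", "dns:localhost,ip:127.0.0.1", 90);
        System.out.println("Subject:    " + cert.getSubjectX500Principal());
        System.out.println("Issuer:     " + cert.getIssuerX500Principal());
        System.out.println("Not after:  " + cert.getNotAfter());
        System.out.println("SANs:       " + cert.getSubjectAlternativeNames());
        System.out.println("Keystore:   " + ks);
    }
}
```

The keystore file the question mentions as a downside is unavoidable with `keytool`, but it can be written to a temporary directory and deleted after the certificate and key have been loaded into a `KeyStore` in memory. Use a short validity and a SAN that matches the hostname you actually serve, since modern TLS clients ignore the CN.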