
Here is what I have so far for generating a certificate for a user:

    // Imports assumed by this snippet: java.io.FileOutputStream, java.io.OutputStream,
    // java.security.*, java.security.cert.X509Certificate,
    // org.bouncycastle.jce.provider.BouncyCastleProvider.
    // generateKeypair() and createCertificate(...) are helper methods defined elsewhere
    // in the poster's code; the latter presumably builds a certificate over publicKey
    // and signs it with privateKey (i.e. a self-signed certificate).
    try {
        Security.addProvider(new BouncyCastleProvider()); // register Bouncy Castle as a JCA provider
        // Note: a PKCS12 store is conventionally named .p12/.pfx; .cer usually denotes a bare certificate
        String pathtoSave = "D://sureshtest.cer";

        KeyPair keyPair = generateKeypair();
        PublicKey publicKey = keyPair.getPublic();
        PrivateKey privateKey = keyPair.getPrivate();
        X509Certificate trustCert = createCertificate(null, "CN=CompanyName",
                "CN=Owner", publicKey, privateKey);
        java.security.cert.Certificate[] outChain = { trustCert };
        trustCert.checkValidity(); // throws if the certificate is not yet valid or has expired
        KeyStore outStore = KeyStore.getInstance("PKCS12");
        outStore.load(null, null); // initialise an empty in-memory store
        // Hard-coded here for the example; in real code read the password from a secret source
        char[] password = "admin123".toCharArray();
        outStore.setKeyEntry("my own certificate", privateKey, password, outChain);
        try (OutputStream outputStream = new FileOutputStream(pathtoSave)) {
            outStore.store(outputStream, password); // try-with-resources flushes and closes the stream
        }
    } catch (Exception e) {
        e.printStackTrace();
    }

The above code generates a certificate with a private and public key.

Now I want to sign that certificate with a signing certificate I've been issued by a certificate authority (CA). After that I'll grant that certificate to the user.

I got some input from here, but it seems that is not the answer required in my case.

No need for a full implementation, just a valid procedure or some hints will greatly help.

Suresh Atta
  • Okay, so it generates the certificate--what is it specifically that you need help with? – chrylis -cautiouslyoptimistic- Jan 27 '14 at 07:50
  • @chrylis Now I want to sign that certificate, before issuing it to the user. – Suresh Atta Jan 27 '14 at 07:52
  • That's great. Are you asking how to write Java code to do that using BouncyCastle, or are you wanting information on how to submit a CSR to a CA? Note that unless you're implementing a key-escrow system, it's generally considered bad form for the CA to generate the keys, since it doesn't need to know the private key. – chrylis -cautiouslyoptimistic- Jan 27 '14 at 07:53
  • Not to submit a CSR to a CA. I already have one valid CA certificate. Using that valid certificate I want to sign this generated certificate. Am I conceptually going in the wrong direction? Or can it not be done? – Suresh Atta Jan 27 '14 at 07:55
  • What about the linked question makes it unsuitable for your case? It's performing the exact operation you're asking about. – chrylis -cautiouslyoptimistic- Jan 27 '14 at 07:59
  • How come that request came in between? Since I have both certificates in hand, can't I sign directly? If not, do I have to change my code so that it signs and then writes to the file? – Suresh Atta Jan 27 '14 at 08:20

1 Answer

You need to generate a CSR so you can invoke the code from Sign CSR using Bouncy Castle, which uses the BC API. Add this to your code above:

        // Additional imports needed for this snippet: java.security.Signature,
        // sun.security.pkcs.PKCS10, sun.security.x509.X500Name, sun.security.x509.X500Signer,
        // org.bouncycastle.pkcs.PKCS10CertificationRequest.
        // sun.security.* is a JDK-internal API: this is the pre-Java-8 form; Java 8 removed
        // X500Signer in favour of request.encodeAndSign(subject, signature).
        final PKCS10 request = new PKCS10(publicKey);
        // SHA-1 signatures are deprecated; use SHA256WithRSA (SHA256WithDSA for a DSA key)
        final String sigAlgName = "SHA256WithRSA";
        final Signature signature = Signature.getInstance(sigAlgName);
        signature.initSign(privateKey); // the CSR is signed with the requester's own key (proof of possession)
        final X500Name subject = new X500Name(trustCert.getSubjectDN().toString());
        final X500Signer signer = new X500Signer(signature, subject);

        // Sign the request. getEncoded() returns the signed request as DER bytes, so the
        // PEM "-----BEGIN/END NEW CERTIFICATE REQUEST-----" lines never have to be stripped
        // by hand (character-offset stripping breaks on differing line endings).
        request.encodeAndSign(signer);
        final byte[] csrDer = request.getEncoded();

        // org.bouncycastle.pkcs.PKCS10CertificationRequest: the BC representation of the CSR
        final PKCS10CertificationRequest holder = new PKCS10CertificationRequest(csrDer);
        // Feed this into https://stackoverflow.com/questions/7230330/sign-csr-using-bouncy-castle
Dave B
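As an added example (not code from the question or the answer above), here is the procedure the answer describes carried through entirely with the Bouncy Castle API (bcprov + bcpkix on the classpath): the user side builds and signs a CSR over its own key, the CA side verifies the CSR's proof of possession, issues a certificate signed with the CA's private key, and the result is verified against the CA certificate and written to a PKCS12 file together with the chain. The CA key pair and self-signed CA certificate built in main() are stand-ins for the CA certificate the question says was issued (load that from its keystore instead); the class and method names, the output path and the password are my own placeholders.

```java
// Added example, not the original poster's or answerer's code. The self-signed CA in
// main() is a demo stand-in; load the real CA certificate and key from its keystore.
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrSigningExample {
    private static final String SIG_ALG = "SHA256withRSA";
    private static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;

    // RFC 5280 requires a positive serial; a random one avoids collisions and guessability.
    private static BigInteger randomSerial() {
        return new BigInteger(64, new SecureRandom()).add(BigInteger.ONE);
    }

    // User side: the private key never leaves the user; only the CSR goes to the CA.
    static PKCS10CertificationRequest buildCsr(KeyPair userKeys, String subjectDn) throws Exception {
        ContentSigner csrSigner = new JcaContentSignerBuilder(SIG_ALG).setProvider("BC").build(userKeys.getPrivate());
        return new JcaPKCS10CertificationRequestBuilder(new X500Name(subjectDn), userKeys.getPublic()).build(csrSigner);
    }

    // CA side: check proof of possession, then issue an end-entity certificate chained to caCert.
    static X509Certificate signCsr(PKCS10CertificationRequest csr, PrivateKey caKey,
                                   X509Certificate caCert, int validDays) throws Exception {
        PublicKey requestedKey = new JcaPKCS10CertificationRequest(csr).setProvider("BC").getPublicKey();
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(requestedKey))) {
            throw new SecurityException("CSR signature invalid: requester does not hold the private key");
        }
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + validDays * ONE_DAY_MS);
        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        // Issuer name and AKI come from the CA certificate, subject and key from the CSR.
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                caCert, randomSerial(), notBefore, notAfter, csr.getSubject(), requestedKey)
            .addExtension(Extension.basicConstraints, true, new BasicConstraints(false)) // leaf, not a CA
            .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment))
            .addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
            .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(requestedKey));
        ContentSigner caSigner = new JcaContentSignerBuilder(SIG_ALG).setProvider("BC").build(caKey);
        X509CertificateHolder holder = builder.build(caSigner);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    // Demo stand-in for the issued CA certificate: a self-signed CA with cA=true and keyCertSign.
    static X509Certificate selfSignedCa(KeyPair caKeys, String dn) throws Exception {
        X500Name name = new X500Name(dn);
        Date now = new Date();
        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(name, randomSerial(),
                now, new Date(now.getTime() + 3650 * ONE_DAY_MS), name, caKeys.getPublic())
            .addExtension(Extension.basicConstraints, true, new BasicConstraints(true))
            .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign))
            .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caKeys.getPublic()));
        ContentSigner caSigner = new JcaContentSignerBuilder(SIG_ALG).setProvider("BC").build(caKeys.getPrivate());
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(builder.build(caSigner));
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair caKeys = kpg.generateKeyPair();
        X509Certificate caCert = selfSignedCa(caKeys, "CN=CompanyName CA");

        KeyPair userKeys = kpg.generateKeyPair();            // generated on the user side
        PKCS10CertificationRequest csr = buildCsr(userKeys, "CN=Owner");
        X509Certificate userCert = signCsr(csr, caKeys.getPrivate(), caCert, 365);

        // Relying-party checks: signature chains to the CA and the cert is inside its validity window.
        userCert.verify(caCert.getPublicKey());
        userCert.checkValidity();

        // Hand the user a PKCS12 holding the key and the full chain, not just the leaf.
        char[] password = "change-me".toCharArray(); // placeholder; read from a secret store in practice
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null);
        p12.setKeyEntry("owner", userKeys.getPrivate(), password,
                new java.security.cert.Certificate[] { userCert, caCert });
        try (FileOutputStream out = new FileOutputStream(args.length > 0 ? args[0] : "owner.p12")) {
            p12.store(out, password);
        }
        System.out.println("Issued " + userCert.getSubjectX500Principal() + " signed by " + userCert.getIssuerX500Principal());
    }
}
```

Two points worth keeping from the comment thread: the CSR step is not bureaucracy, it is what lets the CA confirm the requester holds the private key (isSignatureValid) without ever seeing it, which is why the key pair is generated on the user side here; and the issued PKCS12 carries the CA certificate alongside the leaf so that whoever receives it can build the chain. With a real issued CA certificate, check that it carries cA=true and keyCertSign before using it to sign, otherwise verifiers will reject the leaf.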