I have coded in java (using bouncy castle library)my CA certificate. and now I want to sign an end entity certificate with a given private key. here is my code :

           X500Principal dnNameIssuer = new X500Principal("CN=\"" + hashedValue + " CA\", OU=PKI, O=\"" + hashedValue + ", Inc\", L=Darmstadt, ST=Hessen, C=DE");
           X500Principal dnNameSubject = dnName;
           serialNumber = new BigInteger("123127956789") ;
           keyus = new KeyUsage(KeyUsage.digitalSignature); 

           ContentSigner  signer =   new JcaContentSignerBuilder("SHA512withECDSA").build(myprivateKey);



           Date D1 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
           Date D2 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
           AuthorityKeyIdentifier AKI = new AuthorityKeyIdentifier(keyBytesPublic); 

           X509v3CertificateBuilder certBldr =  new JcaX509v3CertificateBuilder(certroot,serialNumber, D1, D2, dnName, mypublicKey);
           certBldr.addExtension(X509Extension.authorityKeyIdentifier, true, AKI); 
           certBldr.addExtension(X509Extension.subjectAlternativeName, false,new GeneralNames(new GeneralName(GeneralName.rfc822Name,"PNeODZ3wV5m2UXmJiovxdwPKZdCkB87ESsk7H8vTZKU=")));
           certBldr.addExtension(X509Extensions.KeyUsage, true, keyus);
           certBldr.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), false, new BasicConstraints(false));


                  // Build/sign the certificate.
                  X509CertificateHolder certHolder = certBldr.build(signer);

                  X509Certificate Endcert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder);
                 `

I got an error enter image description here

Can you help me. Or when someone have another way to sign an end entity certificate by a CA certificate that will be a pleasure for me.

Thanks

The error is due to an unresolved dependency. You need something similar to this

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.49</version>
</dependency>

You have some errors in your code

X500Principal dnNameIssuer = new X500Principal("CN=\"" + hashedValue + " CA\", OU=PKI, O=\"" + hashedValue + ", Inc\", L=Darmstadt, ST=Hessen, C=DE");

Avoid creating strings. Use the ca certificate issuer name extracted from X509

 X509Certificate cacert =...
 X500Name issuer = X500Name.getInstance(cacert.getSubjectX500Principal().getEncoded());

This dates are in the past

Date D1 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
Date D2 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);

Create something similar to this (+ 1 day)

Date D1 = new Date();
Date D2 = new Date(System.currentTimeMillis() + VALIDITY_PERIOD);

It's also common to add keyEncipherment to keyUsage

keyus = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment);

And also create authorityKeyIdentifier with cacert

 X509ExtensionUtils extUtils = new X509ExtensionUtils( 
 new SHA1DigestCalculator()); 
 certBldr.addExtension(Extension.authorityKeyIdentifier, false,  
  extUtils.createAuthorityKeyIdentifier(caCert))  

You have a full example of CA in project ejbca. This is the class you need.

Also here is a full example to create e final entity cert (extracted from here)

public static X509CertificateHolder buildEndEntityCert(X500Name subject,
        AsymmetricKeyParameter entityKey, AsymmetricKeyParameter caKey, 
        X509CertificateHolder caCert, String ufn) throws Exception
{
    SubjectPublicKeyInfo entityKeyInfo = SubjectPublicKeyInfoFactory.
            createSubjectPublicKeyInfo(entityKey);

    if(subject==null)
        subject = new X500Name("CN = BETaaS Gateway Certificate");

    X509v3CertificateBuilder certBldr = new X509v3CertificateBuilder(
            caCert.getSubject(),
       BigInteger.valueOf(1),
       new Date(System.currentTimeMillis()),
       new Date(System.currentTimeMillis() + VALIDITY_PERIOD),
       subject,
       entityKeyInfo);

    X509ExtensionUtils extUtils = new X509ExtensionUtils(
            new SHA1DigestCalculator());

   certBldr.addExtension(Extension.authorityKeyIdentifier, false, 
        extUtils.createAuthorityKeyIdentifier(caCert))
    .addExtension(Extension.subjectKeyIdentifier, false, 
            extUtils.createSubjectKeyIdentifier(entityKeyInfo))
     .addExtension(Extension.basicConstraints, true, 
            new BasicConstraints(false))
     .addExtension(Extension.keyUsage, true, new KeyUsage(
            KeyUsage.digitalSignature | KeyUsage.keyEncipherment))
     .addExtension(Extension.subjectAlternativeName, false, new GeneralNames(
            new GeneralName(GeneralName.rfc822Name, ufn)));

   AlgorithmIdentifier sigAlg = algFinder.find(ALG_NAME);
   AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg);

   ContentSigner signer = new BcECDSAContentSignerBuilder(sigAlg, digAlg).build(caKey);

   return certBldr.build(signer);
}

Here is basic code with bouncy castle to issue a certificate given a CA certificate, the CA private key, the subject (i.e. to be issued certificate) name and subject public key

  public static X509Certificate issueCertificate(
      @NotNull X500Name subject,
      @NotNull PublicKey subjectPublicKey,
      @NotNull PrivateKey caPrivateKey,
      @NotNull X509Certificate caCert) throws CertificateEncodingException, IOException, NoSuchAlgorithmException {

    X509CertificateHolder caCertHolder = new JcaX509CertificateHolder(caCert);
    X500Name issuer = caCertHolder.getSubject();

    X509v3CertificateBuilder certificateBuilder = createCertificateBuilder(issuer, subject, subjectPublicKey);

    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();

    certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCertHolder))
        .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(subjectPublicKey))
        .addExtension(Extension.basicConstraints, true, new BasicConstraints(false))
        .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));

    return buildX509Certificate(certificateBuilder, caPrivateKey, SHA_256_WITH_RSA);
  }

  private static X509v3CertificateBuilder createCertificateBuilder(X500Name issuerName, X500Name subjectName, PublicKey publicKey) {
    return new X509v3CertificateBuilder(
          issuerName,
          BigInteger.ONE,
          Timestamp.valueOf(LocalDateTime.now().minusDays(1L)),
          Timestamp.valueOf(LocalDateTime.now().plusYears(2L)),
          subjectName,
          SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
  }

  private static X509Certificate buildX509Certificate(X509v3CertificateBuilder certificateBuilder, PrivateKey privateKey, String algorithm) {
    ContentSigner contentSigner = buildContentSigner(algorithm, privateKey);
    X509CertificateHolder certificateHolder = certificateBuilder.build(contentSigner);
    try {
      return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
    } catch (CertificateException e) {
      throw new ApplicationException(e);
    }
  }

  private static ContentSigner buildContentSigner(String algorithm, PrivateKey privateKey) {
    try {
      return new JcaContentSignerBuilder(algorithm)
          .setProvider("BC")
          .setSecureRandom(SecureRandomFactory.getInstance())
          .build(privateKey);
    } catch (OperatorCreationException e) {
      throw new ApplicationException(e);
    }
  }