I have a program in Java which currently uses private JDK classes (CertAndKeyGen and X500Name) to generate self-signed X.509 certificates.
There are too many problems with this approach:
- the internal package(s) keep changing:
    - "sun.security.x509.CertAndKeyGen", // Oracle/Sun/OpenJDK 6,7
    - "sun.security.tools.keytool.CertAndKeyGen", // Oracle/Sun/OpenJDK 8
    - "com.ibm.security.x509.CertAndKeyGen", // IBM SDK 7
    - "com.ibm.security.tools.CertAndKeyGen" // IBM SDK 8
- Apparently a JDK 7 update (u111?) recently changed the package listed above
- Java 9 will hide these classes
I would like to convert this code to use standard, supported JDK classes.
I have looked at using the ill-named CertificateFactory.generateCertificate() methods, but no luck: they cannot generate any certificate; they are only able to load an existing one.
Does anybody know a standard JDK API that can generate a self-signed certificate?
This is as far as I could go:
import java.security.*;
import java.security.cert.CertificateFactory;
import javax.security.auth.x500.X500Principal;

String dn = "CN=example.test"; // placeholder subject DN for the snippet
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
// "SHA1WithRSA" is a Signature algorithm, not a SecureRandom one; use the platform default PRNG
generator.initialize(2048, new SecureRandom());
KeyPair keyPair = generator.generateKeyPair();
PrivateKey privatekey = keyPair.getPrivate();
X500Principal principal = new X500Principal(dn);
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
// How to generate the self-signed certificate from there?
// certFactory.generateCertificate(inputStream) // only able to load an existing certificate
Note:
- We do not want to introduce a dependency on bouncy-castle if at all possible
- I already know of X509V3CertificateGenerator
- I already know of
- We do not want either to invoke keytool via a ProcessBuilder :)