I'm using the following code to generate a certificate chain with a root certificate, an intermediate and an end certificate:
TestCertificates.java
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v1CertificateBuilder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.jce.X509KeyUsage;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import javax.security.auth.x500.X500Principal;
import javax.security.auth.x500.X500PrivateCredential;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.security.cert.Certificate;
public class TestX509Certificates {
private static final int VALIDITY_PERIOD = 7 * 24 * 60 * 60 * 1000; // one week
private static final int RSA_SEC_PARAM = 1024;
private static SecureRandom random = new SecureRandom();
private static final String X509_CERTIFICATE_SIGNATURE_ALGORITHM = "SHA256WITHRSAENCRYPTION";
private static final String ROOT_ALIAS = "root";
private static final String INTERMEDIATE_ALIAS = "intermediate";
private static final String END_ENTITY_ALIAS = "end";
public static KeyPair generateRSAKeyPair()
throws Exception {
KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC");
kpGen.initialize(RSA_SEC_PARAM, random);
return kpGen.generateKeyPair();
}
/**
* Generate a sample V1 certificate to use as a CA root certificate
*/
public static X509Certificate generateRootCert(KeyPair pair) throws Exception {
// Pick the public-key signature algorithm to sign certificates. We are using RSA
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(X509_CERTIFICATE_SIGNATURE_ALGORITHM);
// Pick the algorithm to perform the hashing on the information to be signed. We
// sign the resulting hash
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
// Retrieve the private key which is used to sign the certificate
AsymmetricKeyParameter privateKeyAsymKeyParam = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
// Retrieve the pulic key information used by the subject to verify
// the signature
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded());
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam);
// Define the validity period. The certificate may expire before the
// end date but not after.
Date startDate = new Date(System.currentTimeMillis());
Date endDate = new Date(System.currentTimeMillis() + VALIDITY_PERIOD);
X500Name name = new X500Name("CN=Root");
// Create unique serial number for the certificate (need to check if it
// it's actually unique)
BigInteger serialNum = BigInteger.valueOf(new SecureRandom().nextLong());
// Generate the actual certificate
X509v1CertificateBuilder certGen = new X509v1CertificateBuilder(name, serialNum, startDate, endDate, name, subPubKeyInfo);
// Sign it
X509CertificateHolder certificateHolder = certGen.build(sigGen);
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
}
/**
* Generate a sample V3 certificate to use as an intermediate CA certificate
*/
public static X509Certificate generateIntermediateCert(PublicKey intKey, PrivateKey caKey, X509Certificate caCert) throws Exception {
ASN1Sequence seq = null;
seq = (ASN1Sequence) new ASN1InputStream(intKey.getEncoded()).readObject();
SubjectPublicKeyInfo parentPubKeyInfo = new SubjectPublicKeyInfo(seq);
// Define the validity period. The certificate may expire before the
// end date but not after.
Date startDate = new Date(System.currentTimeMillis());
Date endDate = new Date(System.currentTimeMillis() + VALIDITY_PERIOD);
ContentSigner signer = null;
signer = new JcaContentSignerBuilder(X509_CERTIFICATE_SIGNATURE_ALGORITHM).build(caKey);
// Create unique serial number for the certificate (need to check if it
// it's actually unique)
BigInteger serialNum = BigInteger.valueOf(new SecureRandom().nextLong());
X509v3CertificateBuilder certGen = null;
certGen = new JcaX509v3CertificateBuilder(
caCert,
serialNum,
startDate,
endDate,
new X500Principal("CN=Intermediate Certificate"),
intKey)
.addExtension(
new ASN1ObjectIdentifier("2.5.29.35"),
false,
new AuthorityKeyIdentifier(parentPubKeyInfo))
.addExtension(
new ASN1ObjectIdentifier("2.5.29.19"),
false,
new BasicConstraints(false)) // true if it is allowed to sign other certs
.addExtension(
new ASN1ObjectIdentifier("2.5.29.15"),
true,
new X509KeyUsage(
X509KeyUsage.digitalSignature |
X509KeyUsage.nonRepudiation |
X509KeyUsage.keyEncipherment |
X509KeyUsage.dataEncipherment));
// Build/sign the certificate.
X509CertificateHolder certHolder = certGen.build(signer);
X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder);
return cert;
}
/**
* Generate a sample V3 certificate to use as an end entity certificate
*/
public static X509Certificate generateEndEntityCert(PublicKey entityKey, PrivateKey caKey, X509Certificate caCert) throws Exception {
ASN1Sequence seq = null;
seq = (ASN1Sequence) new ASN1InputStream(entityKey.getEncoded()).readObject();
SubjectPublicKeyInfo parentPubKeyInfo = new SubjectPublicKeyInfo(seq);
// Define the validity period. The certificate may expire before the
// end date but not after.
Date startDate = new Date(System.currentTimeMillis());
Date endDate = new Date(System.currentTimeMillis() + VALIDITY_PERIOD);
ContentSigner signer = null;
signer = new JcaContentSignerBuilder(X509_CERTIFICATE_SIGNATURE_ALGORITHM).build(caKey);
// Create unique serial number for the certificate (need to check if it
// it's actually unique)
BigInteger serialNum = BigInteger.valueOf(new SecureRandom().nextLong());
X509v3CertificateBuilder certGen = null;
certGen = new JcaX509v3CertificateBuilder(
caCert,
serialNum,
startDate,
endDate,
new X500Principal("CN=End Certificate"),
entityKey)
.addExtension(
new ASN1ObjectIdentifier("2.5.29.35"),
false,
new AuthorityKeyIdentifier(parentPubKeyInfo))
.addExtension(
new ASN1ObjectIdentifier("2.5.29.19"),
false,
new BasicConstraints(false)) // true if it is allowed to sign other certs
.addExtension(
new ASN1ObjectIdentifier("2.5.29.15"),
true,
new X509KeyUsage(
X509KeyUsage.digitalSignature |
X509KeyUsage.nonRepudiation |
X509KeyUsage.keyEncipherment |
X509KeyUsage.keyCertSign |
X509KeyUsage.cRLSign |
X509KeyUsage.dataEncipherment));
// Build/sign the certificate.
X509CertificateHolder certHolder = certGen.build(signer);
X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder);
return cert;
}
/**
* Generate a X500PrivateCredential for the root entity.
*/
public static X500PrivateCredential createRootCredential() throws Exception {
KeyPair rootPair = null;
rootPair = generateRSAKeyPair();
X509Certificate rootCert = generateRootCert(rootPair);
return new X500PrivateCredential(rootCert, rootPair.getPrivate(), ROOT_ALIAS);
}
/**
* Generate a X500PrivateCredential for the intermediate entity.
*/
public static X500PrivateCredential createIntermediateCredential(
PrivateKey caKey,
X509Certificate caCert) throws Exception {
KeyPair interPair = null;
interPair = generateRSAKeyPair();
X509Certificate interCert = generateIntermediateCert(interPair.getPublic(), caKey, caCert);
return new X500PrivateCredential(interCert, interPair.getPrivate(), INTERMEDIATE_ALIAS);
}
/**
* Generate a X500PrivateCredential for the end entity.
*/
public static X500PrivateCredential createEndEntityCredential(
PrivateKey caKey,
X509Certificate caCert) throws Exception {
KeyPair endPair = null;
endPair = generateRSAKeyPair();
X509Certificate endCert = generateEndEntityCert(endPair.getPublic(), caKey, caCert);
return new X500PrivateCredential(endCert, endPair.getPrivate(), END_ENTITY_ALIAS);
}
public static void main(String[] args) throws Exception {
// Retrieve root, intermediate and end entity credentials
X500PrivateCredential rootCredential = createRootCredential();
X500PrivateCredential interCredential = createIntermediateCredential(rootCredential.getPrivateKey(), rootCredential.getCertificate());
X500PrivateCredential endCredential = createEndEntityCredential(interCredential.getPrivateKey(), interCredential.getCertificate());
// client credentials
KeyStore keyStore = null;
keyStore = KeyStore.getInstance("PKCS12", "BC");
keyStore.load(null, null);
keyStore.setKeyEntry("client", endCredential.getPrivateKey(), "clientPassword".toCharArray(),
new Certificate[]{endCredential.getCertificate(), interCredential.getCertificate(), rootCredential.getCertificate()});
keyStore.store(new FileOutputStream("client.p12"), "clientPassword".toCharArray());
// trust store for client
keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, null);
keyStore.setCertificateEntry("trust", rootCredential.getCertificate());
keyStore.store(new FileOutputStream("trust.jks"), "trustPassword".toCharArray());
// server credentials
keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, null);
keyStore.setKeyEntry("server", rootCredential.getPrivateKey(), "serverPassword".toCharArray(),
new Certificate[]{rootCredential.getCertificate()});
keyStore.store(new FileOutputStream("server.jks"), "serverPassword".toCharArray());
}
}
The certificates are generated (they are present in memory and all fields appear to be valid) and written to the key store client.p12.
However, when viewing the contents of the file only a single entry is present (there is no intermediate or end certificate):
$ keytool -list -keystore client.p12 -storepass clientPassword -storetype PKCS12
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
client, Nov 8, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): B9:0D:E9:99:64:9F:49:66:3A:F6:3F:19:A7:94:59:F9:38:B8:5B:29
Reading this and this question it appears that certificate ordering is important (end certificate -> intermediate certificate -> root certificate in my case) as well as the issuer of the certificate.
But is this the case in the code above?
Edit:
Adding the -v parameter while listing the client key store gives the following output:
$ keytool -list -keystore client.p12 -storepass clientPassword -v -storetype PKCS12
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: client
Creation date: Nov 8, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=End Certificate
Issuer: CN=Intermediate Certificate
Serial number: -a5e7a9573956899
Valid from: Sun Nov 08 19:07:07 EET 2015 until: Sun Nov 15 19:07:07 EET 2015
Certificate fingerprints:
MD5: 36:2A:E5:33:EC:41:A3:74:6D:38:4E:8E:71:30:E1:42
SHA1: 6E:D6:D8:E6:9A:A7:41:68:0B:F9:86:E9:B5:2A:E2:A3:D6:08:D8:78
SHA256: 01:1A:93:42:5C:AF:B2:03:EA:3C:AD:B9:9C:DA:AF:27:68:E0:0D:B4:7C:3C:34:56:9A:68:2C:B8:01:C6:89:79
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D4 44 E3 F2 A9 87 0A 86 D6 19 4D B2 BF 25 C8 DB .D........M..%..
0010: 8A 15 96 86 ....
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_CertSign
Crl_Sign
]
*******************************************
*******************************************
Edit #1:
I have created the keystore using:
keyStore = KeyStore.getInstance("PKCS12");
and got the following output:
$ keytool -list -keystore client.p12 -storepass clientPassword -v -storetype PKCS12
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: client
Creation date: Nov 9, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=End Certificate
Issuer: CN=Intermediate Certificate
Serial number: 40f960450ce16070
Valid from: Mon Nov 09 12:08:34 EET 2015 until: Mon Nov 16 12:08:34 EET 2015
Certificate fingerprints:
MD5: 2C:1F:97:91:B9:33:D3:F4:4F:89:AA:13:43:53:F5:8A
SHA1: 41:83:C7:57:CE:B8:BC:DC:AC:E1:58:20:27:9E:05:CC:F2:F0:37:6C
SHA256: 58:57:EA:83:F7:66:45:80:EF:0E:39:8D:60:9C:C4:C8:CF:7A:74:06:07:DE:37:E0:DF:5F:0C:5C:D6:D3:0D:AC
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 1E 5E A8 36 64 31 32 5B 83 9F CF 9F F3 5F F0 17 .^.6d12[....._..
0010: EF 83 12 E5 ....
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_CertSign
Crl_Sign
]
Certificate[2]:
Owner: CN=Intermediate Certificate
Issuer: CN=Root
Serial number: 6d5f5d9bb7b110df
Valid from: Mon Nov 09 12:08:34 EET 2015 until: Mon Nov 16 12:08:34 EET 2015
Certificate fingerprints:
MD5: 0A:F1:DD:AC:15:3C:90:8F:A5:BA:72:B9:40:FB:1E:D2
SHA1: 78:DD:64:37:8F:94:F4:A1:F1:5E:80:70:89:18:0A:F4:6B:07:F8:3C
SHA256: DF:04:BB:DD:72:85:E0:CB:83:C6:73:E0:7D:F5:F3:E9:54:4E:D1:32:8C:74:A2:31:AE:BF:7A:FD:FE:29:D3:7D
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 39 C5 42 A1 3D 0F B9 5F C7 EA 32 9C 18 03 63 3D 9.B.=.._..2...c=
0010: 65 0F 30 22 e.0"
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
]
Certificate[3]:
Owner: CN=Root
Issuer: CN=Root
Serial number: 2c8b7a0f9a68a4d1
Valid from: Mon Nov 09 12:08:34 EET 2015 until: Mon Nov 16 12:08:34 EET 2015
Certificate fingerprints:
MD5: 37:29:09:F2:E5:98:E1:EC:86:35:4E:A5:7F:54:06:70
SHA1: 59:97:7E:3B:7B:5B:C5:A4:CA:17:92:24:60:EF:CE:4E:34:9D:4D:4A
SHA256: B1:7B:20:EA:09:8E:72:3A:BC:59:54:9C:7B:78:0C:D7:45:D0:3C:90:AB:81:69:78:75:3E:B9:D1:CA:01:6B:D9
Signature algorithm name: SHA256withRSA
Version: 1
*******************************************
*******************************************
The certificates are being written but the issuer and subject fields are not valid.
Edit #2:
I have created a git repository:
git clone https://github.com/Sebi1313/TestX509Certificates.git
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 老娘就宠你 的文章《Java keyStore does not properly store X509 certifi》','https://www.manongdao.com/article-853301.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}