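Sign an X509 certificate using another self-signed X509 certificate [acting as CA]

Time: 2015-04-20 18:02:54

Tags: java security certificate x509certificate digital-certificate

I created a self-signed certificate and encoded it successfully. But I want to sign this certificate with another self-signed certificate, which will act as the certificate authority.

The code is as follows: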

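import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Date;
import sun.security.tools.keytool.CertAndKeyGen; // Java 8; on Java 7 the class is sun.security.x509.CertAndKeyGen
import sun.security.x509.X500Name;

// commonName, organizationalUnit, organization, city, state, country, keysize,
// validity, alias, keyPass and writeCertificate(...) are defined elsewhere in the asker's code.
X509Certificate caCert;
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(null, null); // start from an empty keystore
// SHA1WithRSA is kept as posted; SHA-1 signatures are deprecated, SHA256WithRSA is the usual choice
CertAndKeyGen keypair = new CertAndKeyGen("RSA", "SHA1WithRSA", null);
X500Name x500Name = new X500Name(commonName, organizationalUnit, organization, city, state, country);
keypair.generate(keysize);
PrivateKey privKey = keypair.getPrivateKey();

X509Certificate[] chain = new X509Certificate[1];

// Self-signed certificate; the validity argument is in seconds
chain[0] = keypair.getSelfCertificate(x500Name, new Date(), (long) validity * 24 * 60 * 60);
keypair.getCertRequest(x500Name); // builds a PKCS#10 request; the result is not used here

keyStore.setKeyEntry(alias, privKey, keyPass, chain);

// try-with-resources closes the streams so the files are fully written
try (FileOutputStream out = new FileOutputStream("test.keystore")) {
    keyStore.store(out, keyPass);
}
caCert = (X509Certificate) keyStore.getCertificate(alias);
File crtFile = new File("saif.der");
try (FileOutputStream out = new FileOutputStream(crtFile)) {
    writeCertificate(out, caCert);
}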

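1 answer:

Answer 0: (score: 0)

Use Bouncy Castle's X509V3CertificateGenerator class to create the user certificate. Then finally use the X509V3CertificateGenerator.generateX509Certificate(privateKey) method to generate the X509Certificate. Here privateKey will be the private key of the self-signed certificate from the PKCS12. Save the user certificate in PKCS12 format.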
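
The flow the answer describes, as an added example that is not the answerer's or the asker's code: it loads the CA key from the question's test.keystore, issues a user certificate signed by that key, checks the signature, and saves the result as PKCS12. It uses JcaX509v3CertificateBuilder because X509V3CertificateGenerator is deprecated in later Bouncy Castle releases; it needs the bcprov and bcpkix jars, and the password, aliases, subject name and user.p12 file name are placeholders.

```java
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class IssueWithCa {
    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray(); // placeholder for the question's keyPass
        String caAlias = "ca";                  // placeholder for the question's alias
        // Load the CA private key and self-signed certificate from the question's PKCS12 file.
        KeyStore caStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("test.keystore")) { caStore.load(in, pass); }
        PrivateKey caKey = (PrivateKey) caStore.getKey(caAlias, pass);
        X509Certificate caCert = (X509Certificate) caStore.getCertificate(caAlias);
        // The user gets a fresh key pair; only the public half goes into the certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair userKeys = kpg.generateKeyPair();
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        // Passing caCert makes the issuer DN equal to the CA's subject DN.
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                caCert, new BigInteger(64, new SecureRandom()), notBefore, notAfter,
                new X500Principal("CN=Example User"), // constructed subject
                userKeys.getPublic());
        // Mark the issued certificate as an end entity so it cannot sign other certificates.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        // The signature is produced with the CA's private key, not the user's.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(caKey);
        X509Certificate userCert =
                new JcaX509CertificateConverter().getCertificate(builder.build(signer));
        userCert.verify(caCert.getPublicKey()); // throws if the CA key did not sign it
        // Store the user's key with the chain [user certificate, CA certificate].
        KeyStore userStore = KeyStore.getInstance("PKCS12");
        userStore.load(null, null);
        userStore.setKeyEntry("user", userKeys.getPrivate(), pass,
                new X509Certificate[] { userCert, caCert });
        try (OutputStream out = new FileOutputStream("user.p12")) { userStore.store(out, pass); }
    }
}
```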