我使用bouncycastle(下面的代码)生成了pkcs12格式的自签名证书和私钥。它工作正常(我可以在操作系统或openssl中查看),除了一个非常重要的事情 - 我可以无处导入它。 Thunderbird,Chromium,Evolution都会出错 - 因未知原因而失败。我在几个操作系统上检查过它 - 都是一样的。但是这里有一些技巧 - 如果我将我的pkcs12(A)转换为pem并且使用openssl(openssl pkcs12 -in client.p12 -out client.pem)将此转换为pkcs12(B)之后 - 它会改变大小并且我可以导入它。我的代码出了什么问题?
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
Security.addProvider(new BouncyCastleProvider());
KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC");
kpGen.initialize(1024, random);
KeyPair keyPair = kpGen.generateKeyPair();
PublicKey RSAPubKey = keyPair.getPublic();
PrivateKey RSAPrivateKey = keyPair.getPrivate();
X500Name subjectDN = new X500Name("C=BY,O=Self-Signed,CN =" + domain);
SubjectPublicKeyInfo pubKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(RSAPubKey.getEncoded()));
X509v3CertificateBuilder v3CertBuild;
v3CertBuild = new X509v3CertificateBuilder(subjectDN,
BigInteger.valueOf(new SecureRandom().nextInt()),
new Date(System.currentTimeMillis()),
new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365 * 10)),
subjectDN,
pubKeyInfo);
DigestCalculator digCalc = new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
X509ExtensionUtils x509ExtensionUtils = new X509ExtensionUtils(digCalc);
v3CertBuild.addExtension(Extension.authorityKeyIdentifier, false, x509ExtensionUtils.createAuthorityKeyIdentifier(pubKeyInfo));
v3CertBuild.addExtension(Extension.subjectKeyIdentifier, false, x509ExtensionUtils.createSubjectKeyIdentifier(pubKeyInfo));
v3CertBuild.addExtension(MiscObjectIdentifiers.netscapeCertType,
false, new NetscapeCertType(NetscapeCertType.smime));
v3CertBuild.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
ASN1EncodableVector purposes = new ASN1EncodableVector();
purposes.add(KeyPurposeId.id_kp_emailProtection);
v3CertBuild.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
v3CertBuild.addExtension(Extension.extendedKeyUsage, false, new DERSequence(purposes));
GeneralName[] genNames = new GeneralName[1];
genNames[0] = new GeneralName(GeneralName.rfc822Name, new DERIA5String(domain));
v3CertBuild.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(genNames));
ContentSigner sigGen = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(RSAPrivateKey);
X509Certificate certificate = new JcaX509CertificateConverter().setProvider("BC").getCertificate(v3CertBuild.build(sigGen));
certificate.verify(RSAPubKey);
certificate.checkValidity(new Date(System.currentTimeMillis()));
PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) certificate;
bagAttr.setBagAttribute(
PKCSObjectIdentifiers.pkcs_9_at_friendlyName,
new DERBMPString(domain));
KeyStore kstore = KeyStore.getInstance("PKCS12", "BC");
X509Certificate[] chain = new X509Certificate[1];
chain[0] = certificate;
kstore.load(null, null);
FileOutputStream fOut = new FileOutputStream("Certificates/" + domain + ".p12");
PKCS12BagAttributeCarrier bagAttr1 = (PKCS12BagAttributeCarrier) RSAPrivateKey;
bagAttr1.setBagAttribute(
PKCSObjectIdentifiers.pkcs_9_at_friendlyName,
new DERBMPString(domain));
bagAttr1.setBagAttribute(
PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
new SubjectKeyIdentifier(RSAPubKey.getEncoded()));
kstore.setKeyEntry(domain, RSAPrivateKey, null, chain);
kstore.store(fOut, password.toCharArray());