Generate certificate from cert file in Java

  Pi Ke        2015-06-08 06:47:05       23,763        2    

A certificate is often used to prove the identity of a server. The certificate will contain information such as the subject and issuer of the certificate. It will also contain the validation date of the certificate. A certificate is often exported to an external cert file which is transferred over the internet. We will often see its use in SSL communication which provides secure communication between two entities.

In this post, we will show how to read the data from an external certificate file and generate a X509 certificate object with the data. This object can then be used to conduct other operation such as storing it into other keystores.

There are two types of certificate encodings:

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.   Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

in Java, we can read a certificate file and generate certificate using CertificateFactory.

try{
	CertificateFactory cf = CertificateFactory.getInstance("X.509");
	Certificate cert = cf.generateCertificate(new FileInputStream("ca.cert"));
	System.out.println(cert);
}catch(Exception ex){
	ex.printStackTrace();
}

The output may look like :

[
[
  Version: V3
  Subject: CN=CA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 28015891710605352506002662146409142433492142187151584887925047205146078947940391389965865808576725643815131249486267252759332002553992698694568297107048246915652501803858966148915970078059270226185250393130730554024665054998535862190432390443786153117598493266828011584547227968609313271445678818240488861067854938042365744721229236789448570394761961620987991340690110048148067889581746974498943743860510112173058801682609667916937379451627078420501544982391418217358066298198667559922847160674985880600134914360939391471784181286984509191059676561420834772193902060126140911992870293212919904884739549116401238001377
  public exponent: 65537
  Validity: [From: Mon Jun 08 19:40:44 SGT 2015,
               To: Sun Sep 06 19:40:44 SGT 2015]
  Issuer: CN=CA
  SerialNumber: [    24b991d3]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E6 01 F8 F2 4D DB 3D E1   F2 17 70 89 27 25 09 DA  ....M.=...p.'%..
0010: CC 28 90 0E                                        .(..
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 9F 37 F9 83 1E F3 35 DA   CF AB 2A 47 B7 63 32 6C  .7....5...*G.c2l
0010: 74 65 49 B6 6A D1 2C D3   B5 C6 EF 47 1D 35 A0 2A  teI.j.,....G.5.*
0020: 5B C4 13 14 5A 89 2F 4C   F2 49 3D 2F 2C E3 49 0C  [...Z./L.I=/,.I.
0030: 1A 9A F8 97 3D 35 BF A7   F3 09 C3 F6 99 75 3D 82  ....=5.......u=.
0040: A7 4A 78 7C C4 CA A3 80   04 89 39 10 55 EC 8A 3E  .Jx.......9.U..>
0050: AD 3A E6 5D A2 D8 C6 82   8C AB 06 55 FE 30 AC F7  .:.].......U.0..
0060: 97 17 F8 32 2F 35 AC C9   03 D0 2B 2D B7 CB B4 38  ...2/5....+-...8
0070: B7 86 B7 71 B5 84 C3 61   BB DF 03 F7 ED DD F5 A5  ...q...a........
0080: 76 71 74 BB B1 9A 3F DB   66 B0 42 DF A6 2D 71 20  vqt...?.f.B..-q 
0090: CE CB 83 ED AD D0 53 8A   10 89 42 96 17 E2 9A 97  ......S...B.....
00A0: 27 6F 5B A5 29 54 1F 6B   19 87 7A 77 2C 6A FA AF  'o[.)T.k..zw,j..
00B0: 03 28 AC E6 1D 64 E2 17   48 9A DA 60 98 B9 B2 A1  .(...d..H..`....
00C0: BC 6F 33 D9 11 2C B8 D2   94 66 8F 90 88 C4 12 9D  .o3..,...f......
00D0: DD 7C DA DA 25 F6 F9 28   9D EA A4 BB F7 C0 FE 50  ....%..(.......P
00E0: A1 84 3A C9 25 A8 B5 59   7B 81 A6 89 D6 0E C9 6D  ..:.%..Y.......m
00F0: 6B D2 8E 9E B2 81 40 FD   47 7F 20 E8 D0 B9 5D 71  k.....@.G. ...]q

]

After this, you can store the certificate into an external KeyStore file such as PKCS12. For details on how to store the certificate into a keystore such as PKCS12, please read Different types of keystore in Java -- PKCS12.

PKCS12  CERTIFICATEFACTORY  EXAMPLE  JAVA  X509 

       

  RELATED


  2 COMMENTS


Ashwin [Reply]@ 2019-07-21 04:03:16

How do i create .der file format of RSA private key?

Ke Pi [Reply]@ 2019-07-21 10:57:55

You can do something like below

KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
KeyPair pair = gen.generateKeyPair();
FileOutputStream ospvt = new FileOutputStream("pvt.der");
try {
  ospvt.write(pair.getPrivate().getEncoded());
  ospvt.flush();
} finally {
  ospvt.close();
}


  RANDOM FUN

Learning Gin while drinking Gin