Creating an X.509 certificate with a root CA as parent

kgsdhlau posted on 2021-07-09 in Java
Following (0) | Answers (1) | Views (383)

I have a root CA certificate that must sign the certificate I am creating.

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.RFC4519Style;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// The constants COUNTRY_NAME, STATE_NAME, LOCALITY_NAME, ORGANIZATION_NAME, ORGANIZATION_UNIT_NAME,
// EMAIL_ADDRESS, ISSUER, SERIAL_NUMBER_LENGTH, YEARS_VALID and CERTIFICATE_TYPE are assumed to be
// defined elsewhere in the enclosing class.
public static X509Certificate generateCertificate(final PublicKey publicKey,
                                                  final PrivateKey privateKey,
                                                  final String signingAlgorithm,
                                                  final GeneralNames names)
    throws IOException, CertificateException, OperatorCreationException, NoSuchAlgorithmException
{
    // Subject name of the certificate being issued
    final X500NameBuilder subject = new X500NameBuilder(RFC4519Style.INSTANCE);
    subject.addRDN(BCStyle.C, COUNTRY_NAME);
    subject.addRDN(BCStyle.ST, STATE_NAME);
    subject.addRDN(BCStyle.L, LOCALITY_NAME);
    subject.addRDN(BCStyle.O, ORGANIZATION_NAME);
    subject.addRDN(BCStyle.OU, ORGANIZATION_UNIT_NAME);
    subject.addRDN(BCStyle.E, EMAIL_ADDRESS);

    // Issuer name built by hand; note that it is never used below, because the
    // JcaX509v3CertificateBuilder constructor takes the issuer name from the root CA certificate.
    final X500NameBuilder issuer = new X500NameBuilder(RFC4519Style.INSTANCE);
    issuer.addRDN(BCStyle.C, COUNTRY_NAME);
    issuer.addRDN(BCStyle.ST, STATE_NAME);
    issuer.addRDN(BCStyle.L, LOCALITY_NAME);
    issuer.addRDN(BCStyle.O, ORGANIZATION_NAME);
    issuer.addRDN(BCStyle.OU, ISSUER);

    // Random serial number and validity window
    final BigInteger sn = new BigInteger(SERIAL_NUMBER_LENGTH, new SecureRandom());
    final Date validFrom = Calendar.getInstance().getTime();
    final Calendar c = Calendar.getInstance();
    c.add(Calendar.YEAR, YEARS_VALID);
    final Date validUntil = c.getTime();

    // Load the root CA certificate from disk (stream closed by try-with-resources)
    final File file = new File("PATH TO ROOT CA");
    final CertificateFactory fact = CertificateFactory.getInstance("X.509");
    final X509Certificate cer;
    try (FileInputStream in = new FileInputStream(file)) {
        cer = (X509Certificate) fact.generateCertificate(in);
    }

    // Signer: the private key passed in must be the root CA's key for the signature to chain to cer
    final JcaContentSignerBuilder builder = new JcaContentSignerBuilder(signingAlgorithm);
    final ContentSigner signer = builder.build(privateKey);

    // Issuer name is taken from the root CA certificate, subject from the builder above
    final X509v3CertificateBuilder certBuilder =
        new JcaX509v3CertificateBuilder(cer, sn, validFrom, validUntil, subject.build(), publicKey);
    final BasicConstraints constr = new BasicConstraints(false); // end-entity, not a CA
    final KeyUsage usage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment);
    certBuilder.addExtension(Extension.keyUsage, false, usage);
    certBuilder.addExtension(Extension.subjectAlternativeName, false, names);
    certBuilder.addExtension(Extension.basicConstraints, false, constr);
    // certBuilder.addExtension(Extension.authorityKeyIdentifier, false, utiles.createAuthorityKeyIdentifier(cer));
    // Subject key identifier: here set to the raw DER-encoded public key
    certBuilder.addExtension(Extension.subjectKeyIdentifier, false,
                             new SubjectKeyIdentifier(publicKey.getEncoded()));

    // Sign, then convert the Bouncy Castle holder back into a JCA X509Certificate
    final byte[] certBytes = certBuilder.build(signer).getEncoded();
    final CertificateFactory certificateFactory = CertificateFactory.getInstance(CERTIFICATE_TYPE);
    return (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes));
}

I have tried many approaches but cannot find the exact solution. Also, I do not understand what I have to set in the subject key identifier extension.

acruukt9 #1

It seems you are not carrying out the X.509 certificate generation process correctly:
you generate a certificate signing request (CSR), which is basically the structure of your certificate, not yet signed by a CA;
the certificate authority (in this case your root CA) signs this CSR.
Take a look at "Sign CSR using Bouncy Castle", which is probably what you are looking for.
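The following is an added, self-contained example, not code from the question or the answer above, showing the flow the answer describes with Bouncy Castle: the end entity builds a PKCS#10 CSR with its own key pair, and the root CA verifies the CSR's proof-of-possession signature and signs it with the CA private key, taking the issuer name from the CA certificate. It also shows the conventional way to fill the Subject Key Identifier the question asks about: JcaX509ExtensionUtils derives it from the subject public key (a hash of the key, RFC 5280 section 4.2.1.2) rather than storing the raw encoded key, and the matching Authority Key Identifier is taken from the CA certificate so chain builders can link leaf to issuer. The names, validity periods and the throwaway self-signed root CA are constructed for the demo (in practice you would load your existing CA certificate and key); it needs bcprov and bcpkix on the classpath.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrSigningDemo {
    private static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;
    private static final String SIG_ALG = "SHA256withRSA";

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);

        // 1. Constructed throwaway root CA; replace with your real CA certificate and key.
        KeyPair caKeys = kpg.generateKeyPair();
        X509Certificate caCert = selfSignedCa(caKeys);

        // 2. The end entity creates its own key pair and a CSR signed with its private key.
        KeyPair leafKeys = kpg.generateKeyPair();
        X500Name leafSubject = new X500Name("CN=example.test, O=Example Org, C=US"); // constructed
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(leafSubject, leafKeys.getPublic())
                .build(new JcaContentSignerBuilder(SIG_ALG).build(leafKeys.getPrivate()));

        // 3. The CA signs the CSR: issuer = CA subject name, signature = CA private key.
        GeneralNames sans = new GeneralNames(new GeneralName(GeneralName.dNSName, "example.test"));
        X509Certificate leaf = signCsr(csr, caCert, caKeys, sans);

        // 4. Check the result chains to the CA: signature verifies under the CA public key.
        leaf.verify(caCert.getPublicKey());
        System.out.println("issuer : " + leaf.getIssuerX500Principal());
        System.out.println("subject: " + leaf.getSubjectX500Principal());
    }

    // Self-signed CA certificate: basicConstraints CA=true and keyCertSign marked critical.
    static X509Certificate selfSignedCa(KeyPair caKeys) throws Exception {
        X500Name name = new X500Name("CN=Demo Root CA, O=Example Org, C=US"); // constructed
        JcaX509ExtensionUtils ext = new JcaX509ExtensionUtils();
        Date now = new Date();
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, new BigInteger(159, new SecureRandom()), now,
                new Date(now.getTime() + 3650 * ONE_DAY_MS), name, caKeys.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        b.addExtension(Extension.subjectKeyIdentifier, false, ext.createSubjectKeyIdentifier(caKeys.getPublic()));
        return toJca(b.build(new JcaContentSignerBuilder(SIG_ALG).build(caKeys.getPrivate())));
    }

    // Issue an end-entity certificate from a CSR, signed by the CA key.
    static X509Certificate signCsr(PKCS10CertificationRequest csr, X509Certificate caCert,
                                   KeyPair caKeys, GeneralNames sans) throws Exception {
        // Reject a CSR whose self-signature does not verify under the key it carries.
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC")
                .build(csr.getSubjectPublicKeyInfo()))) {
            throw new IllegalArgumentException("CSR signature invalid");
        }
        JcaX509ExtensionUtils ext = new JcaX509ExtensionUtils();
        Date now = new Date();
        X509v3CertificateBuilder b = new X509v3CertificateBuilder(
                new JcaX509CertificateHolder(caCert).getSubject(),   // issuer = CA's subject name
                new BigInteger(159, new SecureRandom()), now,
                new Date(now.getTime() + 365 * ONE_DAY_MS),
                csr.getSubject(), csr.getSubjectPublicKeyInfo());    // subject and key from the CSR
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); // not a CA
        b.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        b.addExtension(Extension.subjectAlternativeName, false, sans);
        // SKI: hash-derived identifier of the subject key (RFC 5280 method), not the raw encoded key.
        b.addExtension(Extension.subjectKeyIdentifier, false,
                ext.createSubjectKeyIdentifier(csr.getSubjectPublicKeyInfo()));
        // AKI: references the CA certificate's key so path builders can locate the issuer.
        b.addExtension(Extension.authorityKeyIdentifier, false, ext.createAuthorityKeyIdentifier(caCert));
        return toJca(b.build(new JcaContentSignerBuilder(SIG_ALG).setProvider("BC").build(caKeys.getPrivate())));
    }

    // Convert a Bouncy Castle certificate holder into a JCA X509Certificate.
    static X509Certificate toJca(X509CertificateHolder holder) throws Exception {
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }
}
```

Two points worth checking on your own output: `leaf.verify(caCert.getPublicKey())` throws if the signing key does not belong to the CA whose name appears as issuer (the situation the question's code can produce when an unrelated `privateKey` is passed in), and `keytool -printcert` or `openssl x509 -text` on the result should show the leaf's Authority Key Identifier equal to the CA's Subject Key Identifier.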
