I need to create an X509 certificate with Bouncy Castle that serves as CA certificate. The certificate will be added manually to the trusted CA list of web browsers. It will be used to sign server certificates.

How do I do this? Apart from the usual certificate attributes there are some additional things that must be included (critical attribute saying this is CA, ...).

It should work at least in the most important browsers (of course only in those that allow a configuration of root CAs).

Gustave
  • The answer on that question seems to be a good start: http://stackoverflow.com/questions/12679533/how-do-i-use-bouncycastle-to-generate-a-root-certificate-and-then-a-site-certifi (But it probably won't work as it is because of the DSA keys.) – Gustave Jul 24 '15 at 19:47
  • Basic Constraints: http://www.alvestrand.no/objectid/2.5.29.19.html , certificate extensions: https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Standard_X.509_v3_Certificate_Extensions.html – Gustave Jul 24 '15 at 20:10
  • All About Certificate Extensions: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/nss_tech_notes/nss_tech_note3 – Gustave Jul 24 '15 at 20:22

1 Answer

I did this:

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Base64;
import java.util.Calendar;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v1CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
rsa.initialize(4096);
KeyPair kp = rsa.generateKeyPair();

// Validity period: from now until one year from now
Calendar cal = Calendar.getInstance();
cal.add(Calendar.YEAR, 1);

// Wrap the JCA-encoded public key in Bouncy Castle's SubjectPublicKeyInfo
byte[] pk = kp.getPublic().getEncoded();
SubjectPublicKeyInfo bcPk = SubjectPublicKeyInfo.getInstance(pk);

// Self-signed: issuer and subject are the same name.
// A version 1 certificate carries no extensions at all.
X509v1CertificateBuilder certGen = new X509v1CertificateBuilder(
        new X500Name("CN=CA Cert"),
        BigInteger.ONE,
        new Date(),
        cal.getTime(),
        new X500Name("CN=CA Cert"),
        bcPk
);

X509CertificateHolder certHolder = certGen
        .build(new JcaContentSignerBuilder("SHA1withRSA").build(kp.getPrivate()));

// PEM output. java.util.Base64 replaces sun.misc.BASE64Encoder, which is
// internal API and was removed in Java 9; 64-column MIME wrapping matches PEM.
Base64.Encoder encoder = Base64.getMimeEncoder(64, "\n".getBytes());

System.out.println("CA CERT");
System.out.println("-----BEGIN CERTIFICATE-----");
System.out.println(encoder.encodeToString(certHolder.getEncoded()));
System.out.println("-----END CERTIFICATE-----");

System.exit(0);
anger
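Added example, not part of the question or the answer above: a Bouncy Castle (bcprov + bcpkix) program that builds the version 3 root CA with the extensions the question asks about (BasicConstraints cA=TRUE and KeyUsage keyCertSign|cRLSign, both marked critical, plus a SubjectKeyIdentifier), then issues a server certificate from it with cA=FALSE, a serverAuth EKU, a DNS SAN and an AuthorityKeyIdentifier, and verifies both signatures before printing PEM. The class and method names (CaDemo, buildRootCa, buildServerCert, sign, toPem), the subject names and the DNS name are assumptions chosen for illustration; the Bouncy Castle classes and the JCA calls are the real APIs.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Hypothetical class name; everything below is an illustration, not the answer's code.
public class CaDemo {

    static KeyPair newRsaKeyPair(int bits) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(bits);
        return gen.generateKeyPair();
    }

    /** Self-signed v3 root: cA=TRUE and keyCertSign|cRLSign, both critical. */
    static X509Certificate buildRootCa(KeyPair caKey, String dn, int validityDays) throws Exception {
        X500Name name = new X500Name(dn);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(validityDays));
        JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();

        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, randomSerial(), notBefore, notAfter, name, caKey.getPublic());
        // The two extensions the question is about: "this is a CA" and "this key only signs certs/CRLs".
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        // SKI lets chain builders match the leaf's AuthorityKeyIdentifier to this root.
        b.addExtension(Extension.subjectKeyIdentifier, false,
                utils.createSubjectKeyIdentifier(caKey.getPublic()));
        return sign(b, caKey.getPrivate());
    }

    /** End-entity cert issued by the CA: cA=FALSE, TLS key usage, serverAuth EKU, DNS SAN. */
    static X509Certificate buildServerCert(X509Certificate caCert, PrivateKey caPriv, PublicKey serverPub,
                                           String dn, String dnsName, int validityDays) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(validityDays));
        JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
        // Take the issuer name byte-for-byte from the CA certificate so it matches exactly.
        X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());

        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                issuer, randomSerial(), notBefore, notAfter, new X500Name(dn), serverPub);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        b.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
        b.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, dnsName)));
        b.addExtension(Extension.authorityKeyIdentifier, false,
                utils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
        b.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(serverPub));
        return sign(b, caPriv);
    }

    static X509Certificate sign(X509v3CertificateBuilder b, PrivateKey key) throws Exception {
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(key);
        X509CertificateHolder holder = b.build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }

    static BigInteger randomSerial() {
        // Positive random serial; 159 bits stays inside RFC 5280's 20-octet limit.
        return new BigInteger(159, new SecureRandom());
    }

    static String toPem(Object o) throws IOException {
        StringWriter sw = new StringWriter();
        try (JcaPEMWriter w = new JcaPEMWriter(sw)) { w.writeObject(o); }
        return sw.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPair caKey = newRsaKeyPair(4096);
        X509Certificate ca = buildRootCa(caKey, "CN=Example Root CA,O=Example", 3650);
        KeyPair srvKey = newRsaKeyPair(2048);
        X509Certificate srv = buildServerCert(ca, caKey.getPrivate(), srvKey.getPublic(),
                "CN=www.example.test", "www.example.test", 397);

        // Checks worth running before importing the root into a browser.
        ca.verify(ca.getPublicKey());   // self-signature is valid
        srv.verify(ca.getPublicKey());  // leaf really chains to the root
        if (ca.getBasicConstraints() < 0) throw new IllegalStateException("root is not marked as a CA");
        if (srv.getBasicConstraints() != -1) throw new IllegalStateException("leaf must not be a CA");

        System.out.print(toPem(ca));
        System.out.print(toPem(srv));
    }
}
```

SHA256withRSA is used because current browsers reject SHA-1 signatures on certificates. `new BasicConstraints(true)` leaves the path length unconstrained; `new BasicConstraints(0)` would forbid intermediates under this root, which is the tighter setting when only server certificates will ever be issued directly from it.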