
Currently I'm using the BouncyCastle library to generate a certificate. Something like this:

import java.util.Hashtable;
import java.util.Vector;

import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;

X509V3CertificateGenerator certGenerator = new X509V3CertificateGenerator();
certGenerator.setIssuerDN( rootCertificate.getSubjectX500Principal() );
certGenerator.setSignatureAlgorithm( "SHA1withRSA" ); // SHA-1 signatures are rejected by current clients; SHA256withRSA is the usual choice today
certGenerator.setSerialNumber( serial );
certGenerator.setNotBefore( notBefore );
certGenerator.setNotAfter( notAfter );
// The certificate must carry the NEW key pair's public key. The original passed
// rootCertificate.getPublicKey(), which would bind the issuer's key to the subject
// and contradict the SubjectKeyIdentifier computed from newKeyPair below.
certGenerator.setPublicKey( newKeyPair.getPublic() );

Hashtable<DERObjectIdentifier, String> attrs = new Hashtable<DERObjectIdentifier, String>();
Vector<DERObjectIdentifier> order = new Vector<DERObjectIdentifier>();

attrs.put( X509Principal.C, "RU" );
// other attrs.put() calls here

order.addElement( X509Principal.C );
// other order.addElement() calls here

certGenerator.setSubjectDN( new X509Principal( order, attrs ) );
// AKI links this certificate to the issuer's key; SKI identifies the subject's key. Both non-critical.
certGenerator.addExtension( X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure( rootCertificate ) );
certGenerator.addExtension( X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure( newKeyPair.getPublic() ) );

return certGenerator.generate( rootPrivateKey, "BC" );

Can I add the SubjectAltNames field to the generated certificate?

Joachim Sauer
vadipp
  • It's fine to answer your own questions, but you should probably do so as an explicit answer (so that it's more visible and can be voted on). – Joachim Sauer Aug 02 '11 at 12:19
  • @JoachimSauer: I tried to do that, but the system said I should have rep >= 100 or wait for 8 hours. So I decided that better this than nothing :) – vadipp Aug 02 '11 at 12:34
  • Oh yeah, I see. There is some restriction. I hope you don't mind if I take your answer and post it below (as community wiki, so I won't get any rep for it). – Joachim Sauer Aug 02 '11 at 12:37

1 Answer

To accomplish the task, insert the following just before the certGenerator.generate() call:

import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;

// domainNames: the host names this certificate should be valid for (any Iterable<String>)
ASN1EncodableVector alternativeNames = new ASN1EncodableVector();
for( String domainName : domainNames )
{
  alternativeNames.add( new GeneralName( GeneralName.dNSName, domainName ) );
}
// SubjectAlternativeName is non-critical (false); clients match the host name against it rather than the CN
certGenerator.addExtension( X509Extensions.SubjectAlternativeName, false, new GeneralNames( new DERSequence( alternativeNames ) ) );

(Answer provided by Double-V).

Joachim Sauer
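The snippet above targets the old X509V3CertificateGenerator API, which BouncyCastle has since deprecated. The following is an added example, not part of the question or the answer, that does the same job with the current org.bouncycastle.cert builder API: it issues a leaf certificate carrying both dNSName and iPAddress SAN entries, signs it with a (self-signed) test root, and then reads the SAN back through the standard java.security.cert API so the result can be checked. Everything here is constructed for illustration: the class name SanCertExample, the subject names example.test and www.example.test, the address 192.0.2.10, the 90-day lifetime and the method names are assumptions, not anything from the original post. It assumes bcprov and bcpkix (the "BC" provider and the cert/operator packages) are on the classpath.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example (hypothetical class); not code from the original question or answer.
public class SanCertExample {

    /** Self-signed test root used only to sign the leaf below. */
    static X509Certificate selfSignedRoot(KeyPair rootKeys) throws Exception {
        X500Name name = new X500Name("CN=Example Test Root, C=RU"); // constructed name
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(3650));
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, notBefore, notAfter, name, rootKeys.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); // CA: yes
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(rootKeys.getPrivate());
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(b.build(signer));
    }

    /** Issue an end-entity certificate whose SAN lists the given DNS names and IP addresses. */
    static X509Certificate issueLeaf(X509Certificate issuerCert, PrivateKey issuerKey, KeyPair leafKeys,
                                     String subjectDn, List<String> dnsNames, List<String> ipAddresses) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(90));
        BigInteger serial = new BigInteger(64, new SecureRandom()); // random serial, not a predictable counter

        // Issuer DN is taken from the signing certificate; the subject gets the LEAF key pair's public key.
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuerCert, serial, notBefore, notAfter, new X500Name(subjectDn), leafKeys.getPublic());

        JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
        builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(issuerCert));
        builder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(leafKeys.getPublic()));
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); // leaf, cannot sign others
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));

        // Subject Alternative Name: one GeneralName per host name / address. BC parses the
        // dotted or colon-separated IP string into the octet form the extension requires.
        List<GeneralName> names = new ArrayList<>();
        for (String dns : dnsNames) names.add(new GeneralName(GeneralName.dNSName, dns));
        for (String ip : ipAddresses) names.add(new GeneralName(GeneralName.iPAddress, ip));
        builder.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(names.toArray(new GeneralName[0])));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(issuerKey);
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    /** Read the SAN entries back: each entry is [Integer tag, value]; tag 2 = dNSName, 7 = iPAddress. */
    static List<String> sanEntries(X509Certificate cert) throws Exception {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return out; // no SAN extension at all: a host-name match against this cert will fail
        for (List<?> entry : sans) out.add(entry.get(0) + ":" + entry.get(1));
        return out;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rootKeys = kpg.generateKeyPair();
        KeyPair leafKeys = kpg.generateKeyPair();

        X509Certificate root = selfSignedRoot(rootKeys);
        X509Certificate leaf = issueLeaf(root, rootKeys.getPrivate(), leafKeys, "CN=example.test, C=RU",
                Arrays.asList("example.test", "www.example.test"), Arrays.asList("192.0.2.10"));

        leaf.verify(root.getPublicKey()); // throws if the signature does not chain to the root
        leaf.checkValidity();             // throws if outside notBefore/notAfter
        System.out.println("SAN entries: " + sanEntries(leaf));
    }
}
```

The point of reading the extension back through `getSubjectAlternativeNames()` is that this is what Java's hostname verifier (and browsers) consult when matching a server name: a certificate whose only identity is in the CN, as in the question's code before the answer's addition, is not matched by current clients, so a post-issuance check that the expected names appear in the SAN is a cheap guard against shipping a certificate that will be rejected.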