证书制作

使用bouncycastle库来制作证书(包括一个自签名证书和为他人签发证书)。

<dependency>
	<groupId>org.bouncycastle</groupId>
	<artifactId>bcpkix-jdk15on</artifactId>
	<version>1.54</version>
</dependency>

 

import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Enumeration;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class CertMakeDemo {

	public static void main(String[] args) throws Exception {
		X500Name subject = new X500Name("CN=root, O=root, OU=root");
		KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
		gen.initialize(1024);
		KeyPair pair = gen.generateKeyPair();
		X509Certificate certificate = signerSelf(subject, pair);
		System.out.println("证书：" + certificate);

		KeyStore pkcs12 = KeyStore.getInstance("PKCS12");
		pkcs12.load(null, null);
		pkcs12.setKeyEntry("root", pair.getPrivate(), "123456".toCharArray(), new Certificate[] { certificate });
		for (Enumeration<String> e = pkcs12.aliases(); e.hasMoreElements();) {
			String alias = e.nextElement();
			System.out.println(pkcs12.getCertificateChain(alias));
			System.out.println(pkcs12.getKey(alias, "123456".toCharArray()));
		}
		OutputStream out = new FileOutputStream("f:/temp/root.pfx");
		pkcs12.store(out, "123456".toCharArray());
		out.close();

		//root为张三签发证书
		X500Name zsSubject = new X500Name("CN=张三, O=张三, OU=张三");
		gen = KeyPairGenerator.getInstance("RSA");
		gen.initialize(1024);
		KeyPair zsKeypair = gen.generateKeyPair();
		X509Certificate zsCertificate = signer(zsSubject, zsKeypair.getPublic(), certificate, pair.getPrivate());
		System.out.println("张三证书：" + zsCertificate);
		out = new FileOutputStream("f:/temp/zhangsan.cer");
		out.write(zsCertificate.getEncoded());
		out.close();
	}

	public static X509Certificate signer(X500Name subject, PublicKey subjectPublicKey,// 
		X509Certificate issuerCert, PrivateKey issuerPrivateKey) throws Exception {

		X500Name issuer = X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded());
		String signatureAlgorithm = issuerCert.getSigAlgName();
		return signer(subject, subjectPublicKey, issuer, issuerPrivateKey, signatureAlgorithm);
	}

	public static X509Certificate signerSelf(X500Name subject, KeyPair pair) throws Exception {
		String signatureAlgorithm = "SHA1With" + pair.getPrivate().getAlgorithm();
		return signer(subject, pair.getPublic(), subject, pair.getPrivate(), signatureAlgorithm);
	}

	public static X509Certificate signer(X500Name subject, PublicKey subjectPublicKey,//
		X500Name issuer, PrivateKey issuerPrivateKey, String signatureAlgorithm) throws Exception {

		BigInteger sn = new BigInteger(new SimpleDateFormat("yyyyMMdd").format(new Date()));
		Date notBefore = new Date();
		Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
		SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded());
		ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(issuerPrivateKey);

		X509v3CertificateBuilder builder = new X509v3CertificateBuilder(//
			issuer, sn, notBefore, notAfter, subject, publicKeyInfo);
		byte[] certBytes = builder.build(signer).getEncoded();

		X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X509")//
			.generateCertificate(new ByteArrayInputStream(certBytes));

		return certificate;
	}
}