How to issue digital certificates with Java code

Source: Internet
Author: User

Issuing digital certificates in Java

Open cmd.

1. Enter D:

2. Enter cd keys

3. Enter the following command to view the list of certificates in the keystore created earlier:

keytool -list -v -keystore mykey.keystore -storepass 123456

4. Install the previously exported server.cer file into the operating system, accepting the defaults in the import wizard.

5. Create a key pair, as before, by entering the following commands:

-- Create a key pair

keytool -genkey -dname "CN=tmp, OU=nc, O=shanghai University, L=zb, ST=SHANGHAI, C=CN" -alias client -keyalg RSA -keystore myclientkey.store -keypass 654321 -storepass 654321 -validity 1000

-- Export the public key certificate

keytool -export -alias client -file client.cer -keystore myclientkey.store -storepass 654321

Double-click client.cer to view it.

The certificate is not trusted by the system, and both the issuer and the subject ("issued to") are tmp, because it is self-signed.

6. Issue the certificate. Here a Java program does the issuing; the same could be done with OpenSSL, or by submitting the request to a formal CA.

Because server.cer is installed on the client computer, the client operating system trusts any certificate issued by the key behind server.cer.

So the key of server.cer is used here to issue client.cer.

Issuing code:

    package com.syspro.test;

    import java.io.*;
    import java.security.*;
    import java.security.cert.*;
    import java.util.*;
    import java.math.*;
    import sun.security.x509.*;

    // Note: sun.security.x509 is a JDK-internal API. It is not exported on Java 9 and
    // later without --add-exports java.base/sun.security.x509=ALL-UNNAMED, and it may
    // change between JDK releases.
    public class SignCert {
        private String mKeyStore = "D:/keys/mykey.keystore";          // keystore path
        private char[] mKeyStorePass = "123456".toCharArray();        // keystore password
        private char[] mSignPrivateKeyPass = "123456".toCharArray(); // password needed to read the issuer's private key
        private String mSignCertAlias = "keytest";                    // issuer alias
        private String mSignedCert = "D:/keys/client.cer";            // certificate to be signed
        private String mNewCert = "D:/keys/clientsignkey.cer";        // full name of the new certificate after issuing
        private int mValidityDay = 3000;                              // validity period of the new certificate (days)
        private PrivateKey mSignPrivateKey = null;                    // issuer's private key
        private X509CertInfo mSignCertInfo = null;                    // issuer certificate information
        private X509CertInfo mSignedCertInfo = null;                  // information of the certificate being signed

        public void sign() throws Exception {
            try {
                // Certificate signing
                getSignCertInfo();      // read the issuer certificate information
                signCertificate();      // fill the certificate to be signed with the issuer information
                createNewCertificate(); // sign, then create and save the new certificate
            } catch (Exception e) {
                System.out.println("Error:" + e.getMessage());
            }
        }

        /**
         * Obtain the issuer (signing) certificate information
         * @throws Exception
         */
        private void getSignCertInfo() throws Exception {
            FileInputStream vFin = null;
            KeyStore vKeyStore = null;
            java.security.cert.Certificate vCert = null;
            X509CertImpl vCertImpl = null;
            byte[] vCertData = null;

            // Open the keystore holding the issuer certificate
            vFin = new FileInputStream(mKeyStore);
            vKeyStore = KeyStore.getInstance("JKS");
            vKeyStore.load(vFin, mKeyStorePass);

            // Get the issuer certificate
            vCert = vKeyStore.getCertificate(mSignCertAlias);
            vCertData = vCert.getEncoded();
            vCertImpl = new X509CertImpl(vCertData);

            // Get the issuer certificate information and the issuer's private key
            mSignCertInfo = (X509CertInfo) vCertImpl.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
            mSignPrivateKey = (PrivateKey) vKeyStore.getKey(mSignCertAlias, mSignPrivateKeyPass);
            vFin.close();
        }

        /**
         * Obtain the information of the certificate to be signed and prepare it for signing
         *
         * @throws Exception
         */
        private void signCertificate() throws Exception {
            FileInputStream vFin = null;
            java.security.cert.Certificate vCert = null;
            CertificateFactory vCertFactory = null;
            byte[] vCertData = null;
            X509CertImpl vCertImpl = null;

            // Read the certificate to be signed
            vFin = new FileInputStream(mSignedCert);
            vCertFactory = CertificateFactory.getInstance("X.509");
            vCert = vCertFactory.generateCertificate(vFin);
            vFin.close();
            vCertData = vCert.getEncoded();

            // Set the new certificate information: validity, serial number, issuer, signature algorithm
            vCertImpl = new X509CertImpl(vCertData);
            mSignedCertInfo = (X509CertInfo) vCertImpl.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
            mSignedCertInfo.set(X509CertInfo.VALIDITY, getCertValidity());
            mSignedCertInfo.set(X509CertInfo.SERIAL_NUMBER, getCertSerialNumber());
            // The issuer of the new certificate is the subject of the signing certificate
            mSignedCertInfo.set(X509CertInfo.ISSUER + "." + CertificateIssuerName.DN_NAME,
                    mSignCertInfo.get(X509CertInfo.SUBJECT + "." + CertificateIssuerName.DN_NAME));
            mSignedCertInfo.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, getAlgorithm());
        }

        /**
         * Sign the certificate and save the new certificate
         *
         * @throws Exception
         */
        private void createNewCertificate() throws Exception {
            FileOutputStream vOut = null;
            X509CertImpl vCertImpl = null;

            // Build the new certificate from the prepared certificate information
            vCertImpl = new X509CertImpl(mSignedCertInfo);
            // Compute the signature of the new certificate with the issuer's private key.
            // MD5withRSA is kept here because the original uses it; MD5 collisions are practical,
            // so a real issuer should use SHA256withRSA (and set the matching AlgorithmId below).
            vCertImpl.sign(mSignPrivateKey, "MD5withRSA");
            vOut = new FileOutputStream(mNewCert);
            // Save as a DER-encoded binary X.509 certificate
            vCertImpl.derEncode(vOut);
            vOut.close();
        }

        // Auxiliary methods ===========================================================================

        /**
         * Get the validity period of the new certificate
         *
         * @throws Exception
         * @return CertificateValidity
         */
        private CertificateValidity getCertValidity() throws Exception {
            // milliseconds per day times the number of days (the 24 * 60 * 60 factor was
            // lost in the copied page and is restored here)
            long vValidity = (24 * 60 * 60 * 1000L) * mValidityDay;
            Calendar vCal = null;
            Date vBeginDate = null, vEndDate = null;

            vCal = Calendar.getInstance();
            vBeginDate = vCal.getTime();
            vEndDate = vCal.getTime();
            vEndDate.setTime(vBeginDate.getTime() + vValidity);
            return new CertificateValidity(vBeginDate, vEndDate);
        }

        /**
         * Get the serial number of the new certificate
         *
         * @return CertificateSerialNumber
         */
        private CertificateSerialNumber getCertSerialNumber() {
            Calendar vCal = null;
            vCal = Calendar.getInstance();
            int vSerialNum = 0;
            // Seconds since the epoch, truncated to int: this repeats for certificates issued
            // in the same second, is predictable, and overflows in 2038. Serial numbers must be
            // unique per issuer; see the note after the class.
            vSerialNum = (int) (vCal.getTimeInMillis() / 1000);
            return new CertificateSerialNumber(vSerialNum);
        }

        /**
         * Get the signature algorithm of the new certificate
         *
         * @return AlgorithmId
         */
        private AlgorithmId getAlgorithm() {
            AlgorithmId vAlgorithm = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
            return vAlgorithm;
        }

        public static void main(String args[]) throws UnsupportedEncodingException {
            SignCert s = new SignCert();
            try {
                s.sign();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
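The three helper methods above are where the weak choices sit: a serial number derived from the clock, a validity computed by hand, and MD5withRSA. The following class is an added example (not part of the original post) showing hardened replacements that plug into the same sun.security.x509 types: a random serial number from SecureRandom, a validity period built with java.time, and SHA-256 with RSA. It assumes a JDK 8 style sun.security.x509.AlgorithmId that still exposes the sha256WithRSAEncryption_oid field; the class name IssuerHelpers is mine.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Date;
import sun.security.x509.AlgorithmId;
import sun.security.x509.CertificateSerialNumber;
import sun.security.x509.CertificateValidity;

/**
 * Hardened replacements for getCertSerialNumber(), getCertValidity() and
 * getAlgorithm() of SignCert (added example, hypothetical class name).
 */
public class IssuerHelpers {
    private static final SecureRandom RNG = new SecureRandom();

    // RFC 5280 requires a positive serial number of at most 20 octets that is unique
    // per issuer; public CAs are also required to put at least 64 bits of entropy in it.
    // 120 random bits gives 15 octets, so the DER INTEGER never needs a leading sign byte.
    static BigInteger newSerialNumber() {
        BigInteger serial;
        do {
            serial = new BigInteger(120, RNG);
        } while (serial.signum() == 0);   // zero is not a valid serial number
        return serial;
    }

    static CertificateSerialNumber newCertSerialNumber() {
        return new CertificateSerialNumber(newSerialNumber());
    }

    // Validity computed with java.time instead of hand-rolled millisecond arithmetic.
    // notBefore is backdated by five minutes so a client whose clock is slightly behind
    // the issuer does not reject a freshly issued certificate.
    static CertificateValidity validity(int days) {
        Instant notBefore = Instant.now().minus(5, ChronoUnit.MINUTES);
        Instant notAfter = notBefore.plus(days, ChronoUnit.DAYS);
        return new CertificateValidity(Date.from(notBefore), Date.from(notAfter));
    }

    // SHA-256 with RSA in place of MD5 with RSA. The OID placed in the TBS certificate
    // must match the algorithm name passed to X509CertImpl.sign(), otherwise the
    // two AlgorithmIdentifier fields of the certificate disagree and validators reject it.
    static final String SIGNATURE_ALGORITHM = "SHA256withRSA";

    static AlgorithmId signatureAlgorithm() {
        return new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid);
    }
}
```

To use these in SignCert, replace the three calls in signCertificate() with IssuerHelpers.validity(mValidityDay), IssuerHelpers.newCertSerialNumber() and IssuerHelpers.signatureAlgorithm(), and change the sign call in createNewCertificate() to vCertImpl.sign(mSignPrivateKey, IssuerHelpers.SIGNATURE_ALGORITHM). Both the TBS algorithm field and the sign() argument have to change together.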

Open the new certificate clientsignkey.cer after signing completes.

You will see that the operating system now trusts the certificate, and that the issuer has become localhost, the subject of server.cer.
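Trust shown by the operating system's certificate viewer is only one check. The following added example (not part of the original post) verifies the issued certificate against the CA certificate with the public java.security.cert API only: issuer DN equals the CA subject DN, the signature verifies with the CA public key, the certificate is currently valid, and it flags the two weaknesses of the issuing code, an MD5-based signature and a short serial number. It reads the page's own files D:/keys/server.cer and D:/keys/clientsignkey.cer; the class name IssuedCertCheck and the path arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Checks an issued certificate against its CA certificate (added example). */
public class IssuedCertCheck {

    static X509Certificate load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Returns the list of findings; an empty list means the certificate checks out. */
    static List<String> check(X509Certificate ca, X509Certificate issued) {
        List<String> findings = new ArrayList<>();

        // The issuer name written by SignCert must equal the CA's subject name.
        if (!issued.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) {
            findings.add("issuer DN " + issued.getIssuerX500Principal()
                    + " does not match CA subject DN " + ca.getSubjectX500Principal());
        }

        // The signature must verify with the CA public key; this catches a mismatch
        // between the TBS AlgorithmId and the algorithm passed to sign().
        try {
            issued.verify(ca.getPublicKey());
        } catch (Exception e) {
            findings.add("signature does not verify with the CA key: " + e);
        }

        // Validity window of the issued certificate.
        try {
            issued.checkValidity();
        } catch (Exception e) {
            findings.add("certificate is not currently valid: " + e);
        }

        // Weak signature algorithm (the original code signs with MD5withRSA).
        String sigAlg = issued.getSigAlgName();
        if (sigAlg.toUpperCase().contains("MD5") || sigAlg.toUpperCase().contains("SHA1")) {
            findings.add("weak signature algorithm " + sigAlg);
        }

        // Serial number entropy (the original code uses seconds since the epoch as an int).
        if (issued.getSerialNumber().bitLength() < 64) {
            findings.add("serial number has only " + issued.getSerialNumber().bitLength()
                    + " bits; unique, unpredictable serials need at least 64");
        }

        // A CA certificate produced by keytool -genkey has no BasicConstraints extension,
        // so strict path validators (CertPathValidator, browsers) may refuse the chain
        // even though a bare signature check passes.
        if (ca.getBasicConstraints() == -1) {
            findings.add("CA certificate lacks BasicConstraints cA=true");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        String caPath = args.length > 0 ? args[0] : "D:/keys/server.cer";
        String issuedPath = args.length > 1 ? args[1] : "D:/keys/clientsignkey.cer";
        List<String> findings = check(load(caPath), load(issuedPath));
        if (findings.isEmpty()) {
            System.out.println("OK: " + issuedPath + " chains to " + caPath);
        } else {
            for (String f : findings) {
                System.out.println("FINDING: " + f);
            }
        }
    }
}
```

Run against the certificates produced by the steps above, the signature, name and validity checks pass, while the MD5 and serial-number findings are reported until the helper methods are hardened.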

The signed certificate clientsignkey.cer and the CA certificate server.cer are then imported into the myclientkey.store keystore with the following commands. Note the order.

First import the CA certificate:

keytool -import -alias ca -keystore D:\keys\myclientkey.store -trustcacerts -file D:\keys\server.cer -storepass 654321

Note that -alias is different from before.

Then import the signed certificate:

keytool -import -alias client -keystore D:\keys\myclientkey.store -trustcacerts -file D:\keys\clientsignkey.cer -storepass 654321

Note that -alias is the same as before (client), so the signed certificate replaces the self-signed certificate of that key entry; keytool can only build the chain because the CA certificate was imported first.

After that, modify Tomcat's server.xml as follows:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" enableLookups="true"
               disableUploadTimeout="true" acceptCount="100"
               maxThreads="MAX_THREADS" scheme="https" secure="true"
               SSLEnabled="true" sslProtocol="TLS"
               clientAuth="false"
               keystoreFile="D:\keys\myclientkey.store"
               keystorePass="654321"/>

(MAX_THREADS is a placeholder; the value was lost from the original page.)

Then start Tomcat and you will notice that the browser no longer prompts about an untrusted certificate.

