Generating certificates in Java: generating a certificate chain in Java

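This article describes in detail how to programmatically generate RSA key pairs, X509 certificates and certificate signing requests (CSRs) in Java, and discusses how to sign a CSR with a CA private key and how to integrate the CA certificate. It focuses on doing this with the `sun.security` class library, for cases where no third-party library is to be used.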


The question is how to generate a certificate chain programmatically in Java. In other words, I want to do in Java what is detailed here:

http://fusesource.com/docs/broker/5.3/security/i382664.html

Normally, I can create an RSA key for a new client:

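```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;

// log and RSA_KEY_LEN are members of the enclosing class.
private KeyPair genRSAKeyPair() {
    // Get RSA key pair generator:
    KeyPairGenerator kpg = null;
    try {
        kpg = KeyPairGenerator.getInstance("RSA");
    } catch (NoSuchAlgorithmException e) {
        log.error(e.getMessage());
        e.printStackTrace();
        return null;
    }
    // Generate RSA public/private key pair:
    kpg.initialize(RSA_KEY_LEN);
    KeyPair kp = kpg.genKeyPair();
    return kp;
}
```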

I generate the corresponding certificate:

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import sun.security.x509.*;

// Builds a self-signed certificate: subject and issuer are both dn.
private X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
        throws GeneralSecurityException, IOException {
    PrivateKey privkey = pair.getPrivate();
    X509CertInfo info = new X509CertInfo();
    Date from = new Date();
    Date to = new Date(from.getTime() + days * 86400000L);
    CertificateValidity interval = new CertificateValidity(from, to);
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X500Name owner = new X500Name(dn);

    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
    info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    // Placeholder algorithm id; it is replaced below with the one actually used to sign.
    AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));

    // Sign the cert to identify the algorithm that's used.
    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(privkey, algorithm);

    // Update the algorithm, and re-sign.
    algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
    info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
    cert = new X509CertImpl(info);
    cert.sign(privkey, algorithm);
    return cert;
}
```

Then I generate the certificate signing request and save it to the csrFile file:

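```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import sun.security.pkcs.PKCS10;
import sun.security.x509.X500Name;
import sun.security.x509.X500Signer;

public static void writeCertReq(File csrFile, String alias, String keyPass, KeyStore ks)
        throws KeyStoreException,
               NoSuchAlgorithmException,
               InvalidKeyException,
               IOException,
               CertificateException,
               SignatureException,
               UnrecoverableKeyException {
    Object[] objs = getPrivateKey(ks, alias, keyPass.toCharArray());
    PrivateKey privKey = (PrivateKey) objs[0];

    // The request carries the public key of the certificate stored under alias.
    Certificate cert = ks.getCertificate(alias);
    PKCS10 request = new PKCS10(cert.getPublicKey());

    // MD5-based signatures are collision-broken; SHA256withRSA is the usual choice today.
    String sigAlgName = "MD5WithRSA";
    Signature signature = Signature.getInstance(sigAlgName);
    signature.initSign(privKey);

    // Sign the request with the subject's own private key.
    X500Name subject = new X500Name(((X509Certificate) cert).getSubjectDN().toString());
    X500Signer signer = new X500Signer(signature, subject);
    request.encodeAndSign(signer);
    request.print(System.out);

    PrintStream ps = new PrintStream(new FileOutputStream(csrFile));
    try {
        request.print(ps);
    } finally {
        ps.close(); // flushes and closes the underlying file stream
    }
}
```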

where

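```java
import java.security.Key;
import java.security.PrivateKey;

// Returns the private key stored under alias together with its password.
private static Object[] getPrivateKey(KeyStore ks, String alias, char[] keyPass)
        throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException {
    Key key = ks.getKey(alias, keyPass);
    return new Object[] { (PrivateKey) key, keyPass };
}
```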

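Now I should sign the CSR with the CA private key, but I can't see how to do that in Java. I have "my own" CA private key in my jks.

Also, once I manage to sign the CSR, I should chain the CA certificate with the signed CSR: how can this be done in Java?

I would rather not use bc or other external libraries, just the "sun.security" classes.

Thanks.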
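
The missing step described above (a certificate whose issuer is the CA and whose signature is made with the CA private key, then stored as a chain), as an added example that is not part of the original post. It assumes the same JDK 7-era `sun.security.x509` API as the code in the post; the class name `CaSignExample`, the DNs, the alias and the password are constructed sample values.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import sun.security.x509.*;
// Added illustration (hypothetical names); assumes the JDK 7-era API used in the post.
public class CaSignExample {
    static final String SIG_ALG = "SHA256withRSA";

    // Issues a certificate for (subject, subjectKey) signed with issuerKey.
    // Self-signed is the special case issuer == subject with the subject's own key.
    static X509Certificate issue(X500Name subject, PublicKey subjectKey,
                                 X500Name issuer, PrivateKey issuerKey, int days) throws Exception {
        Date from = new Date();
        Date to = new Date(from.getTime() + days * 86400000L);
        X509CertInfo info = new X509CertInfo();
        info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
        info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(new BigInteger(64, new SecureRandom())));
        info.set(X509CertInfo.VALIDITY, new CertificateValidity(from, to));
        // JDK 8 and later expect the bare X500Name for SUBJECT and ISSUER.
        info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(subject));
        info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuer));
        info.set(X509CertInfo.KEY, new CertificateX509Key(subjectKey));
        info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get(SIG_ALG)));
        X509CertImpl cert = new X509CertImpl(info);
        cert.sign(issuerKey, SIG_ALG);
        return cert;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caPair = kpg.generateKeyPair();
        KeyPair clientPair = kpg.generateKeyPair();
        X500Name caDn = new X500Name("CN=Example Test CA");     // constructed sample names
        X500Name clientDn = new X500Name("CN=example-client");
        X509Certificate caCert = issue(caDn, caPair.getPublic(), caDn, caPair.getPrivate(), 365);
        // Take the issuer from the CA certificate's encoded subject so both names match exactly.
        X500Name issuer = new X500Name(caCert.getSubjectX500Principal().getEncoded());
        X509Certificate clientCert = issue(clientDn, clientPair.getPublic(), issuer, caPair.getPrivate(), 90);
        clientCert.verify(caCert.getPublicKey());   // throws unless the CA key made the signature
        // The chain is an array, leaf first, stored next to the client's private key.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setKeyEntry("client", clientPair.getPrivate(), "changeit".toCharArray(),
                       new Certificate[] {clientCert, caCert});
        System.out.println("chain length: " + ks.getCertificateChain("client").length);
    }
}
```

When the input is a CSR, the subject and public key passed to `issue` come from `PKCS10.getSubjectName()` and `PKCS10.getSubjectPublicKeyInfo()`; parsing the DER request with the `PKCS10(byte[])` constructor verifies the requester's signature. A CA should still decide for itself which subject name it is willing to certify.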
