Creating an X509 Certificate in Java Without BouncyCastle

Creating an X509 Certificate in Java without BouncyCastle?

The ability to sign certificates is not part of a standard Java library or extension.

A lot of the code that is needed to do it yourself is part of the core. There are classes to encode and decode X.500 names, X.509 certificate extensions, public keys for various algorithms, and of course, for actually performing the digital signature.

Implementing this yourself is not trivial, but it is definitely doable—I probably spent 4 or 5 full days the first time I made a working prototype for certificate signing. It was a fantastic learning exercise for me, but it's hard to justify that expense when there are usable libraries available for free.

How to generate a self-signed certificate using only JDK supported classes?

Ok, then I guess it does not exist.

The RFE I submitted to the JDK has been accepted and there is now an official bug for it: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8165481

What is the API for generating self-signed certificates in Java 9-19?

You can use utility classes from OkHttp to achieve this:

https://github.com/square/okhttp/tree/master/okhttp-tls

A HeldCertificate is a certificate and its private key. Use the builder to create a self-signed certificate that a test server can use for HTTPS:

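import java.net.InetAddress;
import okhttp3.tls.HeldCertificate;

// Self-signed certificate whose subject alternative name is the canonical name of localhost
String localhost = InetAddress.getByName("localhost").getCanonicalHostName();
HeldCertificate localhostCertificate = new HeldCertificate.Builder()
    .addSubjectAlternativeName(localhost)
    .build();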

How to generate self-signed certificate in Java with JDK17

If anyone is interested, a basic and crude implementation relying on keytool is available here: KeytoolCertificateGenerator.java
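
A sketch of the keytool-based approach mentioned in the answer above, added here as an example; it is not the linked KeytoolCertificateGenerator.java or any other code from the answers. The class name, the alias "server" and the environment variable KS_PASS are assumptions made for illustration. It asks the JDK's own keytool for a self-signed certificate, passes the keystore password through the environment rather than the command line, and then checks that the result really is signed by its own key.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.UUID;

public class KeytoolSelfSigned {
    // Hypothetical helper: runs the JDK's keytool and loads the PKCS12 keystore it wrote.
    static KeyStore generate(String host, char[] password) throws Exception {
        Path dir = Files.createTempDirectory("selfsigned"); // owner-only on POSIX systems
        Path file = dir.resolve("keystore.p12");            // keytool creates this file itself
        String keytool = Path.of(System.getProperty("java.home"), "bin", "keytool").toString();
        // Arguments go straight to the process (no shell), but host still ends up in the DN:
        // only pass a validated host name here.
        ProcessBuilder pb = new ProcessBuilder(keytool, "-genkeypair",
                "-alias", "server", "-keyalg", "RSA", "-keysize", "2048",
                "-sigalg", "SHA256withRSA", "-validity", "30",
                "-dname", "CN=" + host, "-ext", "SAN=dns:" + host,
                "-storetype", "PKCS12", "-keystore", file.toString(),
                "-storepass:env", "KS_PASS"); // password read from the environment, not argv
        pb.environment().put("KS_PASS", new String(password));
        pb.redirectErrorStream(true).redirectOutput(ProcessBuilder.Redirect.DISCARD);
        try {
            int exit = pb.start().waitFor();
            if (exit != 0) throw new IllegalStateException("keytool exited with " + exit);
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(file)) { ks.load(in, password); }
            return ks;
        } finally {
            Files.deleteIfExists(file); // do not leave the private key on disk
            Files.deleteIfExists(dir);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = UUID.randomUUID().toString().toCharArray(); // constructed throwaway value
        KeyStore ks = generate("localhost", password);
        X509Certificate cert = (X509Certificate) ks.getCertificate("server");
        cert.verify(cert.getPublicKey()); // throws unless the certificate is signed by its own key
        cert.checkValidity();             // throws if outside notBefore/notAfter
        System.out.println(cert.getSubjectX500Principal() + " SANs=" + cert.getSubjectAlternativeNames());
    }
}
```

The private key is retrieved with `ks.getKey("server", password)`; in a PKCS12 keystore written by keytool the key entry shares the store password.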


