How to Extract CN from X509Certificate in Java

How to extract CN from X509Certificate in Java?

Here's some code for the new non-deprecated BouncyCastle API. You'll need both bcmail and bcprov distributions.

import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;

X509Certificate cert = ...;

// JcaX509CertificateHolder throws CertificateEncodingException; getRDNs(...)[0] throws if the subject has no CN
X500Name x500name = new JcaX509CertificateHolder(cert).getSubject();
RDN cn = x500name.getRDNs(BCStyle.CN)[0];

return IETFUtils.valueToString(cn.getFirst().getValue());

How to extract CN from X509Certificate in Java - without using Bouncy Castle?

The backslashes indicate that the second two name/value pairs aren't separate elements of the DN.

Parsing the CN out of a certificate DN

How about javax.naming.ldap.LdapName?

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

String dn = "CN=Jimmy Blooptoop,OU=Someplace,OU=Employees,DC=Bloopsoft-Inc";
LdapName ln = new LdapName(dn); // throws InvalidNameException if dn is malformed

// Rdn.getValue() already unescapes backslash-escaped characters such as "\,"
for (Rdn rdn : ln.getRdns()) {
    if (rdn.getType().equalsIgnoreCase("CN")) {
        System.err.println("CN is: " + rdn.getValue());
        break;
    }
}

It's not the most beautiful interface since there is something missing like LdapName#getByType(String) but it saves you the trouble of having to think about what strange features DNs might have.
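The following is an added example (not code from either of the answers above) that puts the two pieces together for the "without Bouncy Castle" question: it takes the subject from the JDK's own X509Certificate via getSubjectX500Principal(), renders it in RFC 2253 form, and parses it with LdapName so that escaped characters such as "\," inside a CN are handled by the JDK rather than by hand-written splitting. The class name CertNames and the sample DN in main are assumptions; the DN is constructed for the demo and does not come from a real certificate. Because the CN is a legacy place to carry a hostname, the block also reads the dNSName entries of the subjectAltName extension, which is what hostname verification actually uses.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public final class CertNames {

    private static final int SAN_DNS_NAME = 2; // GeneralName tag number for dNSName

    /** All CN values of the certificate's subject, using only the JDK (no BouncyCastle). */
    public static List<String> subjectCommonNames(X509Certificate cert) {
        return commonNames(cert.getSubjectX500Principal());
    }

    /** Parses the RFC 2253 form of the principal with LdapName, which handles escaping such as "\," for us. */
    public static List<String> commonNames(X500Principal principal) {
        String dn = principal.getName(X500Principal.RFC2253);
        List<String> result = new ArrayList<>();
        try {
            // LdapName indexes RDNs right to left, so the rightmost CN comes first in the result
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    result.add(String.valueOf(rdn.getValue())); // getValue() returns the unescaped text
                }
            }
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("subject is not a valid DN: " + dn, e);
        }
        return result;
    }

    /** dNSName entries of subjectAltName; this, not the CN, is what hostname checks should rely on. */
    public static List<String> subjectAltDnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans == null) {
            return names;
        }
        for (List<?> entry : sans) {
            // Each entry is [Integer tag, value]; for dNSName the value is a String
            if (((Integer) entry.get(0)) == SAN_DNS_NAME) {
                names.add((String) entry.get(1));
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample DN (not from a real certificate): the CN contains an escaped comma,
        // so a naive split on ',' would cut "Jimmy Blooptoop, Jr." in two.
        X500Principal p = new X500Principal(
            "CN=Jimmy Blooptoop\\, Jr.,OU=Someplace,OU=Employees,DC=Bloopsoft-Inc");
        System.out.println(commonNames(p));
    }
}
```

commonNames() returns a list rather than a single value because nothing in X.500 stops a subject from carrying several CN attributes; a caller that silently takes the first one can be steered by whichever RDN a CA happened to emit first.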

Extract Issuer and Subject from certificate

While the certificate includes this information, the public key does not. The public key is part of the certificate, not the certificate part of the public key.

Extraction of this information from the certificate can, for example, be done with a simple openssl x509 -in cert.pem -subject -issuer. Help on doing this in various programming languages is off-topic here since it is a pure programming question. But it can usually easily be found using a search engine.

How to extract the domain name out of an X509Certificate object during SslStream.AuthenticateAsClient? (.NET4)

I have done it the following way:

var cert2 = new X509Certificate2(cert);
string hostName = cert2.GetNameInfo(X509NameType.DnsName, false);

You may also check whether the certificate is valid:

bool valid = cert2.Verify();

(See this question for description of X509Certificate2 class)

How to extract the digest algorithm from a X509Certificate

A certificate contains only the signature algorithm OID, which maps to a unique digest/algorithm pair. Therefore the easiest way to find the digest algorithm is to use a mapping table OID -> digest algo.

Unfortunately I know of no centralized location where you can find these OIDs. However, they can be collected from these RFCs:

  • Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
  • Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
  • Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters
  • Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA

Parsing the algorithm name and splitting on "With" should work, but with these limitations:

  • It may only work with Oracle Cryptography provider (see the documentation on signature algorithm naming conventions). Another provider, with its own certificate implementation, may use another incompatible naming convention.
  • If the algorithm is unknown, the getSigAlgName() method will return a String of the form OID.a.b.c.d.... For instance the SHA256withDSA algorithm is not supported by the old Java 6 and will be printed as OID.2.16.840.1.101.3.4.3.2
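As an added example (not code from the answer above), here is the approach the answer describes in working form: a table of signature-algorithm OIDs to digests, consulted first, with the "split on With" parse of getSigAlgName() kept only as a fallback. The OIDs in the table are the ones defined in the RFCs listed above; the DSA one (2.16.840.1.101.3.4.3.2) is the value the answer itself cites. RSASSA-PSS is the case the table cannot cover, since its single OID is shared by every digest and the digest is carried in the algorithm parameters instead, so the lookup returns null for it. The class name SignatureDigest and helper names are assumptions, Java 9 or later is assumed for Map.ofEntries, and the inputs in main are constructed rather than read from a real certificate.

```java
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;

public final class SignatureDigest {

    /** Signature-algorithm OID -> digest, collected from the RFCs listed in the answer. */
    private static final Map<String, String> OID_TO_DIGEST = Map.ofEntries(
        Map.entry("1.2.840.113549.1.1.5",   "SHA-1"),   // sha1WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.11",  "SHA-256"), // sha256WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.12",  "SHA-384"), // sha384WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.13",  "SHA-512"), // sha512WithRSAEncryption
        Map.entry("1.2.840.10040.4.3",      "SHA-1"),   // dsa-with-sha1
        Map.entry("2.16.840.1.101.3.4.3.2", "SHA-256"), // dsa-with-sha256 (the OID cited in the answer)
        Map.entry("1.2.840.10045.4.1",      "SHA-1"),   // ecdsa-with-SHA1
        Map.entry("1.2.840.10045.4.3.2",    "SHA-256"), // ecdsa-with-SHA256
        Map.entry("1.2.840.10045.4.3.3",    "SHA-384"), // ecdsa-with-SHA384
        Map.entry("1.2.840.10045.4.3.4",    "SHA-512")  // ecdsa-with-SHA512
    );

    /** RSASSA-PSS: one OID for every digest; the digest lives in the AlgorithmIdentifier parameters. */
    private static final String RSASSA_PSS_OID = "1.2.840.113549.1.1.10";

    public static String digestOf(X509Certificate cert) {
        return digestOf(cert.getSigAlgOID(), cert.getSigAlgName());
    }

    /** Table lookup first; the provider-specific name split is only a fallback. Null means undetermined. */
    public static String digestOf(String sigAlgOid, String sigAlgName) {
        if (RSASSA_PSS_OID.equals(sigAlgOid)) {
            return null; // decode cert.getSigAlgParams() (RSASSA-PSS-params) to learn the digest
        }
        String byOid = OID_TO_DIGEST.get(sigAlgOid);
        return byOid != null ? byOid : digestFromName(sigAlgName);
    }

    /** "SHA256withRSA" -> "SHA-256". Names of the form "OID.2.16..." carry no digest and yield null. */
    static String digestFromName(String sigAlgName) {
        if (sigAlgName == null || sigAlgName.isEmpty()
                || sigAlgName.startsWith("OID.") || Character.isDigit(sigAlgName.charAt(0))) {
            return null;
        }
        int i = sigAlgName.toLowerCase(Locale.ROOT).indexOf("with");
        return i > 0 ? toJcaDigestName(sigAlgName.substring(0, i)) : null;
    }

    /** SHA256 -> SHA-256 (the MessageDigest name); SHA3-256, MD5 and already-hyphenated names pass through. */
    static String toJcaDigestName(String digest) {
        String d = digest.toUpperCase(Locale.ROOT);
        return d.matches("SHA\\d+") ? "SHA-" + d.substring(3) : d;
    }

    /** Digests a verifier should refuse on certificate signatures today. */
    public static boolean isDeprecatedDigest(String digest) {
        return "MD2".equals(digest) || "MD5".equals(digest) || "SHA-1".equals(digest);
    }

    public static void main(String[] args) {
        // Constructed inputs, not taken from a real certificate
        System.out.println(digestOf("2.16.840.1.101.3.4.3.2", "OID.2.16.840.1.101.3.4.3.2")); // table hit
        System.out.println(digestOf("1.2.840.113549.1.1.11", "SHA256withRSA"));
        System.out.println(digestOf("1.2.840.113549.1.1.10", "RSASSA-PSS"));                // null: see params
        System.out.println(isDeprecatedDigest(digestOf("1.2.840.113549.1.1.5", "SHA1withRSA")));
    }
}
```

Keying on the OID rather than on getSigAlgName() sidesteps both limitations in the answer: the result no longer depends on the provider's naming convention, and an algorithm the runtime cannot verify (the "OID.x.y.z" case) can still be classified, which is exactly when a validator wants to know that a chain is signed with SHA-1 or MD5.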
