How do we create self-signed certificate using java packages

Hi All,
I require some information on creating self-signed certificate using java packages.
The java.security.cert.* package allows you to read Certificates from an existing store or a file etc. but there is no way to generate one afresh. See CertificateFactory and Certificate classes. Even after loading a certificate you cannot regenerate some of its fields to embed the new public key – and hence regenerate the fingerprints etc. – and mention a new DN. Essentially, I see no way from java to self-sign a certificate that embeds a public key that I have already generated.
I want to do the equivalent of ‘keytool –selfcert’ from java code. Please note that I am not trying to do this by using the keytool command line option – it is always a bad choice to execute external process from the java code – but if no other ways are found then I have to fall back on it.
Regards,
Chandra

I require some information on creating self-signed certificate using java packages. Its not possible because JCE/JCA doesn't have implementation of X509Certificate. For that you have to use any other JCE Provider e.g. BouncyCastle, IAIK, Assembla and etc.
I'm giving you sample code for producing self-signed certificate using IAIK JCE. Note that IAIK JCE is not free. But you can use BouncyCastle its open source and free.
**Generating and Initialising the Public and Private Keys*/
  public KeyPair generateKeys() throws Exception
      //1 - Key Pair Generated [Public and Private Key]
      m_objkeypairgen = KeyPairGenerator.getInstance("RSA");
      m_objkeypair = m_objkeypairgen.generateKeyPair();
      System.out.println("Key Pair Generated....");
      //Returns Both Keys [Public and Private]*/
      return m_objkeypair;
/**Generating and Initialising the Self Signed Certificate*/
  public X509Certificate generateSSCert() throws Exception
    //Creates Instance of X509 Certificate
    m_objX509 = new X509Certificate();
    //Creatting Calender Instance
    GregorianCalendar obj_date = new GregorianCalendar();
    Name obj_issuer = new Name();
    obj_issuer.addRDN(ObjectID.country, "CountryName");
    obj_issuer.addRDN(ObjectID.organization ,"CompanyName");
    obj_issuer.addRDN(ObjectID.organizationalUnit ,"Deptt");
    obj_issuer.addRDN(ObjectID.commonName ,"Valid CA Name");
    //Self Signed Certificate
    m_objX509.setIssuerDN(obj_issuer); // Sets Issuer Info:
    m_objX509.setSubjectDN(obj_issuer); // Sets Subjects Info:
    m_objX509.setSerialNumber(BigInteger.valueOf(0x1234L));
    m_objX509.setPublicKey(m_objkeypair.getPublic());// Sets Public Key
    m_objX509.setValidNotBefore(obj_date.getTime()); //Sets Starting Date
    obj_date.add(Calendar.MONTH, 6); //Extending the Date [Cert Validation Period (6-Months)]
    m_objX509.setValidNotAfter(obj_date.getTime()); //Sets Ending Date [Expiration Date]
    //Signing Certificate With SHA-1 and RSA
    m_objX509.sign(AlgorithmID.sha1WithRSAEncryption, m_objkeypair.getPrivate()); // JCE doesn't have that specific implementation so that why we need any //other provider e.g. BouncyCastle, IAIK and etc.
    System.out.println("Start Certificate....................................");
    System.out.println(m_objX509.toString());
    System.out.println("End Certificate......................................");
    //Returns Self Signed Certificate.
    return m_objX509;
  //****************************************************************

Similar Messages

  • Cookbook for creating Self Signed Certificates using certutil

    Hi,
    I am trying to create a self signed certifcate for internal use. Can anyone point to a step by step procedure? The few that I have found on the web don't seem to work.
    Thanks
    david

    Check out the examples at the bottom of this page:
    http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

  • Problems generating a self-signed certificate using SDK

    Adobe AIR 1.1 SDK was extracted to "D:\AIR\SDK\" in XP Pro
    SP2 system. Also Java 2 runtime version 1.4 installed.
    When I'm trying to generate a self-signed certificate I typed
    the following in command line:
    D:\AIR\SDK\bin\adt.bat -certificate -cn SelfSign 2048-RSA
    newcert.p12 pass123
    After a short delay an "unable to create output file" message
    appears in command console and an empty (0 byte length) newcert.p12
    created.
    What may be the problem?
    Also I would like to know if there was another way to create
    self-signed certificates or is it possible to build air packages
    without signing the source code?
    Thanks in advance and sorry for bad English!

    I haven't seen this error occur before. It could indicate a
    full drive or similar condition that might prevent writing to the
    file.
    Can you try using Java 1.5? Although 1.4 is officially
    supported, I think 1.5 receives much more testing.
    You can create self-signed certificates using other tools. If
    you do that, make sure the certificate is marked as usable for
    code-signing; otherwise, adt won't accept it.
    You cannot create air packages without signing them.

  • How to monitor self signed certificates using scom 2007 R2

    How to monitor self signed certificates using scom 2007 R2.  i need to monitor specifically self signed certificates expiration. if  possible in two state monitor...please suggest me the best way..
    B John

    Hi,
    Based on my understanding, that you want to create a monitor to monitor certificate expiration, with two state, when the certificate is about expiration for 21 days,, send warning, when the certificate is about expiration for 10 days, then send
    alert. I think we need to create scripts to do so, hope the below links can be helpful:
    Monitoring Certificates In SCOM
    http://blogs.technet.com/b/omx/archive/2013/01/30/monitoring-certificates-in-scom.aspx
    Monitoring Expiring Certificates using SCOM
    http://blogs.technet.com/b/sgopi/archive/2012/05/18/monitoring-expiring-certificates-using-scom.aspx
    Regards,
    Yan Li
    Regards, Yan Li

  • How to import the self-signed certificate in runtime

    HI.
    I work to connect between JSSE client and OpenSSL server with self-signed certificate.
    But I met the SSLSocketException during handshaking.
    Many Solutions registered in this page.
    But their are all using keytool.
    My application connect many site support the self-signed certificate.
    So, I want to import the certificate in run time.
    How Can I do??
    Please, answer me..
    Thanks,

    did you figure this out??? I need to know how to accept a self-signed certificate, otherwise it's this exception...
    D:\javatools\apis\jsse1.0.2\samples\urls>java -cp jcert.jar;jnet.jar;jsse.jar;. URLReader
    Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
    at java.io.OutputStream.write(OutputStream.java:61)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-12019
    8])
    at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120
    198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V
    1.2-120198])
    at java.net.URL.openStream(URL.java:798)
    at URLReader.main(URLReader.java:46)

  • How to renew a self signed certificate

    Hello,
    Can someone tell me how I can renew a self signed certificate ? I can't find the relevant option with the certadmin command.
    thx,
    Tom.

    Hi,
    thanks I had scanned through that document, but it doesn't tell you how to renew a self signed certificate. I went through all the options of the certadmin tool, and renewing a certificate is not one of them. So I guess it must be done manually via some pki binary somewhere on my system, but which one and how ?

  • How to deploy self signed certificate using GPO

    Hello,
    I am applying a self-signed certificate for HTTPS inspection, as you know Firefox is not using Windows root certificate as IE & chrome did, so I did some research about this issue and check admx & FF GPO, nothing helped me !!
    Do anyone have any new idea on how to solve this issue?

    Well, this might not be much help, but for 10g, on AIX, docID 1171558.1 describes how to create a new certificate.
    Not sure how relevant it will be for 11g, sorry :(

  • How to erase all self signed certificates and force Server to use Signed SSL

    I have been using a poorly managed combination of self-signed SSL certificates and a free one. I have purchased a good SSL from Digicert and am trying to configure the server to use it across the board. All of the services seem to be using it, but when I try to manage the server remotely, I seeing a self-signed certificate instead.
    I look under the system keychain in K-Access and there are several self signed certificates there (including the one that I am seeing when I try to remote manage).
    Can I replace those self-signed certs with the new one some how?

    Don't delete those.  However, you are on the right track.  Follow these steps to resolve.
    1:  Launch Keychain Access
    2:  Select the System Keychain
    3:  Find the com.apple.servermgrd IDENTITY PREFERENCE (looks like a contact card) and double click to open it
    4:  In the Preferred Certificate popup, change com.apple.servermgrd to your purchased certificate
    5:  Press Save Changes to save.
    6:  Reboot the server or kill the servermgrd process to restart the service.
    That should resolve your issue.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available on the iBooks store

  • Step by Step Instructions for Installing Self Signed Certificate using Certificate Modification Tool

    I am looking for some step by step instructions for installing the self signed certificate from my Microsoft SBS 2003 server on a Treo 755p and 750p.  In particular I need some help with the form of the actual certificate and how to use the Certificate Modification tool. 
    Some questions I have are as follows:
    1. When I install the certificate on a Windows Mobile device I used an exported version of the certificate.  This export is done using the DER x.509 format.  Is that the same form I’ll need for the Palm?  Do I need some other form? Can/should I just use sbscert.cer file that is generated when SBS is configured?
    2. Does the self signed cert need to be installed on the computer being used to update the Palm or do we just need to be able to access the appropriate .CER file?
    3. There are three things included in the PalmCertificatesTool.zip file:
                                    Trusted CAs (folder)
                                    Cert2pdb.exe
                                    PalmCertificates.exe
       How do I use these tools?
    4. It looks like the PalmCertificates.exe file opens an interface that will allow me to browse to the desired .CER file.  Then I suppose I use the < Generate PDB > to create something that needs to then be uploaded to the Palm device?  Not having any real experience with a Palm device how do I upload and install this file? 
    5. Once uploaded do I do something on the device to install it?
    If there is some white paper that provides step by step instructions on doing this that would be great.
    Thanks,
    Walt Bell
    Post relates to: Treo 755p (Verizon)
    Post relates to: Treo 755p (Verizon)

    Thanks for that.
    I have one question after reading the article 43375:
    The article has you "Turn of AutoSync" and then "Reset the device".  It then indicates the device should be left idle. 
    The next step relates to running the PalmCertificates.exe, navigate to the certificate file and add it and then run the < Generate PDB > button.  Should the device be connected to the computer during this process? If so, at what point after the reset do you connect it to the computer?
    Thanks!
    Post relates to: Treo 755p (Verizon)

  • Steps to create your own self signed certificate with java plugin working

    You need two tools that comes with your jdk which are keytool and jarsigner.
    Steps explain below in detail. Don't use netscape signtool, it will NEVER work!
    * keytool -genkey -keyalg rsa -alias tstkey -keypass 2br2h2m -dname "cn=Test Object Signing Certificate, o=AI Khalil, ou=Java Products, c=AU"
    cn = Certificate name
    o = organistation
    ou = organistation unit
    c = country (first two letters)
    If don't put the -dname, you can fill it line by line.
    The -keypass has to be verify at the end, and you have to wait for it to create the rsa signing keys.
    On NT by default it will put the alias information at D:\WINNT\Profiles\Administrator (if log in as administrator) with the default file called ".keystore". Windows 98 etc, don't know, search for .keystore
    file. When you update it, check for the timestamp change and you know if you at the right spot.
    You can store your alias information via the -storepass option to your current directory you work on, if you don't want to update the default .keystore file?
    The .keystore contains a list of alias so you don't have to do this process again and again.
    Another tip if you want your certificate encryption validity to be more than the default one month is simply
    add the -validity <valDays>, after the -genkey option, to make your certificate usage for encryption to last much longer.
    Note: You MUST use the -keyalg rsa because for starters the rsa encyption alogorthim is supported on ALL browsers instead of the default DSA and the other one SHA. Java plugins must work with the RSA algorthim when signing applets, else you will get all sorts of weird errors :)
    Do not use signtool because thats a browser dependant solution!! Java plugin is supposed to work via running it owns jre instead of the browser JVM. So if you going to use netscape signtool, it starts to become a mess! ie certificate will install, but applet won't start and give you funny security exception errors :)
    * keytool -export -alias tstkey -file MyTestCert.crt
    It will read the alias information in the .keystore information picking up the rsa private/public keys info and
    create your self sign certificate. You can double click this certificate to install it? But don't think this step is needed but maybe for IE? Someone else can check that part.
    If you make a mistake with the alias, simply keytool -delete -v -alias <your alias key>
    If not in default .keystore file, then simply keytool -delete -v -alias <your alias key> -keystore <your keystore filename>
    * Put your classes in your jar file, my example is tst.jar.
    * jarsigner tst.jar tstkey
    Sign your testing jar file with your alias key that supports the RSA encryption alogorthim.
    * jarsigner -verify -verbose -certs tst.jar
    Check that its been verified.
    The last step is the most tricky one. Its to do with having your own CA (Certified Authority) so you don't
    have to fork out money straight away to buy a Verisign or Twarte certificate. The CA listing as you see in
    netscape browsers under security/signers, is NOT where the plugin looks at. The plugin looks at a file called
    CACERTS. Another confusion is that the cacerts file is stored in your jre/lib/security AND also at your
    JavaSoft/Jre/<Java version>/lib/security. When you install the Java plugin for the first time in uses your
    JavaSoft folder and its the cacerts file that has to be updated you add your own CA, because thats where
    the plugin look at, NOT THE BROWSER. Everything about plugin is never to do with the browser!! :)
    * keytool -import -file MyTestCert.crt -alias tstkey -keystore "D:\Program Files\JavaSoft\JRE\1.3.1\lib\security/cacerts"
    Off course point to your own cacerts file destination.
    Password to change it, is "changeit"
    Before you do this step make a copy of it in its own directory in case you do something silly.
    This example will add a CA with alias of my key called "tstkey" and store to my example destination.
    * keytool -list -v -keystore "E:/jdk/jdk1.3/jre/lib/security/cacerts"
    List to see if another CA is added with your alias key.
    Your html, using Netscape embed and Internet explorer object tags to point to the java plugin,
    your own self sign applet certificate should work
    Cheers
    Abraham Khalil

    I follow Signed Applet in Plugin, and it's working on
    my computer. Thanks
    But When I open my applet from another computer on
    network, why it does not work ..?
    How to make this applet working at another computer
    without change the policy file ..?
    thanks in advance,
    AnomYou must install the certificate on that computers plugin. Can this be done from the web? can anyone suggest a batch file or otherwise that could do this for end users?
    I want a way for end users to accept my cert as Root or at least trust my cert so I dont have to buy one. I am not worried about my users refusing to accept my cert. just how do I make it easy for them? IE you can just click the cert from a link, but that installs for IE, and not the plugin where it needs to be.

  • How to issue a self-signed certificate to match Remote Desktop Gateway server address requested

    I have an RDG server named gw.domain.local with port 3389/tcp forwarded from
    gw.example.com.
    Using RDGM snap-in I created a self-signed SSL certigicate with FQDN gw.example.com.
    But when I connect over RDP from outside the local network I'm getting an error:
    Your computer can't connect to the computer because the Remote Desktop Gateway server address requested and the certificate name do not match
    Because certificate subject name is gw.domain.local indeed.
    So there question is: how to issue a certificate properly, or how to assign an existing one the name to match?

    Hi,
    Thanks for your post in Windows Server Forum.
    The certificate error which you are facing seems like certificate mismatch error, something like the security certificate name presented by the TS Gateway server does not match the TS Gateway name. You can try reconnecting using the FQDN name of the TS Gateway
    server. You can refer below article for more troubleshooting.
    TS Gateway Certificates Part III: Connection Time Issues related to TS Gateway Certificates
    And for creating a SSL certificate for RD gateway, you can refer beneath articles.
    1.  Create a Self-Signed Certificate for the Remote Desktop Gateway Server
    2.  Obtain a Certificate for the Remote Desktop Gateway Server
    Hope it helps!
    Thanks,
    Dharmesh

  • How to renew your self-signed certificate p12 with Flash Builder

    I have been using a self-signed certificate (generated using Adobe Flash Builder 4.7) for my Android app. The app is live on Google Play market but the certificate is going to expire soon, and I know if I create new certificate and update my app, existing Android users will not be able to auto-update the app (as the App's Signature has been changed). I would like to know how can we re-new the self-signed Certificate .p12 with Flash Builder?
    Thank you very much.

    After doing my research about the self-signed certificate created by Adobe Flash Builder , I realized that was my mistake to think that the certificate would expire soon. I doubled check the expiration date of my self-signed certificate and the date was set to 35 years after I generated it using flash builder 4.7 (which is very safe).
    For anyone who wants to check the self-signed .p12 expiration date you follow the instruction from this link:
    http://bsdsupport.org/how-do-i-determine-the-expiration-date-of-a-p12-certificate/
    Hope it helps

  • How to Increase ACS self signed certificate.

    I'm using ACS 4.0 for Windows.
    How can I increase the validity of a self signed certificate from one year to more years?
    Thanks.
    Andrea.

    It is not possible to extend it. You have to re-issue the cert every year. You can either buy a certificate or setup your own CA to extend the time.

  • In Firefox 4.0 with a Server with a self signed certificate using IPv6 I can not add a "Security Exception" for this certificate.

    In Firefox 4.0 I have a server ... it contains a self signed certificate. Using IPv6 I can not add a "Security Exception" for this certificate.
    1. I log onto the server (using IPv6). I get the "Untrusted connection page" saying "This connection is Untrusted"
    2. I click on "Add Exception.." under the "I understand the Risks" section.
    3. The "Add Security Exception" dialog comes up. soon after the dialog comes up I get an additional "Alert" dialog saying
    An exception occured during connection to xxxxxxxxx.
    Peer's certificate issuer has been marked as not trusted by the User.
    (Error code sec_error_untrusted_issuer).
    Please note that this works in Firefox 3.6.16 (in IPv4 and IPv6). It also works in Firefox 4.0 in IPv4 only IPv6 has an issue. What's wrong?

    Exactly the same problem, except I'm using FF v6 for Windows, not FF v4 as for the lead post. This is for a self-cert which IS trusted, although the error message says it isn't.

  • How-to install a self-signed certificate on Sony Ericcson W350

    I am a developer and I am writing a j2me application for a Sony Ericcson W350 phone which needs to be able to use the phones SMS capabilities.  I have a signed .jar and .jad file with a self-signed certificate.  However, the phone is still treating my application as an untrusted third party app.  I think this is occuring because my self-signed certificate isn't in the java certificate store on the phone. Is there a way to load my self-signed certificate into the java certificate store?  I have tried copying it over to the phone via bluetooth and usb and installing it through the filesystem, however there isn't an option to install the certificate when browsing to it from the phone's filesystem.  Any help would be much appricated.

    Deactivating existing Java certificates prevented me from installing the .jad file.  I accessed the phone's file system using both Sony PC Companion with USB and using the OS file browser over bluetooth.

Maybe you are looking for

  • All of a sudden when i click any button or link a new window opens with an ad

    I have used Firefox for about 7 years. No issues... I recently installed Ghostery add on. The only way to describe it is: I go to a page.. Click a link (or close to it) or enter or any other button/link that would take me to what I expect.. BUT inste

  • W540 Washed out look in Word

    I've just received my W540 and am using office 2013 on it. Does anyone know how to improve the screen so that things like Word right-click menus do not look so faded. Surely the screen can't be that bad, can it?  The blacks are poor but I would have

  • Exception raised using JComboBox with JUComboBoxBinding in a JTable

    Hello, I am using JDeveloper 9.0.3.1035. I have a JTable bound to a bc4j view object. Now I want to use a JComboBox to select the value for a foreign key column in that Table. For this I have followed the HOWTO posted by Arno van der Kolk in Thread J

  • Problem using RSCRM_BAPI

    Hi all: I am trying to use t-code rscrm_bapi... but its giving me error in technical name of the extract and path for .csv file, when i select the option "extract". I need query output in .csv file. can someone send me the detailed steps for this ? A

  • How do I uninstall and reinstall i tunes on my phone?

    Could anybody help with this?  I can't access any of my apps.  When I try to get new apps, it says that I can't connect to the apple store.