Use BC to generate certificate

Hello, everyone,
I am trying to generate my own certificate instead of asking it from a CA such as verisign.com. And I know that the provider from Sun cannot do that. So, I turned to BC provider. But, I really have no idea about how to generate my certificate programmatically. Is there any tutorial or sample code talking about how to do that using BC? Or, is there any other method to learn how to do that?
Your help is highly appreciated!
Regards

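import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.X509KeyUsage;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.X509V3CertificateGenerator;

public class GenerateCertificate {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider()); // generateX509Certificate(PrivateKey) signs through the "BC" provider
        X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); // key pair algorithm
        keyPairGenerator.initialize(1024); // key size
        KeyPair keyPair = keyPairGenerator.generateKeyPair(); // generate keys
        int usage = X509KeyUsage.digitalSignature | X509KeyUsage.dataEncipherment; // set key usage, it's optional
        X509KeyUsage keyUsage = new X509KeyUsage(usage);
        certificateGenerator.addExtension("2.5.29.15", false, keyUsage);
        certificateGenerator.setSerialNumber(BigInteger.ONE); // set serial number
        String x509Name = "CN=SomeName";
        certificateGenerator.setIssuerDN(new X509Name(x509Name));
        certificateGenerator.setSubjectDN(new X509Name(x509Name));
        Calendar nextYearDate = Calendar.getInstance();
        nextYearDate.add(Calendar.YEAR, 1); // Valid for 1 year
        certificateGenerator.setNotAfter(nextYearDate.getTime());
        certificateGenerator.setNotBefore(Calendar.getInstance().getTime());
        certificateGenerator.setSignatureAlgorithm("SHA1withRSA");
        certificateGenerator.setPublicKey(keyPair.getPublic());
        String alias = Long.toHexString(SecureRandom.getInstance("SHA1PRNG").nextLong());
        X509Certificate certificate = certificateGenerator.generateX509Certificate(keyPair.getPrivate());
    }
}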
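
An added example (not the poster's code, and not taken from the Bouncy Castle project) of the same self-signed certificate built with the builder classes in BC's bcpkix module, using a 2048-bit RSA key, SHA256withRSA and a random serial in place of the 1024-bit key, SHA1withRSA and fixed serial in the post. The class name SelfSignedCertExample, the selfSign helper and the one-year lifetime are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SelfSignedCertExample {

    // Self-signed means issuer == subject and the signature is made with the
    // certificate's own private key. The serial is supplied by the caller.
    static X509Certificate selfSign(KeyPair keyPair, String dn, BigInteger serial, int days)
            throws Exception {
        X500Name name = new X500Name(dn);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + days * 86_400_000L);

        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, serial, notBefore, notAfter, name, keyPair.getPublic());
        // Same key usage bits as the post, marked critical here so that
        // relying parties have to honour them.
        builder.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.dataEncipherment));
        // Not a CA: this certificate must not be accepted as an issuer of others.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .build(keyPair.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    public static void main(String[] args) throws Exception {
        SecureRandom random = new SecureRandom();
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048, random);
        KeyPair keyPair = generator.generateKeyPair();

        // Random positive serial; a predefined value can be passed instead.
        BigInteger serial = new BigInteger(128, random).add(BigInteger.ONE);
        X509Certificate cert = selfSign(keyPair, "CN=SomeName", serial, 365);

        cert.checkValidity();             // throws if outside notBefore/notAfter
        cert.verify(keyPair.getPublic()); // throws if the self-signature is invalid
        System.out.println(cert.getSubjectX500Principal() + " serial "
                + cert.getSerialNumber().toString(16) + " " + cert.getSigAlgName());
    }
}
```

Clients only accept such a certificate after it has been exported and imported into their truststores; generating it does not by itself establish any trust.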

Similar Messages

  • Can i generate certificates using java api

    can i generate certificates signed by my private key using java API.
    I found CertificateFactory must generate a certificate from a file,
    but how can i generate this file?
    Thanks

    visit :
    http://java.sun.com/j2se/1.3/docs/tooldocs/win32/jarsigner.html
    http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
    u can create ur own certificate
    Edward

  • SSL: how to use Multiple Private key/Certificate pair for authentication.

    Hi all,
    i am implementing SSL in java using X509 Certificate/private key combination.
    i have two set of private key/certificate pair.
    one is factory default and another is generated at run time.
    my problem is to try ssl connection with both pairs on same tcp/ip connection.
    e.g. on server side: first try ssl connection with factory default certificate, if it fails try connecting with generated certificate on same tcp/ip connection.
    on client side: if generated certificate(this certificate was generated at server side) is present first perform server authentication using this certificate otherwise authenticate server with factory default certificate.
    can someone please help and let me know how do i need to configure both ends(client and server) for achieving the same.
    Thanks In Advance
    Saurabh Ahuja

    > Client code does not contain any default truststore and needs a certificate for authentication.
    Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
    It's like this. The idea of PKI with SSL is as follows:
    - the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
    - the client has a truststore that trusts the server, one way or the other, see above.
    - the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
    - the server sends its cert to the client along with a digital signature signed by its private key.
    - the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
    At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
    If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
    You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.

  • Self Generated certificate validity issue in ACS 4.0 for Windows

    Hi,
    Is there any solution to extend the validity time of self generated certificate on ACS, by default the validity is set for one year.
    As the server certificate on one of the ACS which is CA has expired and need to renew it.
    Is it possible only one certificate from third party can be used both as a server certificate and certificate from CA for other ACS servers.
    Thanks in Advance
    Regards,
    Ahmed

    Other solution would be to create an in house(Microsoft probably) CA, and get a certificate for your ACS server. Go through the installation steps of Microsoft CA before, as the validity date for Server Certificate(i guess) is configured during initial install of CA.
    Regards,
    Prem

  • HTTPS using SOAP and sharing certificates

    Hi Experts,
    We have been able to activate HTTPS port in our PI system and created a scenario with SOAP sender with option -- >> HTTPS without client authentication.
    Now, we generated the URL from sender agreement -- >> https:<host>:<port>:XISOAPAdapter/MessageServlet?........
    When we try to test this from SOAPUI, an error message is received that - Client Certificate is required.
    Now in NWA, under Security - >> SSL, we could find Private key and have uploaded the same in SOAPUI Keystore... But the error persists.
    Just to emphasise we are just using self-generated certificate which is not signed by any CA.
    Now questions or rather confusions:
    1. If PI is hosting a service ( SOAP Sender ), exactly what kind of certificate should be exported and imported into SOAPUI or third party ? Private key PK8, PK12 or simply Certificate ?? Where exactly is the Public key ?
    2. In case third party hosts the service and PI needs to consume it, I assume third party will share their certificates. Will they share public or private key ? Shall we simply upload it in our key store and it will work ?
    3. In case PI and Third Party both are hosting the services so do we need 2 Set of certificates for scenarios to work ? ( One generated at each server ?)
    I have read blogs, discussions but have seen varying opinions and hence wanted to clarify.
    Thanks..
    regards,
    Omkar.

    Please go through this link - HTTP and SSL - SAP NetWeaver Process Integration Security Guide - SAP Library
    "A general prerequisite for using HTTPS in both SAP NetWeaver Application Server (AS) ABAP and Java is that the SAP Cryptographic Library is installed on the AS. In addition, the certificates (for example an X.509 certificate) used must have been issued by a company-internal Certification Authority (CA), or by an external trusted CA such as Thawte, Verisign, or TC Trustcenter."

  • Generate certificates valid for smart card (Windows logon) with third party PKI (not Microsoft)

    Hello everyone
    Today I am working on a PKI mounted on a Red Hat Enterprise Linux Server release 5.5 (Tikanga); it is Easycert 5.2.2.15. We need to know what are the necessary data that we have to give to the PKI so it can generate certificates of users in Active Directory for use with a USB Token (ACOS5-64 CHIP CRYPTO) functioning as Smart Card to make the login of users on computers.
    On the other hand also we need to know the necessary settings between the third party pki and the domains controllers (Windows 2012).
    Greetings and I hope for you response.
    TechCach

    > It is for Windows 2012.
    nothing changed since Windows Server 2003. Here is a KB article:
    http://support2.microsoft.com/kb/281245
    > Is the scenario supported by microsoft?
    yes, of course. See KB article above.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell FCIV tool.

  • Install self generated certificates

    Hi all,
    Can anyone advise on how to install a self generated certificates as a trusted server/client server?
    Regards
    Ken

    Hi Ken,
    Which version of WebServer are you using?
    The following docs for WebServer 6.1 sp5 gives all of the information that you should need about installing certificates:
    http://docs.sun.com/source/819-0130/agcert.html#wp1004981
    Hope this helps

  • Why, when I successfully connect to Server 2012 Essentials R2 via Anywhere Access does the Remote Desktop Connection use the self signed certificate for RDP instead of the SSL certificate I installed when I set up access anywhere?

    Scenario:
    Windows Server 2012 R2 Essentials
    I purchased an SSL Cert from GoDaddy and I managed (after some challenges) to set up Anywhere access to use that new SSL Cert. I rebooted the server and I am able to login to Anywhere Access via https (using the SSL certificate) from PC, Mac and iOS.
    So far so good.
    The problem I am having is that when I click to launch a remote desktop connection to the server RDP connection wants to use the self signed SSL certificate of the server rather than the SSL Certificate I installed into Anywhere Access. As a result, I get a security warning like this: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
    The name in the certificate appears as ACME-SERVER.ACMEDOMAIN.local instead of the SSL Certificate I installed, which is remote.acmedomain.com
    If I click to accept, RDP does work fine, it's just using a self signed certificate. I want it to use the trusted certificate that I purchased and installed.
    My guess is that there must be an additional step to tell Anywhere Access that when it generates the RDP session that it should use the cert? OR, is this just how it works?

    Because....
    the server does not have a 'trusted' certificate assigned to it.
    Only the RDP Gateway has the trusted certificate for the external name.
    If you want to remove that error, you have to do one of the following:
    Make sure your domain uses a public top level domain, and get a public trusted certificate for your server.
    So, something like,
    server.domain.publicdomain.com
    Or,
    Install that certificate on your remote computer so it is trusted.
    Robert Pearman SBS MVP
    itauthority.co.uk |

  • Generating certificate with predefined certificate SerialNumber field

    Hi!
    I need to generate certificate (programmatically or using keytool), which should contain predefined serial number in. F.e.:, after generating certificate we see:
    Owner: CN=SomeBody, O=SomeBody.com, L=A, C=B
    Issuer: CN=SomeBody, O=SomeBody.com, L=A, C=B
    Serial number: 25fca39d
    Valid from: Fri Feb 13 12:15:09 EET 2004 until: Sat Feb 12 12:15:09 EET 2005
    Certificate fingerprints:
             MD5:  87:41:93:58:71:7C:DC:59:50:F2:79:92:86:CC:0A:8C
             SHA1: 24:2B:27:6B:17:AB:9B:6D:1D:6D:4F:A0:D9:CA:42:AC:51:5D:6A:54
    Field "Serial number" should be predefined. Am I able to do this?
    Thanks.

    keytool doesn't seem to do it, and Java doesn't really offer much help in programmatically creating certificates at all.
    However, at least glancing at the documentation, the bouncycastle (http://www.bouncycastle.org ) provider seems to have this capability. See for example the classes
    org.bouncycastle.x509.X509V1CertificateGenerator and org.bouncycastle.x509.X509V3CertificateGenerator

  • Cisco ISE use two different local certificates for EAP

    Hi Experts,
    ISE 1.2.1.198
    It is possible to use two different local certificates on cisco ISE, generated by two different root CA, for EAP?
    Example:
    1 - Microsoft CA for notebooks
    2 - Different CA (public, openssl, other) for mobiles
    And, in case it is possible, which will be the first one presented from the server to the client for EAP-TLS authentication?
    Thanks
    Andrea

    Thanks for your reply,
    i think i'll go for another pair of PSN for the mobiles
    Andrea

  • Using SQVI to generate report of open and released delivery schedule lines

    All,
    I'm using SQVI  to generate an excel spreadsheet for some buyers to show open released schedule lines because they are a 1 line item per scheduling agreement company.
    I used the logical database MEPOLDB instead of a table joint and pulled fields from EKKO(vendor, SA #,&purchasing group), EKPO(Material Number), EKEH(schedule line type), and EKET(delivery date, scheduled qty,previous qty).
    Does this sound like I'll get the results I want on paper as long as I use the right selection criteria, because the report I'm getting isn't quite what I expect? I am unable to identify which lines are authorized to ship vs. trade-off zone, planning, etc. in the report thus far.

    Hi Mark,
    I have faced same requirement. I am not sure about transporting to TST and PROD. I done by this way.
    After generating SQVI program in DEV, I assigned that program to a transaction and tested in DEV. Later I have regenerated SQVI in Production. Then I assigned the generated Program to same transaction in DEV. And transported the Tcode assignment of program to Production.
    About authorization , if its not sensitive report, BASIS can restrict at transaction level.
    Regards,
    Ravi.

  • I want to use the Function Generator VI to send command signals through the NI 7344 motion controller. This will be a closed loop servo valve system. I want to be able to change from say a square wave to a sine wave on the fly. Ideas?

    I am going to run tests that require an actuator to move using various types of arbitrary waveforms such as sine or square. The NI 7344 is hooked to the UMI that is going through a driver for a servo valve. The loop is analog and it is closed. I have played with some of the examples but can't get it to work. I have used the function generator VI to generate a signal but I think I am using the wrong input VI to the motion control board. When I use what I have it moves the servo and then stops. It doesn't continually generate the signal.
    I would love to use the controls on the function generator vi to control frequency and amplitude etc. Any help or pointer would be helpful. Thank you in advance.

    Hello,
    I'm not clear on exactly how you want to use the generated data but I'm assuming they will be used as your target points.
    There's a built-in example for motion called 'One-Axis Contour Move.vi'. This example demonstrates how to provide your target points as 1-D array. All you need to do is to replace the input array with the output of the function generator. In order to have it run continuously, use a while loop. You can further program your application so that it'll change the waveform on the fly by monitoring the user interface but this might be a little tricky as you will need to reset the move and load the new generated points while keeping track of your current position.
    I hope this helps. Let me know if you have further questions regarding this
    application.
    Best regards,
    Yusuf C.
    Applications Engineering
    National Instruments

  • Using mathscript to generate multiple digital outputs for switch control

    Hello 
    I am new to this NI LV and I have kind of a basic question. I would like to use Mathscript to generate an array of Boolean numbers which will be used to control the Digital I/O lines. I am using NI 6251 USB device and the Mathscript code runs well. But I have a problem using this array to control the Digital output. So I created a simple test programme where I set the DAQ Assistant to generate 4 digital outputs (P0.0 ~ P0.3) and it gives error that ".. number of channels in the data does not match the number of channels in the task..." (see attachment). How can I solve this problem? Thank you.
    Attachments:
    K-9.jpg ‏36 KB

    looks like you did not initialize all 4 of the elements in the bool array....

  • Using JarSettings to generate EJB client jar, but supported classes missed

    Appreciated for any comments in advance.
    I am using @jarSetting to generate EJB client jar file from workshop 9.2. The remote method of EJB has one input parameter that is defined as an interface. The interface is included in client jar, but the implementation of this interface is not.
    Please advise how I can add the implementation of this interface to client jar?
    Best Regards,
    James

    Hi James,
    I believe the algorithm for creating the client jar is to simply inspect the EJB interfaces using reflection and to include all user defined classes and exceptions that are referenced by the interfaces. In your case, it sounds like a class is not being included because it is not directly referenced by one of the EJB interfaces.
    I think the client jar creation algorithm can be described as "best effort" and unfortunately, it does not always end up including all classes needed by the client. I would recommend you add the additional classes manually using the jar tool.
    - Matt

  • Using PHP to generate images in alternate colors

    I have a PNG image of a black silhouette graphic with
    softened edges against a transparent background.
    Can I use PHP to generate this image in alternate colors
    (allowing the black graphic to be displayed in a color other than
    black)?

    AngryCloud posted in macromedia.dreamweaver:
    > I have a PNG image of a black silhouette graphic with softened
    > edges against a transparent background.
    >
    > Can I use PHP to generate this image in alternate colors
    > (allowing the black graphic to be displayed in a color other than
    > black)?
    I have no experience with this, but I was just poking around in the GD references and found a comment on imagefill() that might help:
    http://us.php.net/manual/en/function.imagefill.php
    Comment:
    http://us.php.net/manual/en/function.imagefill.php#81873
    Or you may need to work with some of the other alpha functions.
    Mark A. Boyd
    Keep-On-Learnin' :)
