List of usage examples for org.bouncycastle.asn1.x509 Extension keyUsage
ASN1ObjectIdentifier keyUsage
To view the source code for org.bouncycastle.asn1.x509 Extension keyUsage.
Click Source Link
From source file:be.fedict.trust.test.PKITestUtils.java
License:Open Source License
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, DateTime notBefore, DateTime notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, boolean caFlag, int pathLength, String crlUri, String ocspUri, KeyUsage keyUsage, String signatureAlgorithm, boolean tsa, boolean includeSKID, boolean includeAKID, PublicKey akidPublicKey, String certificatePolicy, Boolean qcCompliance, boolean ocspResponder, boolean qcSSCD) throws IOException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException, OperatorCreationException { X500Name issuerName;// w w w . ja v a 2 s . c o m if (null != issuerCertificate) { issuerName = new X500Name(issuerCertificate.getSubjectX500Principal().toString()); } else { issuerName = new X500Name(subjectDn); } X500Name subjectName = new X500Name(subjectDn); BigInteger serial = new BigInteger(128, new SecureRandom()); SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded()); X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(issuerName, serial, notBefore.toDate(), notAfter.toDate(), subjectName, publicKeyInfo); JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils(); if (includeSKID) { x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(subjectPublicKey)); } if (includeAKID) { PublicKey authorityPublicKey; if (null != akidPublicKey) { authorityPublicKey = akidPublicKey; } else if (null != issuerCertificate) { authorityPublicKey = issuerCertificate.getPublicKey(); } else { authorityPublicKey = subjectPublicKey; } x509v3CertificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(authorityPublicKey)); } if (caFlag) { if (-1 == pathLength) { x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(2147483647)); } else { x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(pathLength)); } } if (null != crlUri) { GeneralName generalName = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(crlUri)); GeneralNames generalNames = new GeneralNames(generalName); DistributionPointName distPointName = new DistributionPointName(generalNames); DistributionPoint distPoint = new DistributionPoint(distPointName, null, null); DistributionPoint[] crlDistPoints = new DistributionPoint[] { distPoint }; CRLDistPoint crlDistPoint = new CRLDistPoint(crlDistPoints); x509v3CertificateBuilder.addExtension(Extension.cRLDistributionPoints, false, crlDistPoint); } if (null != ocspUri) { GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); x509v3CertificateBuilder.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess); } if (null != keyUsage) { x509v3CertificateBuilder.addExtension(Extension.keyUsage, true, keyUsage); } if (null != certificatePolicy) { ASN1ObjectIdentifier policyObjectIdentifier = new ASN1ObjectIdentifier(certificatePolicy); PolicyInformation policyInformation = new PolicyInformation(policyObjectIdentifier); x509v3CertificateBuilder.addExtension(Extension.certificatePolicies, false, new DERSequence(policyInformation)); } if (null != qcCompliance) { ASN1EncodableVector vec = new ASN1EncodableVector(); if (qcCompliance) { vec.add(new QCStatement(QCStatement.id_etsi_qcs_QcCompliance)); } else { vec.add(new QCStatement(QCStatement.id_etsi_qcs_RetentionPeriod)); } if (qcSSCD) { vec.add(new QCStatement(QCStatement.id_etsi_qcs_QcSSCD)); } x509v3CertificateBuilder.addExtension(Extension.qCStatements, true, new DERSequence(vec)); } if (tsa) { x509v3CertificateBuilder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)); } if (ocspResponder) { x509v3CertificateBuilder.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, DERNull.INSTANCE); x509v3CertificateBuilder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning)); } AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithm); AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); AsymmetricKeyParameter asymmetricKeyParameter = PrivateKeyFactory.createKey(issuerPrivateKey.getEncoded()); ContentSigner contentSigner = new BcRSAContentSignerBuilder(sigAlgId, digAlgId) .build(asymmetricKeyParameter); X509CertificateHolder x509CertificateHolder = x509v3CertificateBuilder.build(contentSigner); byte[] encodedCertificate = x509CertificateHolder.getEncoded(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509Certificate certificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(encodedCertificate)); return certificate; }
From source file:beta01.CreateCertByCsr.java
public CreateCertByCsr() throws Exception { //read p12//from w w w . j a v a 2s . com KeyStore pkcs12Store = KeyStore.getInstance("PKCS12", "BC"); pkcs12Store.load(new FileInputStream("D:\\rootPrivateKey.p12"), "pass".toCharArray()); //read root key pair and certificate PrivateKey privateKey = null; PublicKey publicKey = null; X509Certificate rootCert = null; for (Enumeration en = pkcs12Store.aliases(); en.hasMoreElements();) { String alias = (String) en.nextElement(); if (pkcs12Store.isCertificateEntry(alias)) { rootCert = (X509Certificate) pkcs12Store.getCertificate(alias); Certificate cert = pkcs12Store.getCertificate(alias); publicKey = cert.getPublicKey(); } else if (pkcs12Store.isKeyEntry(alias)) { privateKey = (PrivateKey) pkcs12Store.getKey(alias, "pass".toCharArray()); } } //read CSR String fileName = "CSR_DSA"; FileReader fileReader = new FileReader("D:\\" + fileName + ".p10"); PemReader pemReader = new PemReader(fileReader); PKCS10CertificationRequest csr = new PKCS10CertificationRequest(pemReader.readPemObject().getContent()); //create certf JcaX509CertificateHolder holder = new JcaX509CertificateHolder(rootCert); X509v3CertificateBuilder certBuilder; certBuilder = new X509v3CertificateBuilder(holder.getSubject(), BigInteger.valueOf(System.currentTimeMillis()), new Date(System.currentTimeMillis()), new Date(System.currentTimeMillis() + 7 * 24 * 60 * 60 * 1000), csr.getSubject(), csr.getSubjectPublicKeyInfo()); certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature)); SignatureAlgorithmIdentifierFinder algFinder = new DefaultSignatureAlgorithmIdentifierFinder(); AlgorithmIdentifier sigAlg = algFinder.find("SHA512withRSA"); AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg); //RSAPrivateKey rsa = (RSAPrivateKey) privateKey; //AsymmetricCipherKeyPair ss =new AsymmetricCipherKeyPair // RSAKeyParameters rsaP = new RSAPrivateCrtKeyParameters(rsa.getModulus(), rsa.getPublicExponent(), // rsa.getPrivateExponent(), rsa., BigInteger.ONE, BigInteger.ONE, BigInteger.ONE, BigInteger.ONE); //ContentSigner signer = new BcRSAContentSignerBuilder(sigAlg, digAlg).build((AsymmetricKeyParameter) privateKey); // AsymmetricCipherKeyPair sd = new AsymmetricCipherKeyPair(null, null) ContentSigner signer = new JcaContentSignerBuilder("SHA512withRSA").setProvider("BC").build(privateKey); X509CertificateHolder holder2 = certBuilder.build(signer); new SimpleGenCert().converToPem(holder2, fileName); }
From source file:beta01.SimpleRootCA.java
/** * Build a sample V3 certificate to use as an intermediate CA certificate * @param intKey//from w ww . j a v a 2 s.c om * @param caKey * @param caCert * @return * @throws java.lang.Exception */ public static X509CertificateHolder buildIntermediateCert(AsymmetricKeyParameter intKey, AsymmetricKeyParameter caKey, X509CertificateHolder caCert) throws Exception { SubjectPublicKeyInfo intKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(intKey); X509v3CertificateBuilder certBldr = new X509v3CertificateBuilder(caCert.getSubject(), BigInteger.valueOf(1), new Date(System.currentTimeMillis()), new Date(System.currentTimeMillis() + VALIDITY_PERIOD), new X500Name("CN=Test CA Certificate"), intKeyInfo); X509ExtensionUtils extUtils = new X509ExtensionUtils(new SHA1DigestCalculator()); certBldr.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert)) .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(intKeyInfo)) .addExtension(Extension.basicConstraints, true, new BasicConstraints(0)) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); AlgorithmIdentifier sigAlg = algFinder.find("SHA1withRSA"); AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg); ContentSigner signer = new BcRSAContentSignerBuilder(sigAlg, digAlg).build(caKey); return certBldr.build(signer); }
From source file:beta01.SimpleRootCA.java
/** * Build a sample V3 certificate to use as an end entity certificate *///from w w w . ja v a2 s . com public static X509CertificateHolder buildEndEntityCert(AsymmetricKeyParameter entityKey, AsymmetricKeyParameter caKey, X509CertificateHolder caCert) throws Exception { SubjectPublicKeyInfo entityKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(entityKey); X509v3CertificateBuilder certBldr = new X509v3CertificateBuilder(caCert.getSubject(), BigInteger.valueOf(1), new Date(System.currentTimeMillis()), new Date(System.currentTimeMillis() + VALIDITY_PERIOD), new X500Name("CN=Test End Entity Certificate"), entityKeyInfo); X509ExtensionUtils extUtils = new X509ExtensionUtils(new SHA1DigestCalculator()); certBldr.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert)) .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(entityKeyInfo)) .addExtension(Extension.basicConstraints, true, new BasicConstraints(false)) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); AlgorithmIdentifier sigAlg = algFinder.find("SHA1withRSA"); AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg); ContentSigner signer = new BcRSAContentSignerBuilder(sigAlg, digAlg).build(caKey); return certBldr.build(signer); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
/** * SubjectKeyIdentifier is not allowed to be specified * * @throws NoSuchAlgorithmException// w w w . ja va 2s. c o m * @throws NoSuchProviderException * @throws CertificateExpiredException * @throws CertificateNotYetValidException * @throws CertificateException * @throws InvalidKeyException * @throws SignatureException */ @Test(expected = IllegalArgumentException.class) public void testGenerateX509CertificateV3_intermediateCACertificate_withSubjectKeyIdentifierNoAllowed() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.authorityKeyIdentifier) .value(extUtils.createAuthorityKeyIdentifier(caCert.getCert())).critical(false).build()) .add(X509CertExtension.builder().oid(Extension.subjectKeyIdentifier) .value(extUtils.createSubjectKeyIdentifier(certKeyPair.getPublic())).critical(false) .build()) .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)) .critical(true).build()) .build(); final X509V3CertRequest request = new X509V3CertRequest(caCert.cert.getIssuerX500Principal(), BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
@Test public void testGenerateX509CertificateV3_intermediateCACertificate() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException, CertificateEncodingException, IOException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.authorityKeyIdentifier) .value(extUtils.createAuthorityKeyIdentifier(caCert.getCert())).critical(false).build()) .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)) .critical(true).build()) .build();//w w w . ja va 2 s .c o m final X509V3CertRequest request = new X509V3CertRequest(caCert.cert.getIssuerX500Principal(), BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions, new BasicConstraints(0)); log.info(String.format("request : %s", request)); final X509Certificate cert = certificateService.generateX509CertificateV3(request, caCert.getPrivateKey()); log.info(String.format("result.getSigAlgName() = %s, result.getVersion() = %s ", cert.getSigAlgName(), cert.getVersion())); assertThat(cert.getVersion(), is(3)); cert.checkValidity(); assertThat(Arrays.areEqual(subjectPrincipal.getEncoded(), cert.getSubjectX500Principal().getEncoded()), is(true)); assertThat(Arrays.areEqual(caCert.getCert().getSubjectX500Principal().getEncoded(), cert.getIssuerX500Principal().getEncoded()), is(true)); cert.verify(caCert.getCert().getPublicKey()); assertThat(cert.getBasicConstraints(), is(0)); checkAuthorityKeyIdentifierExtenstion(cert, caCert); checkSubjectKeyIdentifierExtenstion(cert); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
@Test public void testGenerateX509CertificateV3_CAIssuedX509V3CertRequest_endCert() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException, CertificateEncodingException, IOException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)) .critical(true).build()) .build();/*w ww .j av a 2s .co m*/ final CAIssuedX509V3CertRequest request = new CAIssuedX509V3CertRequest(caCert.cert, BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions); log.info(String.format("request : %s", request)); final X509Certificate cert = certificateService.generateX509CertificateV3(request, caCert.getPrivateKey()); log.info(String.format("result.getSigAlgName() = %s, result.getVersion() = %s ", cert.getSigAlgName(), cert.getVersion())); assertThat(cert.getVersion(), is(3)); cert.checkValidity(); assertThat(Arrays.areEqual(subjectPrincipal.getEncoded(), cert.getSubjectX500Principal().getEncoded()), is(true)); assertThat(Arrays.areEqual(caCert.getCert().getSubjectX500Principal().getEncoded(), cert.getIssuerX500Principal().getEncoded()), is(true)); cert.verify(caCert.getCert().getPublicKey()); assertThat(cert.getBasicConstraints(), is(-1)); checkAuthorityKeyIdentifierExtenstion(cert, caCert); checkSubjectKeyIdentifierExtenstion(cert); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
@Test(expected = IllegalArgumentException.class) public void testGenerateX509CertificateV3_CAIssuedX509V3CertRequest_withBasicConstraintsExtensionNotAllowed() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)) .critical(true).build()) .add(X509CertExtension.builder().oid(Extension.basicConstraints).value(new BasicConstraints(0)) .critical(true).build()) .build();/*from w w w. j a v a 2s.c o m*/ final CAIssuedX509V3CertRequest request = new CAIssuedX509V3CertRequest(caCert.cert, BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions); log.info(String.format("request : %s", request)); final X509Certificate cert = certificateService.generateX509CertificateV3(request, caCert.getPrivateKey()); log.info(String.format("result.getSigAlgName() = %s, result.getVersion() = %s ", cert.getSigAlgName(), cert.getVersion())); assertThat(cert.getVersion(), is(3)); cert.checkValidity(); assertThat(Arrays.areEqual(subjectPrincipal.getEncoded(), cert.getSubjectX500Principal().getEncoded()), is(true)); assertThat(Arrays.areEqual(caCert.getCert().getSubjectX500Principal().getEncoded(), cert.getIssuerX500Principal().getEncoded()), is(true)); cert.verify(caCert.getCert().getPublicKey()); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
@Test(expected = IllegalArgumentException.class) public void testGenerateX509CertificateV3_CAIssuedX509V3CertRequest_withSubjectKeyIdentifierNoAllowed() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.subjectKeyIdentifier) .value(extUtils.createSubjectKeyIdentifier(certKeyPair.getPublic())).critical(false) .build())/* w ww . ja va 2s . c om*/ .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)) .critical(true).build()) .add(X509CertExtension.builder().oid(Extension.basicConstraints).value(new BasicConstraints(0)) .critical(true).build()) .build(); final CAIssuedX509V3CertRequest request = new CAIssuedX509V3CertRequest(caCert.cert, BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
@Test(expected = IllegalArgumentException.class) public void testGenerateX509CertificateV3_CAIssuedX509V3CertRequest_withAuthorityKeyIdentifierNotAllowed() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.authorityKeyIdentifier) .value(extUtils.createAuthorityKeyIdentifier(caCert.getCert())).critical(false).build()) .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)) .critical(true).build()) .add(X509CertExtension.builder().oid(Extension.basicConstraints).value(new BasicConstraints(0)) .critical(true).build()) .build();//w w w.j a va 2s . c o m final CAIssuedX509V3CertRequest request = new CAIssuedX509V3CertRequest(caCert.cert, BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions); }