List of usage examples for org.bouncycastle.asn1.x509 X509Extension keyUsage
ASN1ObjectIdentifier keyUsage
To view the source code for org.bouncycastle.asn1.x509 X509Extension keyUsage.
Click Source Link
From source file:at.asitplus.regkassen.core.modules.signature.rawsignatureprovider.NEVER_USE_IN_A_REAL_SYSTEM_SoftwareCertificateOpenSystemSignatureModule.java
License:Apache License
public void intialise() { try {/* w w w .j a v a 2 s. c om*/ //create random demonstration ECC keys final KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC"); kpg.initialize(256); //256 bit ECDSA key //create a key pair for the demo Certificate Authority final KeyPair caKeyPair = kpg.generateKeyPair(); //create a key pair for the signature certificate, which is going to be used to sign the receipts final KeyPair signingKeyPair = kpg.generateKeyPair(); //get references to private keys for the CA and the signing key final PrivateKey caKey = caKeyPair.getPrivate(); signingKey = signingKeyPair.getPrivate(); //create CA certificate and add it to the certificate chain //NOTE: DO NEVER EVER USE IN A REAL CASHBOX, THIS IS JUST FOR DEMONSTRATION PURPOSES //NOTE: these certificates have random values, just for the demonstration purposes here //However, for testing purposes the most important feature is the EC256 Signing Key, since this is required //by the RK Suite final X509v3CertificateBuilder caBuilder = new X509v3CertificateBuilder(new X500Name("CN=RegKassa ZDA"), BigInteger.valueOf(new SecureRandom().nextLong()), new Date(System.currentTimeMillis() - 10000), new Date(System.currentTimeMillis() + 24L * 3600 * 1000), new X500Name("CN=RegKassa CA"), SubjectPublicKeyInfo.getInstance(caKeyPair.getPublic().getEncoded())); caBuilder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(false)); caBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature)); final X509CertificateHolder caHolder = caBuilder .build(new JcaContentSignerBuilder("SHA256withECDSA").setProvider("BC").build(caKey)); final X509Certificate caCertificate = new JcaX509CertificateConverter().setProvider("BC") .getCertificate(caHolder); certificateChain = new ArrayList<java.security.cert.Certificate>(); certificateChain.add(caCertificate); //create signing cert final long serialNumberCertificate = new SecureRandom().nextLong(); if (!closedSystemSignatureDevice) { serialNumberOrKeyId = Long.toHexString(serialNumberCertificate); } final X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder( new X500Name("CN=RegKassa CA"), BigInteger.valueOf(Math.abs(serialNumberCertificate)), new Date(System.currentTimeMillis() - 10000), new Date(System.currentTimeMillis() + 24L * 3600 * 1000), new X500Name("CN=Signing certificate"), SubjectPublicKeyInfo.getInstance(signingKeyPair.getPublic().getEncoded())); certBuilder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(false)); certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature)); final X509CertificateHolder certHolder = certBuilder .build(new JcaContentSignerBuilder("SHA256withECDSA").setProvider("BC").build(caKey)); signingCertificate = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder); } catch (final NoSuchAlgorithmException e) { e.printStackTrace(); } catch (final OperatorCreationException e) { e.printStackTrace(); } catch (final CertIOException e) { e.printStackTrace(); } catch (final CertificateException e) { e.printStackTrace(); } }
From source file:com.gitblit.utils.X509Utils.java
License:Apache License
/** * Creates a new certificate authority PKCS#12 store. This function will * destroy any existing CA store./*from w w w .ja va 2 s . c om*/ * * @param metadata * @param storeFile * @param keystorePassword * @param x509log * @return */ public static X509Certificate newCertificateAuthority(X509Metadata metadata, File storeFile, X509Log x509log) { try { KeyPair caPair = newKeyPair(); ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC) .build(caPair.getPrivate()); // clone metadata X509Metadata caMetadata = metadata.clone(CA_CN, metadata.password); X500Name issuerDN = buildDistinguishedName(caMetadata); // Generate self-signed certificate X509v3CertificateBuilder caBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), caMetadata.notBefore, caMetadata.notAfter, issuerDN, caPair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); caBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic())); caBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic())); caBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true)); caBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC); X509Certificate cert = converter.getCertificate(caBuilder.build(caSigner)); // confirm the validity of the CA certificate cert.checkValidity(new Date()); cert.verify(cert.getPublicKey()); // Delete existing keystore if (storeFile.exists()) { storeFile.delete(); } // Save private key and certificate to new keystore KeyStore store = openKeyStore(storeFile, caMetadata.password); store.setKeyEntry(CA_ALIAS, caPair.getPrivate(), caMetadata.password.toCharArray(), new Certificate[] { cert }); saveKeyStore(storeFile, store, caMetadata.password); x509log.log(MessageFormat.format("New CA certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getIssuerDN().getName())); // update serial number in metadata object caMetadata.serialNumber = cert.getSerialNumber().toString(); return cert; } catch (Throwable t) { throw new RuntimeException("Failed to generate Gitblit CA certificate!", t); } }
From source file:com.gitblit.utils.X509Utils.java
License:Apache License
/** * Creates a new client certificate PKCS#12 and PEM store. Any existing * stores are destroyed./*w w w . j av a 2s . c o m*/ * * @param clientMetadata a container for dynamic parameters needed for generation * @param caKeystoreFile * @param caKeystorePassword * @param targetFolder * @return */ public static X509Certificate newClientCertificate(X509Metadata clientMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetFolder) { try { KeyPair pair = newKeyPair(); X500Name userDN = buildDistinguishedName(clientMetadata); X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); // create a new certificate signed by the Gitblit CA certificate X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), clientMetadata.notBefore, clientMetadata.notAfter, userDN, pair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); if (!StringUtils.isEmpty(clientMetadata.emailAddress)) { GeneralNames subjectAltName = new GeneralNames( new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress)); certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); } ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC) .build(caPrivateKey); X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC) .getCertificate(certBuilder.build(signer)); PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) pair.getPrivate(); bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, extUtils.createSubjectKeyIdentifier(pair.getPublic())); // confirm the validity of the user certificate userCert.checkValidity(); userCert.verify(caCert.getPublicKey()); userCert.getIssuerDN().equals(caCert.getSubjectDN()); // verify user certificate chain verifyChain(userCert, caCert); targetFolder.mkdirs(); // save certificate, stamped with unique name String date = new SimpleDateFormat("yyyyMMdd").format(new Date()); String id = date; File certFile = new File(targetFolder, id + ".cer"); int count = 0; while (certFile.exists()) { id = date + "_" + Character.toString((char) (0x61 + count)); certFile = new File(targetFolder, id + ".cer"); count++; } // save user private key, user certificate and CA certificate to a PKCS#12 store File p12File = new File(targetFolder, clientMetadata.commonName + ".p12"); if (p12File.exists()) { p12File.delete(); } KeyStore userStore = openKeyStore(p12File, clientMetadata.password); userStore.setKeyEntry( MessageFormat.format("Gitblit ({0}) {1} {2}", clientMetadata.serverHostname, clientMetadata.userDisplayname, id), pair.getPrivate(), null, new Certificate[] { userCert }); userStore.setCertificateEntry( MessageFormat.format("Gitblit ({0}) Certificate Authority", clientMetadata.serverHostname), caCert); saveKeyStore(p12File, userStore, clientMetadata.password); // save user private key, user certificate, and CA certificate to a PEM store File pemFile = new File(targetFolder, clientMetadata.commonName + ".pem"); if (pemFile.exists()) { pemFile.delete(); } JcePEMEncryptorBuilder builder = new JcePEMEncryptorBuilder("DES-EDE3-CBC"); builder.setSecureRandom(new SecureRandom()); PEMEncryptor pemEncryptor = builder.build(clientMetadata.password.toCharArray()); JcaPEMWriter pemWriter = new JcaPEMWriter(new FileWriter(pemFile)); pemWriter.writeObject(pair.getPrivate(), pemEncryptor); pemWriter.writeObject(userCert); pemWriter.writeObject(caCert); pemWriter.flush(); pemWriter.close(); // save certificate after successfully creating the key stores saveCertificate(userCert, certFile); // update serial number in metadata object clientMetadata.serialNumber = userCert.getSerialNumber().toString(); return userCert; } catch (Throwable t) { throw new RuntimeException("Failed to generate client certificate!", t); } }
From source file:com.rcn.service.CertificateService.java
License:Open Source License
private void addCaExtension(JcaX509v3CertificateBuilder v3CertGen) { v3CertGen.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true)); v3CertGen.addExtension(X509Extension.keyUsage, false, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign)); ASN1EncodableVector intPolicies = new ASN1EncodableVector(); intPolicies.add(new PolicyInformation(new DERObjectIdentifier(ANY_POLICY))); v3CertGen.addExtension(X509Extension.certificatePolicies, false, new DERSequence(intPolicies)); }
From source file:com.rcn.service.CertificateService.java
License:Open Source License
private void addRegularExtension(Optional<GeneralNames> generalNames, JcaX509v3CertificateBuilder v3CertGen) { v3CertGen.addExtension(X509Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); Vector<KeyPurposeId> authTypes = new Vector<>(); authTypes.add(KeyPurposeId.id_kp_clientAuth); authTypes.add(KeyPurposeId.id_kp_serverAuth); v3CertGen.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(authTypes)); generalNames.ifPresent(n -> v3CertGen.addExtension(X509Extension.subjectAlternativeName, false, n)); }
From source file:eu.optimis.ics.BrokerVPNCredentials.BrokerCA.java
License:Open Source License
public byte[] getSignedCertificateBytes(byte[] sentCSRBytes) { X509CertificateHolder certHolder = null; byte[] result = null; try {// ww w . j a v a 2s . c o m PKCS10CertificationRequest certRequest = new PKCS10CertificationRequest(sentCSRBytes); PEMReader r = new PEMReader(new FileReader(caPath + "ca.crt")); X509Certificate rootCert = (X509Certificate) r.readObject(); r.close(); X500Name subject = certRequest.getSubject(); MessageDigest m = MessageDigest.getInstance("MD5"); m.update(subject.toString().getBytes(), 0, subject.toString().length()); BigInteger serial = new BigInteger(m.digest()); Date notBefore = new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30); Date notAfter = new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365)); SubjectPublicKeyInfo publicKeyInfo = certRequest.getSubjectPublicKeyInfo(); X500Name issuer = new X500Name(rootCert.getSubjectDN().toString()); X509v3CertificateBuilder v3CertBuilder = new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, publicKeyInfo); v3CertBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKeyInfo)); v3CertBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(rootCert)); v3CertBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); v3CertBuilder.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_ipsecEndSystem)); v3CertBuilder.addExtension(X509Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature)); ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC") .build(loadCAPrivateKey(caPath)); certHolder = v3CertBuilder.build(sigGen); result = certHolder.getEncoded(); } catch (Exception e) { e.printStackTrace(); } return result; }
From source file:eu.optimis.ics.Credentials.CertificateGenerator.java
License:Open Source License
public static X509CertificateHolder genServerCertificate(PKCS10CertificationRequest certRequest, String credPath) {/* w w w . java2 s .c o m*/ X509v3CertificateBuilder v3CertBuilder = null; ContentSigner sigGen = null; try { PEMReader r = new PEMReader(new FileReader(credPath + "ca.crt")); X509Certificate rootCert = (X509Certificate) r.readObject(); r.close(); BigInteger serial = BigInteger.ONE; Date notBefore = new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30); Date notAfter = new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365 * 10)); SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo .getInstance(certRequest.getPublicKey().getEncoded()); X500Name issuer = new X500Name(rootCert.getSubjectDN().toString()); System.out.println(issuer.toString()); @SuppressWarnings("deprecation") X500Name subject = new X500Name(certRequest.getCertificationRequestInfo().getSubject().toString()); v3CertBuilder = new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, publicKeyInfo); v3CertBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(publicKeyInfo)); v3CertBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(rootCert)); v3CertBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); v3CertBuilder.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); v3CertBuilder.addExtension(X509Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); sigGen = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(loadCAPrivateKey(credPath)); } catch (IOException ioe) { ioe.printStackTrace(); } catch (InvalidKeyException e) { e.printStackTrace(); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (NoSuchProviderException e) { e.printStackTrace(); } catch (OperatorCreationException e) { e.printStackTrace(); } catch (InvalidKeySpecException e) { e.printStackTrace(); } catch (CertificateParsingException e) { e.printStackTrace(); } return v3CertBuilder.build(sigGen); }
From source file:eu.optimis.ics.Credentials.CertificateGenerator.java
License:Open Source License
public static X509CertificateHolder genClientCertificate(PKCS10CertificationRequest certRequest, String credPath) throws Exception { PEMReader r = new PEMReader(new FileReader(credPath + "ca.crt")); X509Certificate rootCert = (X509Certificate) r.readObject(); r.close();//from w w w .j a v a 2s .co m BigInteger serial = BigInteger.valueOf(2).abs(); Date notBefore = new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30); Date notAfter = new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365 * 10)); SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo .getInstance(certRequest.getPublicKey().getEncoded()); X500Name issuer = new X500Name(rootCert.getSubjectDN().toString()); @SuppressWarnings("deprecation") X500Name subject = new X500Name(certRequest.getCertificationRequestInfo().getSubject().toString()); X509v3CertificateBuilder v3CertBuilder = new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, publicKeyInfo); v3CertBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(publicKeyInfo)); v3CertBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(rootCert)); v3CertBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); v3CertBuilder.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth)); v3CertBuilder.addExtension(X509Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature)); ContentSigner sigGen = null; try { sigGen = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(loadCAPrivateKey(credPath)); } catch (OperatorCreationException e) { e.printStackTrace(); } return v3CertBuilder.build(sigGen); }
From source file:fathom.x509.X509Utils.java
License:Apache License
/** * Creates a new certificate authority PKCS#12 store. This function will * destroy any existing CA store.//from ww w.j a v a 2s . co m * * @param metadata * @param storeFile * @param x509log * @return */ public static X509Certificate newCertificateAuthority(X509Metadata metadata, File storeFile, X509Log x509log) { try { KeyPair caPair = newKeyPair(); ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC) .build(caPair.getPrivate()); // clone metadata X509Metadata caMetadata = metadata.clone(CA_CN, metadata.password); X500Name issuerDN = buildDistinguishedName(caMetadata); // Generate self-signed certificate X509v3CertificateBuilder caBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), caMetadata.notBefore, caMetadata.notAfter, issuerDN, caPair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); caBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic())); caBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic())); caBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true)); caBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC); X509Certificate cert = converter.getCertificate(caBuilder.build(caSigner)); // confirm the validity of the CA certificate cert.checkValidity(new Date()); cert.verify(cert.getPublicKey()); // Delete existing keystore if (storeFile.exists()) { storeFile.delete(); } // Save private key and certificate to new keystore KeyStore store = openKeyStore(storeFile, caMetadata.password); store.setKeyEntry(CA_ALIAS, caPair.getPrivate(), caMetadata.password.toCharArray(), new Certificate[] { cert }); saveKeyStore(storeFile, store, caMetadata.password); x509log.log(MessageFormat.format("New CA certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getIssuerDN().getName())); // update serial number in metadata object caMetadata.serialNumber = cert.getSerialNumber().toString(); return cert; } catch (Throwable t) { throw new RuntimeException("Failed to generate Fathom CA certificate!", t); } }
From source file:fathom.x509.X509Utils.java
License:Apache License
/** * Creates a new client certificate PKCS#12 and PEM store. Any existing * stores are destroyed.//ww w . ja va 2 s. com * * @param clientMetadata a container for dynamic parameters needed for generation * @param caPrivateKey * @param caCert * @param targetFolder * @return */ public static X509Certificate newClientCertificate(X509Metadata clientMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetFolder) { try { KeyPair pair = newKeyPair(); X500Name userDN = buildDistinguishedName(clientMetadata); X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); // create a new certificate signed by the Fathom CA certificate X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), clientMetadata.notBefore, clientMetadata.notAfter, userDN, pair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); if (!Strings.isNullOrEmpty(clientMetadata.emailAddress)) { GeneralNames subjectAltName = new GeneralNames( new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress)); certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); } ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC) .build(caPrivateKey); X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC) .getCertificate(certBuilder.build(signer)); PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) pair.getPrivate(); bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, extUtils.createSubjectKeyIdentifier(pair.getPublic())); // confirm the validity of the user certificate userCert.checkValidity(); userCert.verify(caCert.getPublicKey()); userCert.getIssuerDN().equals(caCert.getSubjectDN()); // verify user certificate chain verifyChain(userCert, caCert); targetFolder.mkdirs(); // save certificate, stamped with unique name String date = new SimpleDateFormat("yyyyMMdd").format(new Date()); String id = date; File certFile = new File(targetFolder, id + ".cer"); int count = 0; while (certFile.exists()) { id = date + "_" + Character.toString((char) (0x61 + count)); certFile = new File(targetFolder, id + ".cer"); count++; } // save user private key, user certificate and CA certificate to a PKCS#12 store File p12File = new File(targetFolder, clientMetadata.commonName + ".p12"); if (p12File.exists()) { p12File.delete(); } KeyStore userStore = openKeyStore(p12File, clientMetadata.password); userStore.setKeyEntry( MessageFormat.format("Fathom ({0}) {1} {2}", clientMetadata.serverHostname, clientMetadata.userDisplayname, id), pair.getPrivate(), null, new Certificate[] { userCert }); userStore.setCertificateEntry( MessageFormat.format("Fathom ({0}) Certificate Authority", clientMetadata.serverHostname), caCert); saveKeyStore(p12File, userStore, clientMetadata.password); // save user private key, user certificate, and CA certificate to a PEM store File pemFile = new File(targetFolder, clientMetadata.commonName + ".pem"); if (pemFile.exists()) { pemFile.delete(); } PEMWriter pemWriter = new PEMWriter(new FileWriter(pemFile)); pemWriter.writeObject(pair.getPrivate(), "DES-EDE3-CBC", clientMetadata.password.toCharArray(), new SecureRandom()); pemWriter.writeObject(userCert); pemWriter.writeObject(caCert); pemWriter.flush(); pemWriter.close(); // save certificate after successfully creating the key stores saveCertificate(userCert, certFile); // update serial number in metadata object clientMetadata.serialNumber = userCert.getSerialNumber().toString(); return userCert; } catch (Throwable t) { throw new RuntimeException("Failed to generate client certificate!", t); } }