List of usage examples for org.bouncycastle.cert.jcajce JcaX509ExtensionUtils createAuthorityKeyIdentifier
public AuthorityKeyIdentifier createAuthorityKeyIdentifier(PublicKey pubKey)
From source file:be.fedict.trust.test.PKITestUtils.java
License:Open Source License
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, DateTime notBefore, DateTime notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, boolean caFlag, int pathLength, String crlUri, String ocspUri, KeyUsage keyUsage, String signatureAlgorithm, boolean tsa, boolean includeSKID, boolean includeAKID, PublicKey akidPublicKey, String certificatePolicy, Boolean qcCompliance, boolean ocspResponder, boolean qcSSCD) throws IOException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException, OperatorCreationException { X500Name issuerName;/*w w w . jav a 2 s . co m*/ if (null != issuerCertificate) { issuerName = new X500Name(issuerCertificate.getSubjectX500Principal().toString()); } else { issuerName = new X500Name(subjectDn); } X500Name subjectName = new X500Name(subjectDn); BigInteger serial = new BigInteger(128, new SecureRandom()); SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded()); X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(issuerName, serial, notBefore.toDate(), notAfter.toDate(), subjectName, publicKeyInfo); JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils(); if (includeSKID) { x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(subjectPublicKey)); } if (includeAKID) { PublicKey authorityPublicKey; if (null != akidPublicKey) { authorityPublicKey = akidPublicKey; } else if (null != issuerCertificate) { authorityPublicKey = issuerCertificate.getPublicKey(); } else { authorityPublicKey = subjectPublicKey; } x509v3CertificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(authorityPublicKey)); } if (caFlag) { if (-1 == pathLength) { x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(2147483647)); } else { x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(pathLength)); } } if (null != crlUri) { GeneralName generalName = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(crlUri)); GeneralNames generalNames = new GeneralNames(generalName); DistributionPointName distPointName = new DistributionPointName(generalNames); DistributionPoint distPoint = new DistributionPoint(distPointName, null, null); DistributionPoint[] crlDistPoints = new DistributionPoint[] { distPoint }; CRLDistPoint crlDistPoint = new CRLDistPoint(crlDistPoints); x509v3CertificateBuilder.addExtension(Extension.cRLDistributionPoints, false, crlDistPoint); } if (null != ocspUri) { GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); x509v3CertificateBuilder.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess); } if (null != keyUsage) { x509v3CertificateBuilder.addExtension(Extension.keyUsage, true, keyUsage); } if (null != certificatePolicy) { ASN1ObjectIdentifier policyObjectIdentifier = new ASN1ObjectIdentifier(certificatePolicy); PolicyInformation policyInformation = new PolicyInformation(policyObjectIdentifier); x509v3CertificateBuilder.addExtension(Extension.certificatePolicies, false, new DERSequence(policyInformation)); } if (null != qcCompliance) { ASN1EncodableVector vec = new ASN1EncodableVector(); if (qcCompliance) { vec.add(new QCStatement(QCStatement.id_etsi_qcs_QcCompliance)); } else { vec.add(new QCStatement(QCStatement.id_etsi_qcs_RetentionPeriod)); } if (qcSSCD) { vec.add(new QCStatement(QCStatement.id_etsi_qcs_QcSSCD)); } x509v3CertificateBuilder.addExtension(Extension.qCStatements, true, new DERSequence(vec)); } if (tsa) { x509v3CertificateBuilder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)); } if (ocspResponder) { x509v3CertificateBuilder.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, DERNull.INSTANCE); x509v3CertificateBuilder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning)); } AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithm); AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); AsymmetricKeyParameter asymmetricKeyParameter = PrivateKeyFactory.createKey(issuerPrivateKey.getEncoded()); ContentSigner contentSigner = new BcRSAContentSignerBuilder(sigAlgId, digAlgId) .build(asymmetricKeyParameter); X509CertificateHolder x509CertificateHolder = x509v3CertificateBuilder.build(contentSigner); byte[] encodedCertificate = x509CertificateHolder.getEncoded(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509Certificate certificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(encodedCertificate)); return certificate; }
From source file:be.fedict.trust.test.PKITestUtils.java
License:Open Source License
public static X509CRL generateCrl(PrivateKey issuerPrivateKey, X509Certificate issuerCertificate, DateTime thisUpdate, DateTime nextUpdate, List<String> deltaCrlUris, boolean deltaCrl, List<RevokedCertificate> revokedCertificates, String signatureAlgorithm, long numberOfRevokedCertificates) throws InvalidKeyException, CRLException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException, IOException, OperatorCreationException { X500Name issuerName = new X500Name(issuerCertificate.getSubjectX500Principal().toString()); X509v2CRLBuilder x509v2crlBuilder = new X509v2CRLBuilder(issuerName, thisUpdate.toDate()); x509v2crlBuilder.setNextUpdate(nextUpdate.toDate()); for (RevokedCertificate revokedCertificate : revokedCertificates) { x509v2crlBuilder.addCRLEntry(revokedCertificate.serialNumber, revokedCertificate.revocationDate.toDate(), CRLReason.privilegeWithdrawn); }/* w ww . j a v a 2 s . c o m*/ if (-1 != numberOfRevokedCertificates) { SecureRandom secureRandom = new SecureRandom(); while (numberOfRevokedCertificates-- > 0) { BigInteger serialNumber = new BigInteger(128, secureRandom); Date revocationDate = new Date(); x509v2crlBuilder.addCRLEntry(serialNumber, revocationDate, CRLReason.privilegeWithdrawn); } } JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils(); x509v2crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerCertificate)); x509v2crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.ONE)); if (null != deltaCrlUris && !deltaCrlUris.isEmpty()) { DistributionPoint[] deltaCrlDps = new DistributionPoint[deltaCrlUris.size()]; for (int i = 0; i < deltaCrlUris.size(); i++) { deltaCrlDps[i] = getDistributionPoint(deltaCrlUris.get(i)); } CRLDistPoint crlDistPoint = new CRLDistPoint((DistributionPoint[]) deltaCrlDps); x509v2crlBuilder.addExtension(Extension.freshestCRL, false, crlDistPoint); } if (deltaCrl) { x509v2crlBuilder.addExtension(Extension.deltaCRLIndicator, true, new CRLNumber(BigInteger.ONE)); } AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithm); AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); AsymmetricKeyParameter asymmetricKeyParameter = PrivateKeyFactory.createKey(issuerPrivateKey.getEncoded()); ContentSigner contentSigner = new BcRSAContentSignerBuilder(sigAlgId, digAlgId) .build(asymmetricKeyParameter); X509CRLHolder x509crlHolder = x509v2crlBuilder.build(contentSigner); byte[] crlValue = x509crlHolder.getEncoded(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509CRL crl = (X509CRL) certificateFactory.generateCRL(new ByteArrayInputStream(crlValue)); return crl; }
From source file:co.runrightfast.core.security.cert.CAIssuedX509V3CertRequest.java
License:Apache License
private Collection<X509CertExtension> augmentExtensions(final Collection<X509CertExtension> extensions, final X509Certificate caCert) { final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList.Builder<X509CertExtension> x509CertExtensions = ImmutableList .<X509CertExtension>builder().addAll(extensions); try {/*from ww w .j a v a 2 s . c om*/ x509CertExtensions.add(X509CertExtension.builder().oid(Extension.authorityKeyIdentifier) .value(extUtils.createAuthorityKeyIdentifier(caCert)).critical(false).build()); } catch (final CertificateEncodingException ex) { throw new ApplicationException(ex); } return x509CertExtensions.build(); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
/** * SubjectKeyIdentifier is not allowed to be specified * * @throws NoSuchAlgorithmException//from w w w.j a v a 2 s .co m * @throws NoSuchProviderException * @throws CertificateExpiredException * @throws CertificateNotYetValidException * @throws CertificateException * @throws InvalidKeyException * @throws SignatureException */ @Test(expected = IllegalArgumentException.class) public void testGenerateX509CertificateV3_intermediateCACertificate_withSubjectKeyIdentifierNoAllowed() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.authorityKeyIdentifier) .value(extUtils.createAuthorityKeyIdentifier(caCert.getCert())).critical(false).build()) .add(X509CertExtension.builder().oid(Extension.subjectKeyIdentifier) .value(extUtils.createSubjectKeyIdentifier(certKeyPair.getPublic())).critical(false) .build()) .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)) .critical(true).build()) .build(); final X509V3CertRequest request = new X509V3CertRequest(caCert.cert.getIssuerX500Principal(), BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
@Test public void testGenerateX509CertificateV3_intermediateCACertificate() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException, CertificateEncodingException, IOException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.authorityKeyIdentifier) .value(extUtils.createAuthorityKeyIdentifier(caCert.getCert())).critical(false).build()) .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)) .critical(true).build()) .build();// w ww . j a va 2 s.c om final X509V3CertRequest request = new X509V3CertRequest(caCert.cert.getIssuerX500Principal(), BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions, new BasicConstraints(0)); log.info(String.format("request : %s", request)); final X509Certificate cert = certificateService.generateX509CertificateV3(request, caCert.getPrivateKey()); log.info(String.format("result.getSigAlgName() = %s, result.getVersion() = %s ", cert.getSigAlgName(), cert.getVersion())); assertThat(cert.getVersion(), is(3)); cert.checkValidity(); assertThat(Arrays.areEqual(subjectPrincipal.getEncoded(), cert.getSubjectX500Principal().getEncoded()), is(true)); assertThat(Arrays.areEqual(caCert.getCert().getSubjectX500Principal().getEncoded(), cert.getIssuerX500Principal().getEncoded()), is(true)); cert.verify(caCert.getCert().getPublicKey()); assertThat(cert.getBasicConstraints(), is(0)); checkAuthorityKeyIdentifierExtenstion(cert, caCert); checkSubjectKeyIdentifierExtenstion(cert); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
@Test(expected = IllegalArgumentException.class) public void testGenerateX509CertificateV3_CAIssuedX509V3CertRequest_withAuthorityKeyIdentifierNotAllowed() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.authorityKeyIdentifier) .value(extUtils.createAuthorityKeyIdentifier(caCert.getCert())).critical(false).build()) .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)) .critical(true).build()) .add(X509CertExtension.builder().oid(Extension.basicConstraints).value(new BasicConstraints(0)) .critical(true).build()) .build();/*ww w . j a v a2s. c o m*/ final CAIssuedX509V3CertRequest request = new CAIssuedX509V3CertRequest(caCert.cert, BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
/** * creates an end entity certificate which might be used to verify one of the subject's signatures or to encrypt data to be sent to the entity represented * by the certificate's subject/*from w w w . ja va 2 s. c o m*/ * * @throws NoSuchAlgorithmException * @throws NoSuchProviderException * @throws CertificateExpiredException * @throws CertificateNotYetValidException * @throws CertificateException * @throws InvalidKeyException * @throws SignatureException */ @Test public void testGenerateX509CertificateV3_endEntityCertificate() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException, IOException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.authorityKeyIdentifier) .value(extUtils.createAuthorityKeyIdentifier(caCert.getCert())).critical(false).build()) .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)).critical(true) .build()) .build(); final X509V3CertRequest request = new X509V3CertRequest(caCert.cert.getIssuerX500Principal(), BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions); log.info(String.format("request : %s", request)); final X509Certificate cert = certificateService.generateX509CertificateV3(request, caCert.getPrivateKey()); log.info(String.format("result.getSigAlgName() = %s, result.getVersion() = %s ", cert.getSigAlgName(), cert.getVersion())); assertThat(cert.getVersion(), is(3)); cert.checkValidity(); assertThat(Arrays.areEqual(subjectPrincipal.getEncoded(), cert.getSubjectX500Principal().getEncoded()), is(true)); assertThat(Arrays.areEqual(caCert.getCert().getSubjectX500Principal().getEncoded(), cert.getIssuerX500Principal().getEncoded()), is(true)); cert.verify(caCert.getCert().getPublicKey()); assertThat(cert.getBasicConstraints(), is(-1)); checkAuthorityKeyIdentifierExtenstion(cert, caCert); checkSubjectKeyIdentifierExtenstion(cert); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
private void checkAuthorityKeyIdentifierExtenstion(final X509Certificate cert, final CaCert caCert) throws CertificateEncodingException, IOException { final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final byte[] extValue = cert.getExtensionValue(OID.AUTHORITY_KEY_IDENIFIER.oid.getId()); assertThat(extValue, is(notNullValue())); final byte[] expectedExtValue = X509CertExtension.builder().oid(Extension.authorityKeyIdentifier) .value(extUtils.createAuthorityKeyIdentifier(caCert.getCert())).critical(false).build() .toExtension().getExtnValue().getEncoded(DER.name()); assertThat(Arrays.areEqual(extValue, expectedExtValue), is(true)); final X509CertificateHolder certHolder = new JcaX509CertificateHolder(cert); final Extension ext = certHolder.getExtensions().getExtension(OID.AUTHORITY_KEY_IDENIFIER.oid); assertThat(ext, is(notNullValue())); assertThat(Arrays.areEqual(ext.getExtnValue().getEncoded(DER.name()), expectedExtValue), is(true)); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
@Test(expected = IllegalArgumentException.class) public void testGenerateX509CertificateV3_endEntityCertificate_withBasicConstraintsNotAllowed() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.authorityKeyIdentifier) .value(extUtils.createAuthorityKeyIdentifier(caCert.getCert())).critical(false).build()) .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)).critical(true) .build())/*from w w w . j a v a 2s. co m*/ .add(X509CertExtension.builder().oid(Extension.basicConstraints).value(new BasicConstraints(false)) .critical(true).build()) .build(); final X509V3CertRequest request = new X509V3CertRequest(caCert.cert.getIssuerX500Principal(), BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions); log.info(String.format("request : %s", request)); final X509Certificate cert = certificateService.generateX509CertificateV3(request, caCert.getPrivateKey()); log.info(String.format("result.getSigAlgName() = %s, result.getVersion() = %s ", cert.getSigAlgName(), cert.getVersion())); assertThat(cert.getVersion(), is(3)); cert.checkValidity(); assertThat(Arrays.areEqual(subjectPrincipal.getEncoded(), cert.getSubjectX500Principal().getEncoded()), is(true)); assertThat(Arrays.areEqual(caCert.getCert().getSubjectX500Principal().getEncoded(), cert.getIssuerX500Principal().getEncoded()), is(true)); cert.verify(caCert.getCert().getPublicKey()); }
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
@Test(expected = IllegalArgumentException.class) public void testGenerateX509CertificateV3_endEntityCertificate_withSubjectKeyIdentifierNoAllowed() throws NoSuchAlgorithmException, NoSuchProviderException, CertificateExpiredException, CertificateNotYetValidException, CertificateException, InvalidKeyException, SignatureException { final DistinguishedName subject = subject(); final X500Principal subjectPrincipal = subject.toX500Principal(); final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA.name(), BOUNCY_CASTLE); final KeyPair certKeyPair = keyPairGenerator.generateKeyPair(); final CaCert caCert = caCert(); final JcaX509ExtensionUtils extUtils = jcaX509ExtensionUtils(); final ImmutableList<X509CertExtension> x509CertExtensions = ImmutableList.<X509CertExtension>builder() .add(X509CertExtension.builder().oid(Extension.authorityKeyIdentifier) .value(extUtils.createAuthorityKeyIdentifier(caCert.getCert())).critical(false).build()) .add(X509CertExtension.builder().oid(Extension.subjectKeyIdentifier) .value(extUtils.createSubjectKeyIdentifier(certKeyPair.getPublic())).critical(false) .build())/*from w ww . j a v a 2s. com*/ .add(X509CertExtension.builder().oid(Extension.keyUsage) .value(new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)).critical(true) .build()) .add(X509CertExtension.builder().oid(Extension.basicConstraints).value(new BasicConstraints(false)) .critical(true).build()) .build(); final X509V3CertRequest request = new X509V3CertRequest(caCert.cert.getIssuerX500Principal(), BigInteger.ONE, Instant.now(), Instant.ofEpochMilli(System.currentTimeMillis() + (10 * 1000)), subjectPrincipal, certKeyPair.getPublic(), x509CertExtensions); }