List of usage examples for org.bouncycastle.cert.jcajce JcaX509CertificateConverter JcaX509CertificateConverter
public JcaX509CertificateConverter()
From source file:org.apache.pdfbox.examples.pdmodel.TestCreateSignature.java
License:Apache License
private void checkSignature(File file) throws IOException, CMSException, OperatorCreationException, GeneralSecurityException { PDDocument document = PDDocument.load(file); List<PDSignature> signatureDictionaries = document.getSignatureDictionaries(); if (signatureDictionaries.isEmpty()) { Assert.fail("no signature found"); }//from w ww .j a v a 2 s . c o m for (PDSignature sig : document.getSignatureDictionaries()) { COSString contents = (COSString) sig.getCOSObject().getDictionaryObject(COSName.CONTENTS); FileInputStream fis = new FileInputStream(file); byte[] buf = sig.getSignedContent(fis); fis.close(); // inspiration: // http://stackoverflow.com/a/26702631/535646 // http://stackoverflow.com/a/9261365/535646 CMSSignedData signedData = new CMSSignedData(new CMSProcessableByteArray(buf), contents.getBytes()); Store certificatesStore = signedData.getCertificates(); Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners(); SignerInformation signerInformation = signers.iterator().next(); Collection matches = certificatesStore.getMatches(signerInformation.getSID()); X509CertificateHolder certificateHolder = (X509CertificateHolder) matches.iterator().next(); X509Certificate certFromSignedData = new JcaX509CertificateConverter() .getCertificate(certificateHolder); Assert.assertEquals(certificate, certFromSignedData); // CMSVerifierCertificateNotValidException means that the keystore wasn't valid at signing time if (!signerInformation.verify(new JcaSimpleSignerInfoVerifierBuilder().build(certFromSignedData))) { Assert.fail("Signature verification failed"); } break; } document.close(); }
From source file:org.apache.pdfbox.examples.signature.ShowSignature.java
License:Apache License
/** * Verify a PKCS7 signature.//from w w w . j av a 2s .c o m * * @param byteArray the byte sequence that has been signed * @param contents the /Contents field as a COSString * @param sig the PDF signature (the /V dictionary) * @throws CertificateException * @throws CMSException * @throws StoreException * @throws OperatorCreationException */ private void verifyPKCS7(byte[] byteArray, COSString contents, PDSignature sig) throws CMSException, CertificateException, StoreException, OperatorCreationException { // inspiration: // http://stackoverflow.com/a/26702631/535646 // http://stackoverflow.com/a/9261365/535646 CMSProcessable signedContent = new CMSProcessableByteArray(byteArray); CMSSignedData signedData = new CMSSignedData(signedContent, contents.getBytes()); Store certificatesStore = signedData.getCertificates(); Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners(); SignerInformation signerInformation = signers.iterator().next(); Collection matches = certificatesStore.getMatches(signerInformation.getSID()); X509CertificateHolder certificateHolder = (X509CertificateHolder) matches.iterator().next(); X509Certificate certFromSignedData = new JcaX509CertificateConverter().getCertificate(certificateHolder); System.out.println("certFromSignedData: " + certFromSignedData); certFromSignedData.checkValidity(sig.getSignDate().getTime()); if (signerInformation.verify(new JcaSimpleSignerInfoVerifierBuilder().build(certFromSignedData))) { System.out.println("Signature verified"); } else { System.out.println("Signature verification failed"); } }
From source file:org.apache.poi.poifs.crypt.dsig.services.TSPTimeStampService.java
License:Apache License
@SuppressWarnings("unchecked") public byte[] timeStamp(byte[] data, RevocationData revocationData) throws Exception { // digest the message MessageDigest messageDigest = CryptoFunctions.getMessageDigest(signatureConfig.getTspDigestAlgo()); byte[] digest = messageDigest.digest(data); // generate the TSP request BigInteger nonce = new BigInteger(128, new SecureRandom()); TimeStampRequestGenerator requestGenerator = new TimeStampRequestGenerator(); requestGenerator.setCertReq(true);/* w ww.ja v a2 s .c om*/ String requestPolicy = signatureConfig.getTspRequestPolicy(); if (requestPolicy != null) { requestGenerator.setReqPolicy(new ASN1ObjectIdentifier(requestPolicy)); } ASN1ObjectIdentifier digestAlgoOid = mapDigestAlgoToOID(signatureConfig.getTspDigestAlgo()); TimeStampRequest request = requestGenerator.generate(digestAlgoOid, digest, nonce); byte[] encodedRequest = request.getEncoded(); // create the HTTP POST request Proxy proxy = Proxy.NO_PROXY; if (signatureConfig.getProxyUrl() != null) { URL proxyUrl = new URL(signatureConfig.getProxyUrl()); String host = proxyUrl.getHost(); int port = proxyUrl.getPort(); proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(host, (port == -1 ? 80 : port))); } HttpURLConnection huc = (HttpURLConnection) new URL(signatureConfig.getTspUrl()).openConnection(proxy); if (signatureConfig.getTspUser() != null) { String userPassword = signatureConfig.getTspUser() + ":" + signatureConfig.getTspPass(); String encoding = DatatypeConverter .printBase64Binary(userPassword.getBytes(Charset.forName("iso-8859-1"))); huc.setRequestProperty("Authorization", "Basic " + encoding); } huc.setRequestMethod("POST"); huc.setConnectTimeout(20000); huc.setReadTimeout(20000); huc.setDoOutput(true); // also sets method to POST. huc.setRequestProperty("User-Agent", signatureConfig.getUserAgent()); huc.setRequestProperty("Content-Type", signatureConfig.isTspOldProtocol() ? "application/timestamp-request" : "application/timestamp-query"); // "; charset=ISO-8859-1"); OutputStream hucOut = huc.getOutputStream(); hucOut.write(encodedRequest); // invoke TSP service huc.connect(); int statusCode = huc.getResponseCode(); if (statusCode != 200) { LOG.log(POILogger.ERROR, "Error contacting TSP server ", signatureConfig.getTspUrl()); throw new IOException("Error contacting TSP server " + signatureConfig.getTspUrl()); } // HTTP input validation String contentType = huc.getHeaderField("Content-Type"); if (null == contentType) { throw new RuntimeException("missing Content-Type header"); } ByteArrayOutputStream bos = new ByteArrayOutputStream(); IOUtils.copy(huc.getInputStream(), bos); LOG.log(POILogger.DEBUG, "response content: ", bos.toString()); if (!contentType.startsWith(signatureConfig.isTspOldProtocol() ? "application/timestamp-response" : "application/timestamp-reply")) { throw new RuntimeException("invalid Content-Type: " + contentType); } if (bos.size() == 0) { throw new RuntimeException("Content-Length is zero"); } // TSP response parsing and validation TimeStampResponse timeStampResponse = new TimeStampResponse(bos.toByteArray()); timeStampResponse.validate(request); if (0 != timeStampResponse.getStatus()) { LOG.log(POILogger.DEBUG, "status: " + timeStampResponse.getStatus()); LOG.log(POILogger.DEBUG, "status string: " + timeStampResponse.getStatusString()); PKIFailureInfo failInfo = timeStampResponse.getFailInfo(); if (null != failInfo) { LOG.log(POILogger.DEBUG, "fail info int value: " + failInfo.intValue()); if (/*PKIFailureInfo.unacceptedPolicy*/(1 << 8) == failInfo.intValue()) { LOG.log(POILogger.DEBUG, "unaccepted policy"); } } throw new RuntimeException("timestamp response status != 0: " + timeStampResponse.getStatus()); } TimeStampToken timeStampToken = timeStampResponse.getTimeStampToken(); SignerId signerId = timeStampToken.getSID(); BigInteger signerCertSerialNumber = signerId.getSerialNumber(); X500Name signerCertIssuer = signerId.getIssuer(); LOG.log(POILogger.DEBUG, "signer cert serial number: " + signerCertSerialNumber); LOG.log(POILogger.DEBUG, "signer cert issuer: " + signerCertIssuer); // TSP signer certificates retrieval Collection<X509CertificateHolder> certificates = timeStampToken.getCertificates().getMatches(null); X509CertificateHolder signerCert = null; Map<X500Name, X509CertificateHolder> certificateMap = new HashMap<X500Name, X509CertificateHolder>(); for (X509CertificateHolder certificate : certificates) { if (signerCertIssuer.equals(certificate.getIssuer()) && signerCertSerialNumber.equals(certificate.getSerialNumber())) { signerCert = certificate; } certificateMap.put(certificate.getSubject(), certificate); } // TSP signer cert path building if (signerCert == null) { throw new RuntimeException("TSP response token has no signer certificate"); } List<X509Certificate> tspCertificateChain = new ArrayList<X509Certificate>(); JcaX509CertificateConverter x509converter = new JcaX509CertificateConverter(); x509converter.setProvider("BC"); X509CertificateHolder certificate = signerCert; do { LOG.log(POILogger.DEBUG, "adding to certificate chain: " + certificate.getSubject()); tspCertificateChain.add(x509converter.getCertificate(certificate)); if (certificate.getSubject().equals(certificate.getIssuer())) { break; } certificate = certificateMap.get(certificate.getIssuer()); } while (null != certificate); // verify TSP signer signature X509CertificateHolder holder = new X509CertificateHolder(tspCertificateChain.get(0).getEncoded()); DefaultCMSSignatureAlgorithmNameGenerator nameGen = new DefaultCMSSignatureAlgorithmNameGenerator(); DefaultSignatureAlgorithmIdentifierFinder sigAlgoFinder = new DefaultSignatureAlgorithmIdentifierFinder(); DefaultDigestAlgorithmIdentifierFinder hashAlgoFinder = new DefaultDigestAlgorithmIdentifierFinder(); BcDigestCalculatorProvider calculator = new BcDigestCalculatorProvider(); BcRSASignerInfoVerifierBuilder verifierBuilder = new BcRSASignerInfoVerifierBuilder(nameGen, sigAlgoFinder, hashAlgoFinder, calculator); SignerInformationVerifier verifier = verifierBuilder.build(holder); timeStampToken.validate(verifier); // verify TSP signer certificate if (signatureConfig.getTspValidator() != null) { signatureConfig.getTspValidator().validate(tspCertificateChain, revocationData); } LOG.log(POILogger.DEBUG, "time-stamp token time: " + timeStampToken.getTimeStampInfo().getGenTime()); byte[] timestamp = timeStampToken.getEncoded(); return timestamp; }
From source file:org.apache.poi.poifs.crypt.PkiTestUtils.java
License:Apache License
static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, Date notBefore, Date notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, boolean caFlag, int pathLength, String crlUri, String ocspUri, KeyUsage keyUsage) throws IOException, OperatorCreationException, CertificateException { String signatureAlgorithm = "SHA1withRSA"; X500Name issuerName;/*from w ww . j a va2 s. c o m*/ if (issuerCertificate != null) { issuerName = new X509CertificateHolder(issuerCertificate.getEncoded()).getIssuer(); } else { issuerName = new X500Name(subjectDn); } RSAPublicKey rsaPubKey = (RSAPublicKey) subjectPublicKey; RSAKeyParameters rsaSpec = new RSAKeyParameters(false, rsaPubKey.getModulus(), rsaPubKey.getPublicExponent()); SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(rsaSpec); DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build() .get(CertificateID.HASH_SHA1); X509v3CertificateBuilder certificateGenerator = new X509v3CertificateBuilder(issuerName, new BigInteger(128, new SecureRandom()), notBefore, notAfter, new X500Name(subjectDn), subjectPublicKeyInfo); X509ExtensionUtils exUtils = new X509ExtensionUtils(digestCalc); SubjectKeyIdentifier subKeyId = exUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo); AuthorityKeyIdentifier autKeyId = (issuerCertificate != null) ? exUtils.createAuthorityKeyIdentifier(new X509CertificateHolder(issuerCertificate.getEncoded())) : exUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo); certificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subKeyId); certificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, autKeyId); if (caFlag) { BasicConstraints bc; if (-1 == pathLength) { bc = new BasicConstraints(true); } else { bc = new BasicConstraints(pathLength); } certificateGenerator.addExtension(Extension.basicConstraints, false, bc); } if (null != crlUri) { int uri = GeneralName.uniformResourceIdentifier; DERIA5String crlUriDer = new DERIA5String(crlUri); GeneralName gn = new GeneralName(uri, crlUriDer); DERSequence gnDer = new DERSequence(gn); GeneralNames gns = GeneralNames.getInstance(gnDer); DistributionPointName dpn = new DistributionPointName(0, gns); DistributionPoint distp = new DistributionPoint(dpn, null, null); DERSequence distpDer = new DERSequence(distp); certificateGenerator.addExtension(Extension.cRLDistributionPoints, false, distpDer); } if (null != ocspUri) { int uri = GeneralName.uniformResourceIdentifier; GeneralName ocspName = new GeneralName(uri, ocspUri); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certificateGenerator.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess); } if (null != keyUsage) { certificateGenerator.addExtension(Extension.keyUsage, true, keyUsage); } JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm); signerBuilder.setProvider("BC"); X509CertificateHolder certHolder = certificateGenerator.build(signerBuilder.build(issuerPrivateKey)); /* * Next certificate factory trick is needed to make sure that the * certificate delivered to the caller is provided by the default * security provider instead of BouncyCastle. If we don't do this trick * we might run into trouble when trying to use the CertPath validator. */ // CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); // certificate = (X509Certificate) certificateFactory // .generateCertificate(new ByteArrayInputStream(certificate // .getEncoded())); return new JcaX509CertificateConverter().getCertificate(certHolder); }
From source file:org.apache.ranger.authorization.kafka.authorizer.KafkaRangerAuthorizerTest.java
License:Apache License
private static String createAndStoreKey(String subjectName, String issuerName, BigInteger serial, String keystorePassword, String keystoreAlias, String keyPassword, KeyStore trustStore) throws Exception { // Create KeyPair KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(2048, new SecureRandom()); KeyPair keyPair = keyPairGenerator.generateKeyPair(); Date currentDate = new Date(); Date expiryDate = new Date(currentDate.getTime() + 365L * 24L * 60L * 60L * 1000L); // Create X509Certificate X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder( new X500Name(RFC4519Style.INSTANCE, issuerName), serial, currentDate, expiryDate, new X500Name(RFC4519Style.INSTANCE, subjectName), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption") .build(keyPair.getPrivate()); X509Certificate certificate = new JcaX509CertificateConverter() .getCertificate(certBuilder.build(contentSigner)); // Store Private Key + Certificate in Keystore KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); keystore.load(null, keystorePassword.toCharArray()); keystore.setKeyEntry(keystoreAlias, keyPair.getPrivate(), keyPassword.toCharArray(), new Certificate[] { certificate }); File keystoreFile = File.createTempFile("kafkakeystore", ".jks"); keystore.store(new FileOutputStream(keystoreFile), keystorePassword.toCharArray()); // Now store the Certificate in the truststore trustStore.setCertificateEntry(keystoreAlias, certificate); return keystoreFile.getPath(); }
From source file:org.apache.ranger.authorization.kafka.authorizer.KafkaTestUtils.java
License:Apache License
public static String createAndStoreKey(String subjectName, String issuerName, BigInteger serial, String keystorePassword, String keystoreAlias, String keyPassword, KeyStore trustStore) throws Exception { // Create KeyPair KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(2048, new SecureRandom()); KeyPair keyPair = keyPairGenerator.generateKeyPair(); Date currentDate = new Date(); Date expiryDate = new Date(currentDate.getTime() + 365L * 24L * 60L * 60L * 1000L); // Create X509Certificate X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder( new X500Name(RFC4519Style.INSTANCE, issuerName), serial, currentDate, expiryDate, new X500Name(RFC4519Style.INSTANCE, subjectName), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption") .build(keyPair.getPrivate()); X509Certificate certificate = new JcaX509CertificateConverter() .getCertificate(certBuilder.build(contentSigner)); // Store Private Key + Certificate in Keystore KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); keystore.load(null, keystorePassword.toCharArray()); keystore.setKeyEntry(keystoreAlias, keyPair.getPrivate(), keyPassword.toCharArray(), new Certificate[] { certificate }); File keystoreFile = File.createTempFile("kafkakeystore", ".jks"); try (OutputStream output = new FileOutputStream(keystoreFile)) { keystore.store(output, keystorePassword.toCharArray()); }//w w w .jav a2s . c o m // Now store the Certificate in the truststore trustStore.setCertificateEntry(keystoreAlias, certificate); return keystoreFile.getPath(); }
From source file:org.apache.syncope.fit.core.SAML2ITCase.java
License:Apache License
private static void createKeystores() throws Exception { // Create KeyPair KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(1024, new SecureRandom()); KeyPair keyPair = keyPairGenerator.generateKeyPair(); Date currentDate = new Date(); Date expiryDate = new Date(currentDate.getTime() + 365L * 24L * 60L * 60L * 1000L); // Create X509Certificate String issuerName = "CN=Issuer"; String subjectName = "CN=Subject"; BigInteger serial = new BigInteger("123456"); X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder( new X500Name(RFC4519Style.INSTANCE, issuerName), serial, currentDate, expiryDate, new X500Name(RFC4519Style.INSTANCE, subjectName), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption") .build(keyPair.getPrivate()); X509Certificate certificate = new JcaX509CertificateConverter() .getCertificate(certBuilder.build(contentSigner)); // Store Private Key + Certificate in Keystore KeyStore keystore = KeyStore.getInstance("JKS"); keystore.load(null, "security".toCharArray()); keystore.setKeyEntry("subject", keyPair.getPrivate(), "security".toCharArray(), new Certificate[] { certificate }); File keystoreFile = File.createTempFile("samlkeystore", ".jks"); try (OutputStream output = Files.newOutputStream(keystoreFile.toPath())) { keystore.store(output, "security".toCharArray()); }/*from ww w . jav a 2s. co m*/ keystorePath = keystoreFile.toPath(); // Now store the Certificate in the truststore KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(null, "security".toCharArray()); trustStore.setCertificateEntry("subject", certificate); File truststoreFile = File.createTempFile("samltruststore", ".jks"); try (OutputStream output = Files.newOutputStream(truststoreFile.toPath())) { trustStore.store(output, "security".toCharArray()); } truststorePath = truststoreFile.toPath(); }
From source file:org.apache.tomee.embedded.SslTomEETest.java
License:Apache License
@Test public void test() throws Exception { final File keystore = new File("target/keystore"); { // generate keystore/trustore if (keystore.exists()) { Files.delete(keystore); }/* ww w . j a v a 2 s . c o m*/ keystore.getParentFile().mkdirs(); try (final FileOutputStream fos = new FileOutputStream(keystore)) { final KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA"); keyGenerator.initialize(1024); final KeyPair pair = keyGenerator.generateKeyPair(); final boolean addBc = Security.getProvider("BC") == null; if (addBc) { Security.addProvider(new BouncyCastleProvider()); } try { final X509v1CertificateBuilder x509v1CertificateBuilder = new JcaX509v1CertificateBuilder( new X500Name("cn=serveralias"), BigInteger.valueOf(1), new Date(System.currentTimeMillis() - TimeUnit.DAYS.toMillis(1)), new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(1)), new X500Name("cn=serveralias"), pair.getPublic()); final X509CertificateHolder certHldr = x509v1CertificateBuilder.build( new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC").build(pair.getPrivate())); final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC") .getCertificate(certHldr); final KeyStore ks = KeyStore.getInstance("JKS"); ks.load(null, "changeit".toCharArray()); ks.setKeyEntry("serveralias", pair.getPrivate(), "changeit".toCharArray(), new Certificate[] { cert }); ks.store(fos, "changeit".toCharArray()); } finally { if (addBc) { Security.removeProvider("BC"); } } } catch (final Exception e) { Assert.fail(e.getMessage()); } } final Configuration configuration = new Configuration(); configuration.setSsl(true); configuration.setKeystoreFile(keystore.getAbsolutePath()); configuration.setKeystorePass("changeit"); configuration.setKeyAlias("serveralias"); final Container container = new Container(); container.setup(configuration); container.start(); Connector[] connectors = container.getTomcat().getService().findConnectors(); for (Connector conn : connectors) { if (conn.getPort() == 8443) { Object propertyObject = conn.getProperty("keystoreFile"); assertNotNull(propertyObject); assertEquals(keystore.getAbsolutePath(), propertyObject.toString()); } } try { assertEquals(8443, ManagementFactory.getPlatformMBeanServer() .getAttribute(new ObjectName("Tomcat:type=ProtocolHandler,port=8443"), "port")); } finally { container.stop(); } // ensure it is not always started configuration.setSsl(false); container.setup(configuration); container.start(); try { assertFalse(ManagementFactory.getPlatformMBeanServer() .isRegistered(new ObjectName("Tomcat:type=ProtocolHandler,port=8443"))); } finally { container.close(); } }
From source file:org.apache.zookeeper.common.X509TestHelpers.java
License:Apache License
/** * Convenience method to convert a bouncycastle X509CertificateHolder to a java X509Certificate. * @param certHolder a bouncycastle X509CertificateHolder. * @return a java X509Certificate// www. ja v a 2s.c o m * @throws CertificateException if the conversion fails. */ public static X509Certificate toX509Cert(X509CertificateHolder certHolder) throws CertificateException { return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME) .getCertificate(certHolder); }
From source file:org.apache.zookeeper.common.ZKTrustManagerTest.java
License:Apache License
private X509Certificate[] createSelfSignedCertifcateChain(String ipAddress, String hostname) throws Exception { X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE); nameBuilder.addRDN(BCStyle.CN, "NOT_LOCALHOST"); Date notBefore = new Date(); Calendar cal = Calendar.getInstance(); cal.setTime(notBefore);//from www. j a v a 2s . c om cal.add(Calendar.YEAR, 1); Date notAfter = cal.getTime(); BigInteger serialNumber = new BigInteger(128, new Random()); X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(nameBuilder.build(), serialNumber, notBefore, notAfter, nameBuilder.build(), keyPair.getPublic()) .addExtension(Extension.basicConstraints, true, new BasicConstraints(0)) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); List<GeneralName> generalNames = new ArrayList<>(); if (ipAddress != null) { generalNames.add(new GeneralName(GeneralName.iPAddress, ipAddress)); } if (hostname != null) { generalNames.add(new GeneralName(GeneralName.dNSName, hostname)); } if (!generalNames.isEmpty()) { certificateBuilder.addExtension(Extension.subjectAlternativeName, true, new GeneralNames(generalNames.toArray(new GeneralName[] {}))); } ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption") .build(keyPair.getPrivate()); return new X509Certificate[] { new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(contentSigner)) }; }