如何使用给定的私钥通过ca证书签署最终实体证书 [英] how to sign an end entity certeficate by a ca cert using a given private key
问题描述
我已经用java(使用充气城堡库)编码了我的CA证书。现在我想用给定的私钥签署最终实体证书。
这是我的代码:
I have coded in java (using bouncy castle library)my CA certificate. and now I want to sign an end entity certificate with a given private key. here is my code :
X500Principal dnNameIssuer = new X500Principal("CN=\"" + hashedValue + " CA\", OU=PKI, O=\"" + hashedValue + ", Inc\", L=Darmstadt, ST=Hessen, C=DE");
X500Principal dnNameSubject = dnName;
serialNumber = new BigInteger("123127956789") ;
keyus = new KeyUsage(KeyUsage.digitalSignature);
ContentSigner signer = new JcaContentSignerBuilder("SHA512withECDSA").build(myprivateKey);
Date D1 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
Date D2 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
AuthorityKeyIdentifier AKI = new AuthorityKeyIdentifier(keyBytesPublic);
X509v3CertificateBuilder certBldr = new JcaX509v3CertificateBuilder(certroot,serialNumber, D1, D2, dnName, mypublicKey);
certBldr.addExtension(X509Extension.authorityKeyIdentifier, true, AKI);
certBldr.addExtension(X509Extension.subjectAlternativeName, false,new GeneralNames(new GeneralName(GeneralName.rfc822Name,"PNeODZ3wV5m2UXmJiovxdwPKZdCkB87ESsk7H8vTZKU=")));
certBldr.addExtension(X509Extensions.KeyUsage, true, keyus);
certBldr.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), false, new BasicConstraints(false));
// Build/sign the certificate.
X509CertificateHolder certHolder = certBldr.build(signer);
X509Certificate Endcert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder);
`
我遇到了错误在此处输入图片描述
能帮帮我吗。或者,当有人通过CA证书用另一种方式签署最终实体证书时,这对我来说很高兴。
Can you help me. Or when someone have another way to sign an end entity certificate by a CA certificate that will be a pleasure for me.
谢谢
推荐答案
该错误是由于无法解决的依赖性引起的。您需要与此类似的东西
The error is due to an unresolved dependency. You need something similar to this
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<version>1.49</version>
</dependency>
您的代码中有一些错误
X500Principal dnNameIssuer = new X500Principal("CN=\"" + hashedValue + " CA\", OU=PKI, O=\"" + hashedValue + ", Inc\", L=Darmstadt, ST=Hessen, C=DE");
避免创建字符串。使用从X509中提取的ca证书颁发者名称
Avoid creating strings. Use the ca certificate issuer name extracted from X509
X509Certificate cacert =...
X500Name issuer = X500Name.getInstance(cacert.getSubjectX500Principal().getEncoded());
此日期为过去
Date D1 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
Date D2 = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
创建与此类似的内容(+1天)
Create something similar to this (+ 1 day)
Date D1 = new Date();
Date D2 = new Date(System.currentTimeMillis() + VALIDITY_PERIOD);
在keyUsage中添加keyEncipherment也很常见
It's also common to add keyEncipherment to keyUsage
keyus = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment);
并使用cacert创建AuthorityKeyIdentifier
And also create authorityKeyIdentifier with cacert
X509ExtensionUtils extUtils = new X509ExtensionUtils(
new SHA1DigestCalculator());
certBldr.addExtension(Extension.authorityKeyIdentifier, false,
extUtils.createAuthorityKeyIdentifier(caCert))
您在项目ejbca中有一个完整的CA示例。 此是您需要的类。
You have a full example of CA in project ejbca. This is the class you need.
这也是创建最终实体证书的完整示例(摘录自此处)
Also here is a full example to create e final entity cert (extracted from here)
public static X509CertificateHolder buildEndEntityCert(X500Name subject,
AsymmetricKeyParameter entityKey, AsymmetricKeyParameter caKey,
X509CertificateHolder caCert, String ufn) throws Exception
{
SubjectPublicKeyInfo entityKeyInfo = SubjectPublicKeyInfoFactory.
createSubjectPublicKeyInfo(entityKey);
if(subject==null)
subject = new X500Name("CN = BETaaS Gateway Certificate");
X509v3CertificateBuilder certBldr = new X509v3CertificateBuilder(
caCert.getSubject(),
BigInteger.valueOf(1),
new Date(System.currentTimeMillis()),
new Date(System.currentTimeMillis() + VALIDITY_PERIOD),
subject,
entityKeyInfo);
X509ExtensionUtils extUtils = new X509ExtensionUtils(
new SHA1DigestCalculator());
certBldr.addExtension(Extension.authorityKeyIdentifier, false,
extUtils.createAuthorityKeyIdentifier(caCert))
.addExtension(Extension.subjectKeyIdentifier, false,
extUtils.createSubjectKeyIdentifier(entityKeyInfo))
.addExtension(Extension.basicConstraints, true,
new BasicConstraints(false))
.addExtension(Extension.keyUsage, true, new KeyUsage(
KeyUsage.digitalSignature | KeyUsage.keyEncipherment))
.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(
new GeneralName(GeneralName.rfc822Name, ufn)));
AlgorithmIdentifier sigAlg = algFinder.find(ALG_NAME);
AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg);
ContentSigner signer = new BcECDSAContentSignerBuilder(sigAlg, digAlg).build(caKey);
return certBldr.build(signer);
}
这篇关于如何使用给定的私钥通过ca证书签署最终实体证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!