How to generate a self-signed certificate using only JDK supported classes?

Question

I have a program in Java which currently uses private JDK classes (CertAndKeyGen and X500Name) to generate self-signed X.509 certificates. There are too many problems with this approach:

  • The internal package keeps changing:
    • "sun.security.x509.CertAndKeyGen", // Oracle/Sun/OpenJDK 6,7
    • "sun.security.tools.keytool.CertAndKeyGen", // Oracle/Sun/OpenJDK 8
    • "com.ibm.security.x509.CertAndKeyGen", // IBM SDK 7
    • "com.ibm.security.tools.CertAndKeyGen" // IBM SDK 8
    • Apparently a JDK 7 update (u111?) has recently changed the package listed above

I would like to convert this code to use standard, supported JDK classes.

I have looked at using the ill-named CertificateFactory.generateCertificate() methods, but no luck: they cannot generate any certificate, they are just able to load an existing one.

     

Does anybody know a standard JDK API that can generate a self-signed certificate?

     

This is as far as I could get:

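    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.PrivateKey;
    import java.security.SecureRandom;
    import java.security.cert.CertificateFactory;
    import javax.security.auth.x500.X500Principal;

    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
    // Seed key generation from the platform's default SecureRandom
    generator.initialize(2048, new SecureRandom());
    KeyPair keyPair = generator.generateKeyPair();
    PrivateKey privatekey = keyPair.getPrivate();

    // dn is the subject distinguished name string
    X500Principal principal = new X500Principal(dn);

    CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
    // How to generate the self-signed certificate from there?
    // certFactory.generateCertificate(inputStream) // only able to load an existing certificate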
    

     

Notes:

  • If possible, we do not want to introduce a dependency on bouncy-castle
    • I already know about X509V3CertificateGenerator

Recommended answer

Ok, then I guess it does not exist.

The RFE I submitted to the JDK has been accepted and there is now an official bug for it: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8165481
