引入 API
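<!-- Core provider: the JCA provider plus the ASN.1/X.509 classes used in the CSR
     example (GeneralName, GeneralNames, Extension, ExtensionsGenerator). -->
<!-- NOTE(review): 1.64 is an old release and the *-jdk15on artifacts stopped at 1.70
     (the line continues as *-jdk18on). Check the pinned version against the current
     Bouncy Castle security advisories and prefer a maintained release. -->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.64</version>
</dependency>
<!-- The PKCS#10 and operator classes used in the CSR example (JcaContentSignerBuilder,
     JcaPKCS10CertificationRequestBuilder, PKCS10CertificationRequestBuilder) are
     packaged in bcpkix, not bcprov. Keep both artifacts on the same version. -->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<version>1.64</version>
</dependency>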
创建 CSR
CSR,即证书请求文件(Certificate Signing Request)。生成 X509 数字证书前,一般先由用户提交证书请求文件(CSR),然后由 CA 来签发证书。CSR 中包含申请者的主体信息和公钥,并由申请者用对应的私钥签名;私钥本身不包含在 CSR 中,应始终由申请者自行保管。
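// Generate the applicant's RSA-2048 key pair. Only the public key goes into the CSR;
// the private key is used below to sign the request and must stay with the applicant.
KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
gen.initialize(2048);
KeyPair pair = gen.generateKeyPair();
PrivateKey privateKey = pair.getPrivate();
PublicKey publicKey = pair.getPublic();
// Build the CSR: subject DN and public key, to be signed with the matching private key
// using SHA256withRSA.
X500Principal subject = new X500Principal("C=CName, ST=STName, L=LName, O=OName, OU=OUName, CN=CNName, EMAILADDRESS=Name@gmail.com");
ContentSigner signGen = new JcaContentSignerBuilder("SHA256withRSA").build(privateKey);
PKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(subject, publicKey);
// Add the Subject Alternative Name (SAN) extension, marked non-critical.
// Each entry's tag has to match the kind of value it carries: an IP address is an
// iPAddress entry and a mailbox is an rfc822Name entry holding the bare address.
// A prefixed string such as "ip=6.6.6.6" stored as rfc822Name is neither a usable IP SAN
// nor a valid e-mail SAN, because relying parties compare an IP only against iPAddress
// entries and a mailbox only against rfc822Name entries.
// NOTE(review): the issuing CA should validate the requested SAN values against what the
// applicant is entitled to, rather than copying them from the CSR unchecked.
ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
GeneralNames generalNames = new GeneralNames(new GeneralName[]{
    new GeneralName(GeneralName.iPAddress, "6.6.6.6"),
    new GeneralName(GeneralName.rfc822Name, "666@gmail.com")});
extensionsGenerator.addExtension(Extension.subjectAlternativeName, false, generalNames);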
builder.