使用bouncycastle库来制作证书(包括一个自签名证书和为他人签发证书)。
<dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcpkix-jdk15on</artifactId> <version>1.54</version> </dependency>
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Enumeration;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
public class CertMakeDemo {
public static void main(String[] args) throws Exception {
X500Name subject = new X500Name("CN=root, O=root, OU=root");
KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
gen.initialize(1024);
KeyPair pair = gen.generateKeyPair();
X509Certificate certificate = signerSelf(subject, pair);
System.out.println("证书:" + certificate);
KeyStore pkcs12 = KeyStore.getInstance("PKCS12");
pkcs12.load(null, null);
pkcs12.setKeyEntry("root", pair.getPrivate(), "123456".toCharArray(), new Certificate[] { certificate });
for (Enumeration<String> e = pkcs12.aliases(); e.hasMoreElements();) {
String alias = e.nextElement();
System.out.println(pkcs12.getCertificateChain(alias));
System.out.println(pkcs12.getKey(alias, "123456".toCharArray()));
}
OutputStream out = new FileOutputStream("f:/temp/root.pfx");
pkcs12.store(out, "123456".toCharArray());
out.close();
//root为张三签发证书
X500Name zsSubject = new X500Name("CN=张三, O=张三, OU=张三");
gen = KeyPairGenerator.getInstance("RSA");
gen.initialize(1024);
KeyPair zsKeypair = gen.generateKeyPair();
X509Certificate zsCertificate = signer(zsSubject, zsKeypair.getPublic(), certificate, pair.getPrivate());
System.out.println("张三证书:" + zsCertificate);
out = new FileOutputStream("f:/temp/zhangsan.cer");
out.write(zsCertificate.getEncoded());
out.close();
}
public static X509Certificate signer(X500Name subject, PublicKey subjectPublicKey,//
X509Certificate issuerCert, PrivateKey issuerPrivateKey) throws Exception {
X500Name issuer = X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded());
String signatureAlgorithm = issuerCert.getSigAlgName();
return signer(subject, subjectPublicKey, issuer, issuerPrivateKey, signatureAlgorithm);
}
public static X509Certificate signerSelf(X500Name subject, KeyPair pair) throws Exception {
String signatureAlgorithm = "SHA1With" + pair.getPrivate().getAlgorithm();
return signer(subject, pair.getPublic(), subject, pair.getPrivate(), signatureAlgorithm);
}
public static X509Certificate signer(X500Name subject, PublicKey subjectPublicKey,//
X500Name issuer, PrivateKey issuerPrivateKey, String signatureAlgorithm) throws Exception {
BigInteger sn = new BigInteger(new SimpleDateFormat("yyyyMMdd").format(new Date()));
Date notBefore = new Date();
Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded());
ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(issuerPrivateKey);
X509v3CertificateBuilder builder = new X509v3CertificateBuilder(//
issuer, sn, notBefore, notAfter, subject, publicKeyInfo);
byte[] certBytes = builder.build(signer).getEncoded();
X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X509")//
.generateCertificate(new ByteArrayInputStream(certBytes));
return certificate;
}
}