Package com.ibm.security.certclient
This package provides the classes for certificate request transactions. A certificate request can be requested and sent to a Certificate Authority (CA) via the Certificate Management Protocol (CMP), and the CA signed certificate is returned. A certificate request can be requested and the DER encoded PKCS10 form of the PKCS10 request is returned. The PKCS10 request can be sent to the CA via CMP or sent to the CA in a different way, such as email. Finally, a request can be made to revoke a signed certificate from a CA.
Creating a PKCS10 request.
In this example, a KeyPair is not specified and the
KeyPair is automatically created.
// Create a PKCS10 request.
PkEeFactory.setCA_DN("o=IBM,c=US"); // It will be appended to the
// Subject value in
// the newCertRequest to create
// the SubjectDN.
String subject = "cn=Test Group";
// Initialize a certificate request with the following defaults:
// keysize of 1024,
// valid for 365 days, RSA key with SHA1withRSA signature algorithm,
// Use the RFC 3280 Long form to create the Subject Key Identifier and
// create with no Subject Alternate Name, Key Usage or Extended Key Usage.
PkEeCertReqTransaction crt = PkEeCertReqFactory.newCertRequest
(subject, null, null, null);
// Initialize certificate request.
byte[] pkcs10req = crt.getPKCS10Req(); // Create DER encoded PKCS10 form
// of the certificate request from
// the parameters provided.
// Get the KeyPair which was used to create this PKCS10 reqest
KeyPair keypair = crt.getKeyPair();Producing a certificate transaction request, sending the request, and receiving a signed certificate
This request uses an existing PKCS#10 base64 formatted request. The request is sent to the CA for
signing and the signed certificate is
returned.
// Initialize a certificate request using an already
// created PKCS#10 request.
// Initialize the information required in order to access the CA
// Server which is to sign the certificate request.
PkEeFactory.setCaDn("example.com"); // Set the DN of the
// CA host.
// Default is "localhost".
PkEeFactory.setCaPort(1077); // Set the port to be used for
// communication with the
// CA. Default is 1077
PkEeFactory.setProvider("IBMJCE"); // Sets the Java Security
// provider. Defaults to "IBMJCE".
// certFile is the pathname of the file containing the certificate request
// in BASE64 format
// iaFile is the initial authorization file containing the reference
// number passphrase on consecutive lines
// revocation-password is the password which will be used if this
// certificate ever needs to be revoked in the future.
PkEeReqTransaction crt = PkEeCertReq10Factory.newCertRequestPKCS10
(certFile, iaFile, revocation-password);
// Send the request to the CA via CMP for processing
crt.actionRequest();
// Get the signed certificate which was returned from the CA
X509Certificate cert = crt.getSignedCert();Initializing and sending a certificate request transaction to the CA for signing
After sending the certificate request, this example receives the signed certificate and saves it
in the keystore provided. The certificate can be created with or without extensions. The extensions
can be supplied when the certificate request is initially created or any time before the certificate
is sent to the CA for signing. If you do not supply a private keyPair, a
keyPair is created. The signed certificate and the private key can be saved in
the keyStore
provided.
// Initialize a certificate request to the CA for signing.
// Initialize communication information for the CA Server to sign
// the certificate request, the keystore name and password and
// the name of Java Security provider which should be
// used.
PkEeFactory.setCaDn("example.com");// Set DN of CA host.
// Default is "localhost".
PkEeFactory.setCaPort(1077); // Set the port to be used for
// communication with the
// CA. Default is 1077
PkEeFactory.setCA_DN("o=IBM,c=US"); // It will be appended to the
// Subject value in
// the newCertRequest to create
// the SubjectDN.
PkEeFactory.setKeyStoreFilename("eeStore"); // The name of the keystore
// to be used
// when the signed certificate is
// saved into the keystore. Default
// is "eeStore". If the keystore does not
// exist, it will be created.
PkEeFactory.setKeyStorePwd("password".toCharArray());
// The KeyStore password. No Default.
PkEeFactory.setKeyStoreType("jks"); // The KeyStore type.
// Defaults to "jks".
PkEeFactory.setProvider("IBMJCE"); // Sets the Java Security
// provider. Defaults
// to "IBMJCE".
int keysize = 1024; // size of key
String subject = "CN=Test Group"; // relative DN for the subject.
// It will be
// prepended to the value of dn
// to create
// the Subject DN.
int validDays = 365; // period of certificate
// validity
String keyType="RSA"; // RSA key
String sigAlg = "SHA1withRSA" // signature algorithm
boolean useSSKid = true; // if true use short form of
// Subject Key Identifier
// else use long form
String dn = "o=IBM,c=US"; // Domain name to be used
// in certificate prepended to
// the value of subject. If
// null, PkEeFactory CA_DN will
// be used.
String[] acceptableUse = {"digital_signature", "non_repudiation",
"key_encipherment",
"data_encipherment", "encipher_only", "decipher_only" };
String[] acceptableExtUse = {"ServerAuth_Id", "ClientAuth_Id",
"CodeSigning_Id",
"EmailProtection_Id",
"IPSecEndSystem_Id", "IPSecTunnel_Id","IPSecUser_Id",
"TimeStamping_Id" };
String[] acceptableSan = { "newUser@us.ibm.com", "www.ibm.com",
"http://www.tivoli.com/index", "192.100.123.251" };
List<String> san = Arrays.asList(acceptableSan); // (optional) list of
// subject alternate
// names. Specify null
// to indicate
// no value is being
// specified.
List<String> kuse = Arrays.asList(acceptableUse); // (optional) list of
// Key Usage
// strings.
List<String> extkuse = Arrays.asList(acceptableExtUse); // (optional)
// list of Extended Key
// Usage strings.
String provider = "IBMJCE"; // name of the crypto
// provider to be used
// Create the certificate request with the requested extensions.
// The keypair will be created for you.
//
// iaFile is the initial authorization file containing the
// reference number and passphrase on consecutive lines
// revocation-password is the password to be used when revoking
// this certificate after it has been signed.
PkEeCertReqTransaction crt = PkEeCertReqFactory.newCertRequest
(keysize, subject, validDays,
keyType, sigAlg, useSSKid, san, kuse, extkuse, iaFile,
revocation-password, dn);
// Send the request to the CA via CMP for processing
crt.actionRequest();
// Get the signed certificate which was returned from the CA
X509Certificate cert = crt.getSignedCert();
// Get the private key which was created
PrivateKey key = crt.getKey();
// Get the public key which was created
PublicKey publicKey = crt.getPublicKey();
// Save the signed certificate along with the private key in the keystore.
// The keystore to be used is specified by PkEeFactory. The password to
// be used to open the keystore is specified by PkEeFactory too. The
// password specified when storing the entry is the password for the
// private key entry. It may be the same as the password for opening
// the keystore specified by PkEeFactory.setKeyStorePwd.
crt.storeNewEntry("alias", "keypwd");Revoking a signed certificate and sending the certificate revocation request to the CA
The certificate that is being revoked must be in EE's
keystore.
// Revoke a signed certificate
// Initialize communication information for the CA Server which will
// revoke the certificate request, also
// the Keystore name and password and name of Java Security provider which
// should be used.
PkEeFactory.setCaDn("example.com");// Set DN of CA host.
// Default is "localhost".
PkEeFactory.setCaPort(1077); // Set the port to be used for
// communication with the
// CA. Default is 1077
PkEeFactory.setKeyStoreFileName("eeStore"); // The name of the keystore
// which contains
// the certificate which is
// to be revoked.
// Default is "eeStore".
PkEeFactory.setKeyStorePwd("password".toCharArray()); // KeyStore password.
// No Default.
PkEeFactory.setKeyStoreType("jks"); // The KeyStore type.
// Defaults to "jks".
PkEeFactory.setProvider("IBMJCE"); // Sets the Java Security
// provider. Defaults
// to "IBMJCE".
// certAlias is the alias of the certificate being revoked. The EE
// keystore to be used is defined by PkEeFactory.
// certPwd is the password for the key in the KeyStore being revoked.
// revocation-reason is the reason for this revocation. The reason must
// be one of the following:
// "unspecified", "key compromise", "ca compromise",
// "affiliation changed",
// "superseded", "cessation of operation",
// "certificate hold" and "remove from crl".
// revocation-password is the password to revoke this certificate.
// This was the password supplied when
// the certificate request was requested.
PkEeTransaction revoke = PkEeRevokeFactory.newRevoke(certAlias, certPwd,
revocation-reason, revocation-password);
// Send the certificate revocation request to the CA via CMP for
// processing
revoke.actionRequest();