This package can create a self-signed certificate with no extensions or with the requested extensions. The self-signed certificate and private key can be saved in the supplied key store. If a keyPair value is not supplied, a keyPair is created with the self-signed certificate generation request.

Creating a self-signed certificate with the supplied extensions.

In the following example, the keyPair is created for you.
// Create a self-signed certificate with the requested extensions.
int keysize = 192;                      // size of key
String keyType = "EC"                   // Valid key types are: RSA,DSA,EC. Not used if keyPair is provided.
String signatureAlgorithm = "SHA256withECDSA";   // signature algorithm
int validDays = 365;                    // period of certificate validity
Date notBefore = null;                  // Date that this certificate validity begins.
                                        // Must be no greater  than 3 days prior to the issuing UTC time. If null, 
                                        // current Date will be used.
boolean useSSKid = true;                // if true use short form of
                                        // Subject Key Identifier
                                        // else use long form
String subjectDN = "cn=test,o=Tivoli,c=US";
                                        // Distinguished name which will
                                        // be used for both the subject
                                        // and issuer of this certificate

String[] acceptableUse = {"digital_signature", "non_repudiation",
    "data_encipherment", "encipher_only", "decipher_only" };
String[] acceptableExtUse = {"ServerAuth_Id", "ClientAuth_Id",
    "CodeSigning_Id", "EmailProtection_Id",
    "IPSecEndSystem_Id", "IPSecTunnel_Id",
    "IPSecUser_Id", "TimeStamping_Id" };
String[] acceptableSan = { "", "",
    "", "" };

List<String> san = Arrays.asList(acceptableSan);   // (optional) list of
                                                   // subject alternate
                                                   // names.  Specify null
                                                   // to indicate
                                                   //no value is being
                                                   //  specified.
List<String> kuse = Arrays.asList(acceptableUse);  // (optional) list of
                                                   // Key Usage
                                                   // strings.
List<String> extkuse = Arrays.asList(acceptableExtUse);//(optional) list
                                                   // of Extended Key
                                                   // Usage strings.
String provider = "IBMJCE";                        // name of the crypto
                                                   // provider to be used
KeyPair keyPair = null;                            // keypair to use for private/public keys
                                                   // if null, keypair will be generated

boolean isCA =  true;                              // true - create this certificate as a CA with basic constraints
                                                   // false - create this certificate as an end-user without basic constraints

// Create the self-signed certificate with requested extensions
PkSsCertificate sscert = PkSsCertFactory.newSsCert(

PrivateKey key = sscert.getKey();   // Extract the private key for the
                                    // self-signed certificate
PublicKey publicKey = sscert.getPublicKey();  // Extract the public key
X509Certificate cert = sscert.getCertificate();  // Extract the self-signed
                                                 // certificate

// Create keystore
KeyStore store = KeyStore.getInstance("JKS");
store.load(null, PASSWORD.toCharArray());

// Save this self-signed certificate along with the private key
// in the keystore           
sscert.setToKeySTore("alias", "ksPassword", keystore);

Creating an X509Certificate from a PKCS10 certificate request by using the Pk10CertFactory.newCert( ) method

// Use the Key Cert Management class "PkEeReqFactory" to create
// a CertificateRequestTransaction from which a PKCS10 certificate request
// can be obtained.
PkEeCertReqTransaction crt = null;
try {
    crt = PkEeCertReqFactory.newCertRequest(
             keysize,    // Size of key.
                         // Not used if a keyPair is provided.
             subject,    // The Relative DN for the subject.
                         // Prepended to the value of "dn" to create the subject DN.
             validDays,  // Period of certificate validity.
             keyType     // valid key types are: RSA/DSA/EC
             signatureAlgorithm, // signature algorithm
             useShortSubjectKeyId,   // If true use short form of Subject Key Id
             san,        // List of subject alternate names.
             kuse,       // List of Key Usage strings.
             extkuse,    // List of Extended Key Usage strings.
             iafile,     // initial authorisation file
             revPwd,     // password to be used when revoking this certificate
             dn,         // domain name for certificate request.

} catch (Exception ex) {
    System.out.println("Exception thrown while creating PkEeCertReqTransaction.");

// Lift the PKCS10 certificate request from the CertificateRequestTransaction object
byte[] derPKCS10 = null;
try {
    derPKCS10 = crt.getPKCS10CertReq();
} catch (Exception ex) {
    System.out.println("Exception thrown while obtaining PKCS10 request.");

CertificationRequest cr = null;
try {
    // Create a CertificationRequest object
    cr = new CertificationRequest(derPKCS10);
    // Write the BASE64 encoded PKCS10 request to a file

} catch (Exception ex) {
    System.out.println("Exception thrown while writing PKCS10 request to file.");

Pk10Certificate myPk10Certificate = null;
X509Certificate myX509Certificate = null;
try {
    // Create the certificate from the certificate request
    Date notBeforeDate = Date();
    myPk10Certificate = Pk10CertFactory.newCert(PKCS10CertificateRequestFile,
    // Obtain the X509Certificate created from the Pk10Certificate object
    myX509Certificate = myPk10Certificate.getCertificate();
catch (PkRejectionException e)
    System.out.println("Exception thrown while creating certificate.");