Package com.ibm.security.certclient.util
This package can create a self-signed certificate with no extensions or with the requested extensions. The self-signed certificate and private key can be saved in the supplied key store. If a keyPair value is not supplied, a keyPair is created with the self-signed certificate generation request.
Creating a self-signed certificate with the supplied extensions.
In the following example, the keyPair is created for
you.
// Create a self-signed certificate with the requested extensions.
int keysize = 192; //size of key. Use -1 for PQC algorithms which will be ignored
String keyType = "EC" // Valid key types are: RSA, DSA, EC, EdDSA,
// ML-DSA-44, ML-DSA-65, ML-DSA-87. Not used if keyPair is provided.
String signatureAlgorithm = "SHA256withECDSA"; // signature algorithm
int validDays = 365; // period of certificate validity
Date notBefore = null; // Date that this certificate validity begins.
// Must be no greater than 3 days prior to the issuing UTC time. If null,
// current Date will be used.
boolean useSSKid = true; // if true use short form of
// Subject Key Identifier
// else use long form
String subjectDN = "cn=test,o=Tivoli,c=US";
// Distinguished name which will
// be used for both the subject
// and issuer of this certificate
String[] acceptableUse = {"digital_signature", "non_repudiation",
"key_encipherment",
"data_encipherment", "encipher_only", "decipher_only" };
String[] acceptableExtUse = {"ServerAuth_Id", "ClientAuth_Id",
"CodeSigning_Id", "EmailProtection_Id",
"IPSecEndSystem_Id", "IPSecTunnel_Id",
"IPSecUser_Id", "TimeStamping_Id" };
String[] acceptableSan = { "newUser@us.ibm.com", "www.ibm.com",
"http://www.tivoli.com/index", "192.100.123.251" };
List<String> san = Arrays.asList(acceptableSan); // (optional) list of
// subject alternate
// names. Specify null
// to indicate
//no value is being
// specified.
List<String> kuse = Arrays.asList(acceptableUse); // (optional) list of
// Key Usage
// strings.
List<String> extkuse = Arrays.asList(acceptableExtUse);//(optional) list
// of Extended Key
// Usage strings.
String provider = "IBMJCEPlus"; // name of the crypto provider to be used. EdDSA and PQC algorithms are available only with IBMJCEPlus. Can be null.
KeyPair keyPair = null; // keypair to use for private/public keys
// if null, keypair will be generated
boolean isCA = true; // true - create this certificate as a CA with basic constraints
// false - create this certificate as an end-user without basic constraints
// Create the self-signed certificate with requested extensions
PkSsCertificate sscert = PkSsCertFactory.newSsCert(
keysize,
keyType,
signatureAlgorithm,
subjectDN,
validDays,
notBefore,
useSSKid,
san,
kuse,
extkuse,
provider,
keyPair,
isCA);
PrivateKey key = sscert.getKey(); // Extract the private key for the
// self-signed certificate
PublicKey publicKey = sscert.getPublicKey(); // Extract the public key
X509Certificate cert = sscert.getCertificate(); // Extract the self-signed
// certificate
// Create keystore
KeyStore store = KeyStore.getInstance("JKS");
store.load(null, PASSWORD.toCharArray());
// Save this self-signed certificate along with the private key
// in the keystore
sscert.setToKeySTore("alias", "ksPassword", keystore);Creating an X509Certificate from a PKCS10 certificate request by using the Pk10CertFactory.newCert( ) method
// Use the Key Cert Management class "PkEeReqFactory" to create
// a CertificateRequestTransaction from which a PKCS10 certificate request
// can be obtained.
PkEeCertReqTransaction crt = null;
try {
crt = PkEeCertReqFactory.newCertRequest(
keysize, // Size of key.
// Not used if a keyPair is provided.
subject, // The Relative DN for the subject.
// Prepended to the value of "dn" to create the subject DN.
validDays, // Period of certificate validity.
keyType // valid key types are: RSA, DSA, EC, EdDSA, ML-DSA-44, ML-DSA-65, ML-DSA-87
signatureAlgorithm, // signature algorithm
useShortSubjectKeyId, // If true use short form of Subject Key Id
san, // List of subject alternate names.
kuse, // List of Key Usage strings.
extkuse, // List of Extended Key Usage strings.
iafile, // initial authorisation file
revPwd, // password to be used when revoking this certificate
dn, // domain name for certificate request.
);
} catch (Exception ex) {
System.out.println("Exception thrown while creating PkEeCertReqTransaction.");
}
// Lift the PKCS10 certificate request from the CertificateRequestTransaction object
byte[] derPKCS10 = null;
try {
derPKCS10 = crt.getPKCS10CertReq();
} catch (Exception ex) {
System.out.println("Exception thrown while obtaining PKCS10 request.");
}
CertificationRequest cr = null;
try {
// Create a CertificationRequest object
cr = new CertificationRequest(derPKCS10);
// Write the BASE64 encoded PKCS10 request to a file
cr.writeBASE64(PKCS10CertificateRequestFile);
} catch (Exception ex) {
System.out.println("Exception thrown while writing PKCS10 request to file.");
}
Pk10Certificate myPk10Certificate = null;
X509Certificate myX509Certificate = null;
try {
// Create the certificate from the certificate request
Date notBeforeDate = Date();
myPk10Certificate = Pk10CertFactory.newCert(PKCS10CertificateRequestFile,
(Date)notBeforeDate,
365,
(X509Certificate)signersCert,
(PrivateKey)signersPrivateKey);
// Obtain the X509Certificate created from the Pk10Certificate object
myX509Certificate = myPk10Certificate.getCertificate();
}
catch (PkRejectionException e)
{
System.out.println("Exception thrown while creating certificate.");
}Signing a certificate by using Post-Quantum Cryptography (PQC) algorithm ML-DSA-65, where the certificate contains ML-KEM-512 public key
// Create certificate extension lists
List<String> keyUsage = Arrays.asList(
"digital_signature", "non_repudiation", "key_encipherment", "data_encipherment"
);
List<String> extKeyUsage = Arrays.asList(
"ServerAuth_Id", "ClientAuth_Id", "EmailProtection_Id"
);
List<String> subjectAltNames = Arrays.asList(
"user@example.com", "www.example.com"
);
// Step 1: Generate ML-DSA-65 key pair for CA certificate
KeyPairGenerator caKeyPairGen = KeyPairGenerator.getInstance("ML-DSA-65", "IBMJCEPlus");
KeyPair caKeyPair = caKeyPairGen.generateKeyPair();
// Step 2: Create self-signed CA certificate using ML-DSA-65
PkSsCertificate caCert = PkSsCertFactory.newSsCert(
-1, // Key size (ignored for PQC)
"CN=PQC Sample CA, O=IBM, C=US", // Subject DN
365, // Validity period in days
null, // Date that this certificate validity begins
false, // Use RSA (ignored for PQC)
true, // Use short form of Subject Key Id else use long form
subjectAltNames, // Subject Alternative Names
keyUsage, // Key Usage
extKeyUsage, // Extended Key Usage
"IBMJCEPlus", // Provider
caKeyPair, // Key pair
true // Is CA
);
// Step 3: Generate ML-KEM-512 key pair for end-entity certificate
KeyPairGenerator endEntityKeyPairGen = KeyPairGenerator.getInstance("ML-KEM-512", "IBMJCEPlus");
KeyPair endEntityKeyPair = endEntityKeyPairGen.generateKeyPair();
// Step 4: Get CA certificate and private key for signing
X509Certificate[] caChain = new X509Certificate[1];
caChain[0] = caCert.getCertificate();
PrivateKey caPrivateKey = caCert.getKey();
// Step 5: Create end-entity certificate signed by CA
PkNewCertificate endEntityCert = PkNewCertFactory.newCert(
-1, // Key size (ignored for PQC)
"CN=PQC Sample End Entity, O=IBM, C=US", // Subject DN
365, // Validity period in days
null, // Date that this certificate validity begins
true, // Use short form of Subject Key Id else use long form
subjectAltNames, // Subject Alternative Names
keyUsage, // Key Usage
extKeyUsage, // Extended Key Usage
"IBMJCEPlus", // Provider
endEntityKeyPair, // Key pair
caChain, // CA certificate chain
caPrivateKey // CA private key
);