com.ibm.security.certclient.util

Class PkNewCertFactory



  • public final class PkNewCertFactory
    extends Object
    Generates a certificate signed with a specified signing certificate.
    • Method Detail

      • newCert

        public static PkNewCertificate newCert(String subjectDN,
                                               X509Certificate[] signing_cert_chain,
                                               PrivateKey signing_cert_private_key)
                                        throws com.ibm.security.certclient.base.PkRejectionException
        Simplest way to generate a personal certificate signed by a signing certificate. Uses all default values:
        • version = 3
        • keysize = 1024
        • validity period = 365 days from current date
        • subjectKeyId version = long
        • provider = IBMJCE
        Parameters:
        subjectDN - Distinguished name which will be the subject for this certificate
        signing_cert_chain - X509Certificate signing chain
        signing_cert_private_key - Private key to sign personal certificate which is being created
        Returns:
        a PkNewCertificate type object that implements a personal certificate with the provided attributes, signed by the specified signing certificate
        Throws:
        com.ibm.security.certclient.base.PkRejectionException
      • newCert

        public static PkNewCertificate newCert(int keySize,
                                               String subjectDN,
                                               int numValidDays,
                                               Date notBefore,
                                               boolean useShortSubjectKId,
                                               String provider,
                                               X509Certificate[] signing_cert_chain,
                                               PrivateKey signing_cert_private_key)
                                        throws com.ibm.security.certclient.base.PkRejectionException
        Create a personal certificate without any supplied extensions
        Parameters:
        keySize - size of key.
        subjectDN - Distinguished name which will be the subject for this certificate
        numValidDays - period of certificate validity. Will be measured from notBefore date.
        notBefore - Date on which this certificate's validity begins. Must be no greater than 3 days prior to the issuing UTC time. If null, current Date will be used.
        useShortSubjectKId - if true use short form of Subject Key Id else use long form
        provider - name of crypto provider
        signing_cert_chain - X509Certificate signing chain
        signing_cert_private_key - Private key to sign personal certificate which is being created
        Returns:
        a PkNewCertificate type object that implements a personal certificate with the provided attributes, signed by the specified signing certificate
        Throws:
        com.ibm.security.certclient.base.PkRejectionException
      • newCert

        public static PkNewCertificate newCert(int keySize,
                                               String subjectDN,
                                               int numValidDays,
                                               Date notBefore,
                                               boolean useShortSubjectKId,
                                               String provider,
                                               KeyPair keyPair,
                                               X509Certificate[] signing_cert_chain,
                                               PrivateKey signing_cert_private_key)
                                        throws com.ibm.security.certclient.base.PkRejectionException
        Create a personal certificate without any supplied extensions
        Parameters:
        keySize - size of key. Not used if keyPair is provided.
        subjectDN - Distinguished name which will be both subject and issuer for this certificate
        numValidDays - period of certificate validity. Will be measured from notBefore date.
        notBefore - Date on which this certificate's validity begins. Must be no greater than 3 days prior to the issuing UTC time. If null, current Date will be used.
        useShortSubjectKId - if true use short form of Subject Key Id else use long form
        provider - name of crypto provider
        keyPair - keypair to use for private/public key
        signing_cert_chain - X509Certificate signing chain
        signing_cert_private_key - Private key to sign personal certificate which is being created
        Returns:
        a PkNewCertificate type object that implements a personal certificate with the provided attributes, signed by the specified signing certificate
        Throws:
        com.ibm.security.certclient.base.PkRejectionException
      • newCert

        public static PkNewCertificate newCert(int keySize,
                                               String subjectDN,
                                               int numValidDays,
                                               Date notBefore,
                                               boolean useShortSubjectKId,
                                               List<String> subjectAltNames,
                                               List<String> kUsage,
                                               List<String> extKUsage,
                                               String provider,
                                               X509Certificate[] signing_cert_chain,
                                               PrivateKey signing_cert_private_key)
                                        throws com.ibm.security.certclient.base.PkRejectionException
        Create a personal certificate with supplied extensions
        Parameters:
        keySize - size of key.
        subjectDN - Distinguished name which will be the subject for this certificate
        numValidDays - period of certificate validity. Will be measured from notBefore date.
        notBefore - Date on which this certificate's validity begins. Must be no greater than 3 days prior to the issuing UTC time. If null, current Date will be used.
        useShortSubjectKId - if true use short form of Subject Key Id else use long form
        subjectAltNames - (optional) list of subject alternate names. Specify null to indicate that no value is being specified.
        1. email addresses for the subject; a comma-separated list of email addresses, e.g. newUser@us.ibm.com, anotherUser@us.ibm.com
        2. dnsNames: domain name server names; a comma-separated list of dnsNames. Names are not case sensitive. e.g. host.domain, host2.domain2
        3. uris: universal resource identifiers; a comma-separated list of URIs, e.g. http://www.tivoli.com, ftp://www.ibm.com/
        4. ipaddresses: IP addresses for the subject; a comma-separated list of IP addresses, e.g. 127.0.0.1, 127.0.0.2
        kUsage - (optional) list of Key Usage strings. Acceptable values are: "digital_signature", "non_repudiation", "key_encipherment", "data_encipherment", "encipher_only", "decipher_only"
        extKUsage - (optional) list of Extended Key Usage strings. Acceptable values are: "ServerAuth_Id", "ClientAuth_Id", "CodeSigning_Id", "EmailProtection_Id", "IPSecEndSystem_Id", "IPSecTunnel_Id", "IPSecUser_Id", "TimeStamping_Id"
        provider - name of crypto provider
        signing_cert_chain - X509Certificate signing chain
        signing_cert_private_key - Private key to sign personal certificate which is being created
        Returns:
        a PkNewCertificate type object that implements a personal certificate with the provided attributes, signed by the specified signing certificate
        Throws:
        com.ibm.security.certclient.base.PkRejectionException
      • newCert

        public static PkNewCertificate newCert(int keySize,
                                               String subjectDN,
                                               int numValidDays,
                                               Date notBefore,
                                               boolean useShortSubjectKId,
                                               List<String> subjectAltNames,
                                               List<String> kUsage,
                                               List<String> extKUsage,
                                               String provider,
                                               KeyPair keyPair,
                                               X509Certificate[] signing_cert_chain,
                                               PrivateKey signing_cert_private_key)
                                        throws com.ibm.security.certclient.base.PkRejectionException
        Create a personal certificate with supplied extensions
        Parameters:
        keySize - size of key. Not used if keyPair is provided.
        subjectDN - Distinguished name which will be the subject for this certificate
        numValidDays - period of certificate validity. Will be measured from notBefore date.
        notBefore - Date on which this certificate's validity begins. Must be no greater than 3 days prior to the issuing UTC time. If null, current Date will be used.
        useShortSubjectKId - if true use short form of Subject Key Id else use long form
        subjectAltNames - (optional) list of subject alternate names. Specify null to indicate that no value is being specified.
        1. email addresses for the subject; a comma-separated list of email addresses, e.g. newUser@us.ibm.com, anotherUser@us.ibm.com
        2. dnsNames: domain name server names; a comma-separated list of dnsNames. Names are not case sensitive. e.g. host.domain, host2.domain2
        3. uris: universal resource identifiers; a comma-separated list of URIs, e.g. http://www.tivoli.com, ftp://www.ibm.com/
        4. ipaddresses: IP addresses for the subject; a comma-separated list of IP addresses, e.g. 127.0.0.1, 127.0.0.2
        kUsage - (optional) list of Key Usage strings. Acceptable values are: "digital_signature", "non_repudiation", "key_encipherment", "data_encipherment", "encipher_only", "decipher_only"
        extKUsage - (optional) list of Extended Key Usage strings. Acceptable values are: "ServerAuth_Id", "ClientAuth_Id", "CodeSigning_Id", "EmailProtection_Id", "IPSecEndSystem_Id", "IPSecTunnel_Id", "IPSecUser_Id", "TimeStamping_Id"
        provider - name of crypto provider
        keyPair - keypair to use for private/public keys. If null, a keypair will be generated.
        signing_cert_chain - X509Certificate signing chain
        signing_cert_private_key - Private key to sign personal certificate which is being created
        Returns:
        a PkNewCertificate type object that implements a personal certificate with the provided attributes, signed by the specified signing certificate
        Throws:
        com.ibm.security.certclient.base.PkRejectionException
      • newCert

        public static PkNewCertificate newCert(int keySize,
                                               String subjectDN,
                                               int numValidDays,
                                               Date notBefore,
                                               boolean useShortSubjectKId,
                                               List<String> subjectAltNames,
                                               List<String> kUsage,
                                               List<String> extKUsage,
                                               String provider,
                                               KeyPair keyPair,
                                               X509Certificate[] signing_cert_chain,
                                               PrivateKey signing_cert_private_key,
                                               boolean CA)
                                        throws com.ibm.security.certclient.base.PkRejectionException
        Create a personal certificate with supplied extensions
        Parameters:
        keySize - size of key. Not used if keyPair is provided.
        subjectDN - Distinguished name which will be the subject for this certificate
        numValidDays - period of certificate validity. Will be measured from notBefore date.
        notBefore - Date on which this certificate's validity begins. Must be no greater than 3 days prior to the issuing UTC time. If null, current Date will be used.
        useShortSubjectKId - if true use short form of Subject Key Id else use long form
        subjectAltNames - (optional) list of subject alternate names. Specify null to indicate that no value is being specified.
        1. email addresses for the subject; a comma-separated list of email addresses, e.g. newUser@us.ibm.com, anotherUser@us.ibm.com
        2. dnsNames: domain name server names; a comma-separated list of dnsNames. Names are not case sensitive. e.g. host.domain, host2.domain2
        3. uris: universal resource identifiers; a comma-separated list of URIs, e.g. http://www.tivoli.com, ftp://www.ibm.com/
        4. ipaddresses: IP addresses for the subject; a comma-separated list of IP addresses, e.g. 127.0.0.1, 127.0.0.2
        kUsage - (optional) list of Key Usage strings. Acceptable values are: "digital_signature", "non_repudiation", "key_encipherment", "data_encipherment", "encipher_only", "decipher_only"
        extKUsage - (optional) list of Extended Key Usage strings. Acceptable values are: "ServerAuth_Id", "ClientAuth_Id", "CodeSigning_Id", "EmailProtection_Id", "IPSecEndSystem_Id", "IPSecTunnel_Id", "IPSecUser_Id", "TimeStamping_Id"
        provider - name of crypto provider
        keyPair - keypair to use for private/public keys. If null, a keypair will be generated.
        signing_cert_chain - X509Certificate signing chain
        signing_cert_private_key - Private key to sign personal certificate which is being created
        CA - true: create this certificate as a CA with basic constraints; false: create this certificate as an end-user without basic constraints
        Returns:
        a PkNewCertificate type object that implements a personal certificate with the provided attributes, signed by the specified signing certificate
        Throws:
        com.ibm.security.certclient.base.PkRejectionException
      • getTrimmedSanValues

        public static String[] getTrimmedSanValues(String multipleSanValues)
        Converts a String of comma-separated values to an array of String values. The delimiter is ",".
        Parameters:
        multipleSanValues -
        Returns:
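
Added example (not IBM's code): calling the thirteen-argument newCert overload documented above with an explicit 2048-bit key size, key usage and extended key usage rather than the defaults of the three-argument overload, after checking with standard JCA calls that the signer is a CA and will still be valid when the new certificate expires. The class IssueServerCert, the issue helper, the keystore file, alias, password and DN are hypothetical, and PkNewCertificate is assumed to live in the same package as PkNewCertFactory.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import com.ibm.security.certclient.base.PkRejectionException;
import com.ibm.security.certclient.util.PkNewCertFactory;
import com.ibm.security.certclient.util.PkNewCertificate; // assumed: same package as the factory

public class IssueServerCert {
    // Hypothetical helper: issue an end-user certificate with explicit parameters.
    static PkNewCertificate issue(KeyStore ks, String alias, char[] keyPass, String subjectDN, int days)
            throws GeneralSecurityException, PkRejectionException {
        java.security.cert.Certificate[] raw = ks.getCertificateChain(alias);
        PrivateKey signerKey = (PrivateKey) ks.getKey(alias, keyPass);
        if (raw == null || signerKey == null)
            throw new KeyStoreException("no private-key entry under alias " + alias);
        X509Certificate[] chain = Arrays.copyOf(raw, raw.length, X509Certificate[].class);
        X509Certificate signer = chain[0]; // KeyStore puts the key's own certificate first
        // getBasicConstraints() returns -1 when the certificate is not a CA.
        if (signer.getBasicConstraints() < 0)
            throw new CertificateException("signing certificate is not a CA");
        // The signer must still be valid on the day the new certificate expires.
        signer.checkValidity(new Date(System.currentTimeMillis() + days * 86_400_000L));
        return PkNewCertFactory.newCert(
                2048,          // keySize, in place of the default 1024
                subjectDN,
                days,          // numValidDays
                null,          // notBefore: null means the current date
                false,         // useShortSubjectKId: long form
                null,          // subjectAltNames: no value specified
                Arrays.asList("digital_signature", "key_encipherment"), // kUsage
                Arrays.asList("ServerAuth_Id"),                         // extKUsage
                "IBMJCE",      // provider
                null,          // keyPair: null means one is generated
                chain,
                signerKey,
                false);        // CA = false: end-user, no basic constraints
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: keystore path, password, alias and DN are placeholders.
        char[] pass = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get("signer.p12"))) {
            ks.load(in, pass);
        }
        System.out.println(issue(ks, "signer", pass, "CN=host.domain,O=Example", 365));
    }
}
```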

© Copyright IBM Corp. 1998, 2021 All Rights Reserved.