Mister PKI

All things PKI, HTTPS, SSL, TLS, Digital Certificates

by Leave a Comment

This post demonstrates how to generate a self-signed certificate with Java and BouncyCastle. There are numerous posts online about how to generate a self-signed certificate using the Java Keytool, so I won’t cover that here. Instead, you may be looking for how to generate a self-signed certificate programmatically using Java. I’ve written an example using the BouncyCastle library (https://www.bouncycastle.org/).

Using Java and BouncyCastle

Steps to create the self-signed certificate with Java and BouncyCastle:

  • Create a validity period of not before and not after based on the current Instant and given amount of days.
  • Use the BouncyCastle JcaContentSignerBuilder with the given PrivateKey to sign the certificate to be built.
  • The X500Name should be the common name (Fully Qualified Domain Name (FQDN) of the server or any name if a client cert).
  • Use the BouncyCastle X509v3CertificateBuilder to build the certificate.
  • Add subject key id, authority key id, and basic constraint extensions to the builder.
  • Return the self-signed certificate.
public static X509Certificate generate(final KeyPair keyPair,
                                         final String hashAlgorithm,
                                         final String cn,
                                         final int days)
    throws OperatorCreationException, CertificateException, CertIOException
  {
    final Instant now = Instant.now();
    final Date notBefore = Date.from(now);
    final Date notAfter = Date.from(now.plus(Duration.ofDays(days)));

    final ContentSigner contentSigner = new JcaContentSignerBuilder(hashAlgorithm).build(keyPair.getPrivate());
    final X500Name x500Name = new X500Name("CN=" + cn);
    final X509v3CertificateBuilder certificateBuilder =
      new JcaX509v3CertificateBuilder(x500Name,
        BigInteger.valueOf(now.toEpochMilli()),
        notBefore,
        notAfter,
        x500Name,
        keyPair.getPublic())
        .addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyId(keyPair.getPublic()))
        .addExtension(Extension.authorityKeyIdentifier, false, createAuthorityKeyId(keyPair.getPublic()))
        .addExtension(Extension.basicConstraints, true, new BasicConstraints(true));

    return new JcaX509CertificateConverter()
      .setProvider(new BouncyCastleProvider()).getCertificate(certificateBuilder.build(contentSigner));
  }

The complete working program is in my github repo: https://github.com/misterpki/selfsignedcert

There exist other ways to programmatically do this in both Java and other languages. Please leave comments, ask questions, and leave feedback if interested in learning other ways to programmatically create a self-signed certificate.

Read all blog content.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *