Problem description
I have a program in Java which currently uses private JDK classes (CertAndKeyGen and X500Name) to generate self-signed X.509 certificates. There are too many problems with this approach:
- The internal package keeps changing:
  - "sun.security.x509.CertAndKeyGen", // Oracle/Sun/OpenJDK 6, 7
  - "sun.security.tools.keytool.CertAndKeyGen", // Oracle/Sun/OpenJDK 8
  - "com.ibm.security.x509.CertAndKeyGen", // IBM SDK 7
  - "com.ibm.security.tools.CertAndKeyGen" // IBM SDK 8
- Apparently a JDK 7 update (u111?) recently changed the package as listed above
I would like to convert this code to use standard, supported JDK classes.
I have looked at using the ill-named CertificateFactory.generateCertificate() methods, but no luck: they cannot generate any certificate, they are just able to load an existing one.
Does anybody know a standard JDK API that can generate a self-signed certificate?
This is as far as I could go:
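```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import javax.security.auth.x500.X500Principal;

// dn: the subject distinguished name string, defined elsewhere
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
// Default platform SecureRandom as the entropy source
generator.initialize(2048, new SecureRandom());
KeyPair keyPair = generator.generateKeyPair();
PrivateKey privatekey = keyPair.getPrivate();
X500Principal principal = new X500Principal(dn);
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
// How to generate the self-signed certificate from there?
// certFactory.generate(inputStream) // only able to load an existing certificate
```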
Note:
- We do not want to introduce a dependency on bouncy-castle if at all possible
- I already know about X509V3CertificateGenerator
Recommended answer
Ok, then I guess it does not exist.
The RFE I submitted to the JDK has been accepted and there is now an official bug for it: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8165481
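As an added example (not part of the original question or answer, and not a JDK certificate-generation API): one way to stay on supported JDK components is to run the JDK's own keytool command and load the result through the public KeyStore API. It assumes the runtime ships keytool under java.home/bin; the class name, alias, DN, password and the KS_PASS variable name are constructed sample values.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

public class SelfSignedViaKeytool {
    public static void main(String[] args) throws Exception {
        // Constructed sample values (assumptions, not from the original post).
        String alias = "selfsigned";
        String dn = "CN=example.test, O=Example, C=US";
        char[] password = "sample-password".toCharArray();

        // keytool is a documented JDK tool; assumed to be present under <java.home>/bin.
        String keytool = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
        // A fresh temp directory (owner-only on POSIX) so keytool creates the keystore itself.
        Path dir = Files.createTempDirectory("selfsigned");
        Path store = dir.resolve("keystore.p12");

        ProcessBuilder pb = new ProcessBuilder(keytool, "-genkeypair",
                "-alias", alias, "-dname", dn,
                "-keyalg", "RSA", "-keysize", "2048", "-sigalg", "SHA256withRSA",
                "-validity", "365",
                "-storetype", "PKCS12", "-keystore", store.toString(),
                "-storepass:env", "KS_PASS"); // password via environment, not argv
        pb.environment().put("KS_PASS", new String(password));
        pb.inheritIO();
        int exit = pb.start().waitFor();
        if (exit != 0) {
            throw new IllegalStateException("keytool exited with status " + exit);
        }

        // Load the generated entry with the public KeyStore API.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);

        // Self-signed: the signature must verify under the certificate's own public key.
        cert.verify(cert.getPublicKey());
        System.out.println(cert.getSubjectX500Principal() + " signed with " + cert.getSigAlgName()
                + ", private key algorithm " + key.getAlgorithm());
        Files.delete(store);
        Files.delete(dir);
    }
}
```

Runtimes trimmed with jlink may not include keytool, in which case the process launch fails before any keystore is written.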