public final class CertAndKeyGen
extends java.lang.Object
This provides some simple certificate management functionality. Specifically, it allows you to create self-signed X.509 certificates as well as PKCS 10 based certificate signing requests.
Keys for some public key signature algorithms have algorithm parameters, such as DSS/DSA. Some sites' Certificate Authorities adopt fixed algorithm parameters, which speeds up some operations including key generation and signing. At this time, this interface does not provide a way to provide such algorithm parameters, e.g. by providing the CA certificate which includes those parameters.
Also, note that at this time only signature-capable keys may be acquired through this interface. Diffie-Hellman keys, used for secure key exchange, may be supported later.
PKCS10
,
X509CertImpl
Constructor and Description |
---|
CertAndKeyGen(java.lang.String keyType,
java.lang.String sigAlg)
Creates a CertAndKeyGen object for a particular key type
and signature algorithm.
|
Modifier and Type | Method and Description |
---|---|
void |
generate(int keyBits)
Generates a random public/private key pair, with a given key
size.
|
PKCS10 |
getCertRequest(X500Name myname)
Returns a PKCS #10 certificate request.
|
java.security.PrivateKey |
getPrivateKey()
Returns the private key of the generated key pair.
|
X509Key |
getPublicKey()
Returns the public key of the generated key pair.
|
X509Cert |
getSelfCert(X500Name myname,
long validity)
Deprecated.
Use the new
getSelfCertificate(X500Name, long) |
java.security.cert.X509Certificate |
getSelfCertificate(X500Name myname,
long validity)
Returns a self-signed X.509v3 certificate for the public key.
|
void |
setRandom(java.security.SecureRandom generator)
Deprecated.
All random numbers come from PKCS #11 now.
|
public CertAndKeyGen(java.lang.String keyType, java.lang.String sigAlg) throws java.security.NoSuchAlgorithmException
keyType
- type of key, e.g. "RSA", "DSA"sigAlg
- name of the signature algorithm, e.g. "MD5WithRSA",
"MD2WithRSA", "SHAwithDSA".java.security.NoSuchAlgorithmException
- on unrecognized algorithms.@Deprecated public void setRandom(java.security.SecureRandom generator)
public void generate(int keyBits) throws java.security.InvalidKeyException
Note that not all values of "keyBits" are valid for all algorithms, and not all public key algorithms are currently supported for use in X.509 certificates. If the algorithm you specified does not produce X.509 compatible keys, an invalid key exception is thrown.
keyBits
- the number of bits in the keys.java.security.InvalidKeyException
- if the environment does not
provide X.509 public keys for this signature algorithm.public X509Key getPublicKey()
public java.security.PrivateKey getPrivateKey()
Be extremely careful when handling private keys. When private keys are not kept secret, they lose their ability to securely authenticate specific entities ... that is a huge security risk!
@Deprecated public X509Cert getSelfCert(X500Name myname, long validity) throws java.security.InvalidKeyException, java.security.SignatureException, java.security.NoSuchAlgorithmException
getSelfCertificate(X500Name, long)
Such certificates normally are used to identify a "Certificate Authority" (CA). Accordingly, they will not always be accepted by other parties. However, such certificates are also useful when you are bootstrapping your security infrastructure, or deploying system prototypes.
myname
- X.500 name of the subject (who is also the issuer)validity
- how long the certificate should be valid, in secondsjava.security.InvalidKeyException
java.security.SignatureException
java.security.NoSuchAlgorithmException
public java.security.cert.X509Certificate getSelfCertificate(X500Name myname, long validity) throws java.security.cert.CertificateException, java.security.InvalidKeyException, java.security.SignatureException, java.security.NoSuchAlgorithmException, java.security.NoSuchProviderException
Such certificates normally are used to identify a "Certificate Authority" (CA). Accordingly, they will not always be accepted by other parties. However, such certificates are also useful when you are bootstrapping your security infrastructure, or deploying system prototypes.
myname
- X.500 name of the subject (who is also the issuer)validity
- how long the certificate should be valid, in secondsjava.security.cert.CertificateException
- on certificate handling errors.java.security.InvalidKeyException
- on key handling errors.java.security.SignatureException
- on signature handling errors.java.security.NoSuchAlgorithmException
- on unrecognized algorithms.java.security.NoSuchProviderException
- on unrecognized providers.public PKCS10 getCertRequest(X500Name myname) throws java.security.InvalidKeyException, java.security.SignatureException
PKCS10.print
or
PKCS10.toByteArray
operations on the result, to get the request in an appropriate
transmission format.
PKCS #10 certificate requests are sent, along with some proof of identity, to Certificate Authorities (CAs) which then issue X.509 public key certificates.
myname
- X.500 name of the subjectjava.security.InvalidKeyException
- on key handling errors.java.security.SignatureException
- on signature handling errors.