在没有BouncyCastle的情况下用Java创建X509证书？

签署证书的能力不是标准Java库或扩展的一部分。

自己做的许多代码都是核心的一部分。 有些类可以编码和解码X.500名称，X.509证书扩展，各种算法的公钥，当然还有实际执行数字签名的类。

自己实现这个并不是微不足道的，但它绝对可行 – 我可能花了4到5天，这是我第一次为证书签名制作工作原型。 对我来说这是一个很棒的学习练习，但是当有免费的可用库时，很难certificate这笔费用是合理的。

是的，但没有公开记录的课程。 我在本文中记录了这个过程。

import sun.security.x509.*; import java.security.cert.*; import java.security.*; import java.math.BigInteger; import java.util.Date; import java.io.IOException /**  * Create a self-signed X.509 Certificate  * @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"  * @param pair the KeyPair  * @param days how many days from now the Certificate is valid for  * @param algorithm the signing algorithm, eg "SHA1withRSA"  */ X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)  throws GeneralSecurityException, IOException {  PrivateKey privkey = pair.getPrivate();  X509CertInfo info = new X509CertInfo();  Date from = new Date();  Date to = new Date(from.getTime() + days * 86400000l);  CertificateValidity interval = new CertificateValidity(from, to);  BigInteger sn = new BigInteger(64, new SecureRandom());  X500Name owner = new X500Name(dn);   info.set(X509CertInfo.VALIDITY, interval);  info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));  info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));  info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));  info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));  info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));  AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);  info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));   // Sign the cert to identify the algorithm that's used.  X509CertImpl cert = new X509CertImpl(info);  cert.sign(privkey, algorithm);   // Update the algorith, and resign.  algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);  info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);  cert = new X509CertImpl(info);  cert.sign(privkey, algorithm);  return cert; } 

 import sun.security.x509.*; import java.security.cert.*; import java.security.*; import java.math.BigInteger; import java.security.cert.Certificate; import java.util.Date; import java.io.IOException; public class Example { /** * Create a self-signed X.509 Example * * @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB" * @param pair the KeyPair * @param days how many days from now the Example is valid for * @param algorithm the signing algorithm, eg "SHA1withRSA" */ public X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm) throws GeneralSecurityException, IOException { PrivateKey privkey = pair.getPrivate(); X509CertInfo info = new X509CertInfo(); Date from = new Date(); Date to = new Date(from.getTime() + days * 86400000l); CertificateValidity interval = new CertificateValidity(from, to); BigInteger sn = new BigInteger(64, new SecureRandom()); X500Name owner = new X500Name(dn); info.set(X509CertInfo.VALIDITY, interval); info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn)); info.set(X509CertInfo.SUBJECT, owner); info.set(X509CertInfo.ISSUER, owner); info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic())); info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3)); AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid); info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo)); // Sign the cert to identify the algorithm that's used. X509CertImpl cert = new X509CertImpl(info); cert.sign(privkey, algorithm); // Update the algorith, and resign. algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG); info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo); cert = new X509CertImpl(info); cert.sign(privkey, algorithm); return cert; } public static void main (String[] argv) throws Exception { KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); KeyPair keyPair = keyPairGenerator.generateKeyPair(); Example example = new Example(); String distinguishedName = "CN=Test, L=London, C=GB"; Certificate certificate = example.generateCertificateOriginal(distinguishedName, keyPair, 365, "SHA256withRSA"); System.out.println("it worked!"); } } 

我喜欢vbence的答案，但我一直得到以下exception：

java.security.cert.CertificateException：主题类类型无效。

经过多次尝试找出有效的主题类后，我发现X509CerInfo想要一个X500Name的实例。

 1 info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn)); 2 info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner)); 3 info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner)); 4 info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic())); 

所以第2和第3行需要改为

 2 info.set(X509CertInfo.SUBJECT, owner); 3 info.set(X509CertInfo.ISSUER, owner); 

JRE中提供了制作自签名证书（签名，X509编码等）的所有基本组件。 与BC不同，Sun的JCE不提供签署证书的任何公共电话。 但是，Keytool中提供了所有function。 您只需从keytool复制代码即可。 您需要复制的方法是doSelfCert() 。

取决于你想要做什么（可能你的定义是“Sanely”）。 正如ZZ Coder所指出的，您可以通过复制keytool直接创建自签名证书。 但我不相信您可以使用标准JCE创建PKCS10证书请求对象，如果要创建标准的CA签名EEC，则可能需要执行此操作。