JDK-8058778 : New APIs for creating certificates and certificate requests
  • Type: New Feature
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2014-09-19
  • Updated: 2020-01-23
Sub Tasks
JDK-8146666 :  
Keytool includes functions that are not available through public APIs, but the tool was designed to be run by a human being and it is difficult to run it from an application. This enhancement intends to create new APIs that cover these functions, including

- -genkeypair, -gencert, and -certreq of keytool

A new interface Certificate.Builder will be added to build certificates and certificate requests. CertificateFactory will support creating a builder.
We can also support version 1 here.

Release note: A new Certificate.Builder interface to build certificate requests and certificates. A new CertificateFactory method to return a builder.

BTW, although the API is not finalized, it will look like this:

    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(1024);
    KeyPair ca = kpg.generateKeyPair();
    KeyPair user = kpg.generateKeyPair();

    X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca)
        .subject(new X500Principal("CN=ca"))
        .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650)))
        .addExtension("BasicConstraints", true, "")
        .signatureAlgorithm("SHA256withRSA")
        .selfSign();

    byte[] request = X509CertificateBuilder.fromKeyPair(user)
        .subject(new X500Principal("CN=user"))
        .addExtension("KeyUsage", true, "digitalSignature,keyEncipherment")
        .request();

    X509Certificate userCert = X509CertificateBuilder.asCA(ca.getPrivate(), caCert)
        .signatureAlgorithm("SHA1withRSA")
        .honorExtension("all")
        .sign(request);
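The sketch above maps one-to-one onto the keytool functions the description lists (-genkeypair, -certreq, -gencert). The script below runs that same flow with the existing command-line tool: a self-signed CA with a critical BasicConstraints extension, an end-entity request carrying a critical KeyUsage extension, and a CA-issued certificate that honors the requested extensions, followed by an import that only succeeds if keytool can build the chain back to the CA. It is an added example, not code from the JDK issue or from the JDK project; it assumes a JDK on PATH, and every alias, file name and the password `changeit` are constructed here.

```shell
#!/bin/sh
# Added example (not from the JDK issue): the three keytool operations the RFE
# wants to expose as an API, run end-to-end against a scratch directory.
# Assumes keytool is on PATH. All aliases, file names and the password are
# constructed for the demo.
set -eu

PASS="changeit"   # constructed demo password only

# 1. -genkeypair: CA key pair, self-signed, 10-year validity, critical
#    BasicConstraints (bc:c => ca:true). Mirrors the builder's selfSign().
gen_ca() {
  dir=$1
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=ca" -validity 3650 -ext bc:c \
    -keystore "$dir/ca.p12" -storetype PKCS12 -storepass "$PASS" -keypass "$PASS"
  # Export the CA certificate in PEM so the end entity can install it as a trust anchor.
  keytool -exportcert -rfc -alias ca -keystore "$dir/ca.p12" -storepass "$PASS" \
    -file "$dir/ca.pem"
}

# 2. -genkeypair + -certreq: end-entity key pair and a PKCS#10 request asking for
#    a critical KeyUsage extension. Mirrors the builder's request().
gen_request() {
  dir=$1
  keytool -genkeypair -alias user -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=user" \
    -keystore "$dir/user.p12" -storetype PKCS12 -storepass "$PASS" -keypass "$PASS"
  keytool -certreq -alias user -ext ku:c=digitalSignature,keyEncipherment \
    -keystore "$dir/user.p12" -storepass "$PASS" -file "$dir/user.csr"
}

# 3. -gencert: the CA signs the request; "honored=all" copies the extensions
#    from the request into the issued certificate. Mirrors
#    asCA(...).honorExtension("all").sign(request).
issue_cert() {
  dir=$1
  keytool -gencert -alias ca -infile "$dir/user.csr" -outfile "$dir/user.pem" -rfc \
    -validity 365 -sigalg SHA256withRSA -ext honored=all \
    -keystore "$dir/ca.p12" -storepass "$PASS"
}

# 4. Install the reply. keytool accepts a certificate reply for an existing key
#    entry only if it can chain it to a trusted certificate already in the
#    keystore, so a successful import doubles as a chain check of step 3.
install_reply() {
  dir=$1
  keytool -importcert -noprompt -alias ca -file "$dir/ca.pem" \
    -keystore "$dir/user.p12" -storepass "$PASS"
  keytool -importcert -noprompt -alias user -file "$dir/user.pem" \
    -keystore "$dir/user.p12" -storepass "$PASS"
}

# Runs the whole flow inside $1 and prints the decoded issued certificate,
# where Owner, Issuer and the critical KeyUsage extension can be inspected.
run_demo() {
  dir=$1
  gen_ca "$dir"
  gen_request "$dir"
  issue_cert "$dir"
  install_reply "$dir"
  keytool -printcert -file "$dir/user.pem"
}

# Stand-alone usage: sh keytool-flow.sh --run
if [ "${1:-}" = "--run" ]; then
  run_demo "$(mktemp -d)"
fi
```

Two points worth noting when comparing this with the proposed builder: keytool's `-ext honored=all` is the CLI form of `honorExtension("all")`, and the final `-importcert` is the only place in the flow where anything verifies the issued certificate against the CA, which is exactly the kind of step an application has to script around today instead of calling an API.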

Yes, though it will be a JDK (not SE) supported API.

Feedback from JOSM (http://mail.openjdk.java.net/pipermail/jigsaw-dev/2015-October/005061.html): need a replacement for the sun.security.x509 internal API that is currently used to generate a self-signed certificate in order to create a local https server. Would this RFE cover this requirement?

Read http://ccc.us.oracle.com/8058778 for the design; it is still not final.