JDK-8058778 : New APIs for creating certificates and certificate requests
  • Type: New Feature
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P3
  • Status: Closed
  • Resolution: Won't Fix
  • Submitted: 2014-09-19
  • Updated: 2024-04-18
  • Resolved: 2024-04-18
Related Reports
Blocks :  
JDK-8143368 - Document JarSigner and X509CertificateBuilder
Duplicate :  
JDK-8165481 - Provide an API for generating certificates
Relates :  
JDK-8062515 - Migrate use of sun.security.** to supported API
Relates :  
JDK-6539136 - Add KeyTool and JarSigner as JSR 199 Tools
Relates :  
JDK-8056174 - New APIs for jar signing
Relates :  
JDK-8304556 - Add public API for generating self signed X.509 certificates
Relates :  
JDK-8157109 - Support version 1 cert generation in keytool
Sub Tasks
JDK-8146666 :  
Create a section for CertificateRequest in StandardNames.html - Resolved
Description
Keytool includes functions that are not available through public APIs, but these tools were designed to be run by a human being and it's difficult to running them in an application. The enhancement intends to create new APIs that cover these functions, including

- -genkeypair, -gencert, and -certreq of keytool

A new interface Certificate.Builder will be added to build certificates and certificate requests. CertificateFactory will support creating a builder.
Comments
Closing as "Won't Fix". We have no plans to provide APIs for creating certificates. The "keytool -gencert" option can be used to create certificates and is the only mechanism that we will support.
18-04-2024
We can also support version 1 here.
17-05-2016
Release note: A new Certificate.Builder interface to build certificate requests and certificate. A new CertificateFactory method to return a builder.
07-01-2016
BTW, although the API is not finalized, it will look like this: KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(1024); KeyPair ca = kpg.generateKeyPair(); KeyPair user = kpg.generateKeyPair(); X509Certificate caCert = X509CertificateBuilder.fromKeyPair(ca) .subject(new X500Principal("CN=ca")) .validity(Instant.now(), Instant.now().plus(Period.ofDays(3650))) .addExtension("BasicConstraints", true, "") .signatureAlgorithm("SHA256withRSA") .selfSign(); byte[] request = X509CertificateBuilder.fromKeyPair(user) .subject(new X500Principal("CN=user")) .addExtension("KeyUsage", true, "digitalSignature,keyEncipherment") .request(); X509Certificate userCert = X509CertificateBuilder.asCA( ca.getPrivate(), caCert) .signatureAlgorithm("SHA1withRSA") .honorExtension("all") .sign(request);
05-11-2015
Yes, though it will be a JDK (not SE) supported API.
30-10-2015
Feedback from JOSM http://mail.openjdk.java.net/pipermail/jigsaw-dev/2015-October/005061.html Need replacement for sun.security.x509 internal API that is currently used to generate a self-signed certificate in order to create a local https server Would this RFE cover this requirement?
30-10-2015
Read http://ccc.us.oracle.com/8058778 for design, still not final
16-06-2015