To add to the solution given by martijno,
Instead of writing your own content subscriber, JCAContentSigner can be used to avoid matching with AlgorithmIdentifier (i.e. OID).
JcaContentSignerBuilder accepts algorithm names as defined here .
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(issuer, serialNumber, startDate, expiryDate, subject, SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); JcaContentSignerBuilder builder = new JcaContentSignerBuilder("SHA256withRSA"); ContentSigner signer = builder.build(keyPair.getPrivate()); byte[] certBytes = certBuilder.build(signer).getEncoded(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509Certificate certificate = (X509Certificate)certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes));
source share