Obtaining a Certificate Chain

I work with X509 certificates in Java. Given the certificate, is it possible to find all other certificates in the signature hierarchy until you reach the root certificate?

I have a certificate file (with the extension .cer) and I want to extract the parent signing certificate. I want to continue searching for the parent of this certificate until I get the final root certificate, which is itself signed.

I checked the X509Certificate API and the corresponding APIs in java.security.cert, but could not find anything useful.

+6
1 answer

This is not difficult - provided that you have somehow (out of band) received all the intermediate certificates and the root certificate in one or more key chains.

Take a look

 http://codeautomate.org/blog/2012/02/certificate-validation-using-java/ 

for compressed code that does just that. The key bit is in validateKeyChain() and consists mainly of

    cert = cert-to-validate
    while (not self signed) {
        extract issuer from cert
        scan keychain(s) to find cert with a subject equal to the issuer
        if none found - error
        check if the signature is correct.
        cert = issuers_cert
    }
    if not at the top/root - error

As for getting intermediate / root certificates - this is another problem. Note that this code is a bit naive - and doesn't quite understand cross-signing. The Java PKIX calls do, though - BouncyCastle has an example.

You can usually create root certificates in a keychain; but intermediate certificates often need to be "collected" or discovered more dynamically. This usually requires an SSL stack request during TLS or similar.

+2
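
The PKIX route the answer points to, as an added example (not part of the original answer or the linked blog post): it uses the JDK's CertPathBuilder to assemble and validate the chain from certificates you already hold. The class name, the command-line layout (leaf, one trusted root, then intermediates) and the disabled revocation check are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class ChainBuilder {
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Self-signed: subject equals issuer AND the signature verifies under its own key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }

    // Returns leaf -> intermediates -> root, or throws CertPathBuilderException when
    // no path to one of trustedRoots can be built and validated.
    static List<X509Certificate> buildChain(X509Certificate leaf,
            Collection<X509Certificate> intermediates,
            Collection<X509Certificate> trustedRoots) throws Exception {
        if (isSelfSigned(leaf)) return List.of(leaf);   // already a root; nothing to walk
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : trustedRoots) anchors.add(new TrustAnchor(root, null));
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        List<X509Certificate> store = new ArrayList<>(intermediates);
        store.add(leaf);   // the target is included in the store the builder searches
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(store)));
        params.setRevocationEnabled(false);   // no CRL/OCSP in this example; enable for real validation
        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : result.getCertPath().getCertificates()) chain.add((X509Certificate) c);
        chain.add(result.getTrustAnchor().getTrustedCert());   // the CertPath omits the anchor itself
        return chain;
    }

    // Assumed usage: java ChainBuilder leaf.cer root.cer [intermediate.cer ...]
    public static void main(String[] args) throws Exception {
        List<X509Certificate> intermediates = new ArrayList<>();
        for (int i = 2; i < args.length; i++) intermediates.add(load(args[i]));
        for (X509Certificate c : buildChain(load(args[0]), intermediates, List.of(load(args[1]))))
            System.out.println(c.getSubjectX500Principal().getName());
    }
}
```

Only certificates passed as trusted roots become trust anchors; a self-signed certificate that merely appears among the collected intermediates is never treated as a root.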

Source: https://habr.com/ru/post/918449/

