Re: Using JDK 1.2 Final Release...Generating Certificate Signing Request...Project at stake...

Jan Luehe (luehe@laguna.eng.sun.com)
Thu, 4 Feb 1999 17:03:30 -0800 (PST)

Date: Thu, 4 Feb 1999 17:03:30 -0800 (PST)
From: Jan Luehe <luehe@laguna.eng.sun.com>
Subject: Re: Using JDK 1.2 Final Release...Generating Certificate Signing Request...Project at stake...
To: java-security@java.Sun.COM, kinnist@rapidobject.com

Tony:

> I have been searching for weeks for a way to generate a Certificate
> Signing Request (CSR) for an X509 v3 certificate. I know that the
> keytool does this, but I need to do it inside my source code, i.e. via
> some API....Or at least I think I do. Since I am not sure what platforms
> my application will run on I am skeptical about using the
> java.lang.Runtime.exec() to generate the CSR from my application by
> executing the keytool app. with the parameters needed to generate the
> CSR. I have been able to utilize the keystore database for all other
> areas of my application with the exception of this one. Please help.

The CSR code is buried in the
sun.security.pkcs package (class PKCS10).

Note that you are not supposed to use this class directly.
It will disqualify you from becoming "100% Pure", and its
APIs are not supported (i.e., may change in the future).

We have been planning to release a Java extension for PKCS
support. However, I cannot tell you when this will be done.

> P.S. I am also having a problem in verifying a certificate issued to me
> using the CA's root certificate...Here is the code and the error that is
> generated...

Looks like you have an RSA-based signature.
Note that the SUN provider (the default provider that ships
with JDK 1.2) does not support RSA signatures.
Therefore, in order to be able to verify this signature, you
need to install a provider that supports RSA.
For example, RSA Data Security, Inc., has written one that plugs into
our architecture.

Jan
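
The provider gap described in the reply above can be told apart from a genuinely bad signature before verification is attempted. The following is an added example, not part of the original message or of Sun's code; it uses only standard `java.security` APIs as found in current JDKs, and the class name and the two certificate file arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical class name; usage: java VerifyIssuedCert <issued-cert> <ca-root-cert>
public class VerifyIssuedCert {
    // Load one X.509 certificate (DER or PEM) from a file.
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
    // True when some installed provider implements the signature algorithm.
    static boolean supported(String sigAlg) {
        try { Signature.getInstance(sigAlg); return true; }
        catch (NoSuchAlgorithmException e) { return false; }
    }
    public static void main(String[] args) throws Exception {
        X509Certificate issued = load(args[0]);
        X509Certificate caRoot = load(args[1]);
        String alg = issued.getSigAlgName();
        if (!supported(alg)) {
            // Provider gap: the certificate may be fine, but nothing installed can check it.
            System.err.println("No installed provider implements Signature." + alg);
            for (Provider p : Security.getProviders()) System.err.println("  installed: " + p.getName());
            System.exit(2);
        }
        if (!issued.getIssuerX500Principal().equals(caRoot.getSubjectX500Principal())) {
            System.err.println("Issuer name does not match the CA certificate's subject");
            System.exit(1);
        }
        try {
            issued.verify(caRoot.getPublicKey());
            System.out.println("Signature OK (" + alg + ")");
        } catch (SignatureException e) {
            System.err.println("Signature does NOT verify: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Exit code 2 means a missing algorithm implementation, which is fixed by installing a provider; exit code 1 means the certificate itself failed the check.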