可以使用J2SDK内部使用的sun.security.x509包中的X509CertImpl类来创建新的证书:在该类的构造器中传入有关新证书的各种信息,如序列号、有效期、签发者等,最后使用X509CertImpl类的sign()方法用CA的私钥进行签名。可以打印新证书的信息,也可以将其保存在密钥库中。当然你也可以使用第三方工具,如BouncyCastleProvider(http://www.bouncycastle.org/latest_releases.html)包里面的org.bouncycastle.jce.X509V1CertificateGenerator类来生成证书。



    用CA的证书签发证书
    下面是一个例子。如果你需要运行它,可以使用如下命令:java SignCertificate keystore ca mykey mykey_signed
    import java.io.*;
    import java.security.*;
    import java.security.cert.*;
    import java.util.*;
    import sun.security.x509.X509CertImpl;
    import sun.security.x509.X509CertInfo;
    import sun.security.x509.X500Name;
    import sun.security.x509.AlgorithmId;
    import sun.security.x509.CertificateIssuerName;
    import sun.security.x509.CertificateSubjectName;
    import sun.security.x509.CertificateValidity;
    import sun.security.x509.CertificateSerialNumber;
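    import sun.security.x509.CertificateAlgorithmId;

    /**
     * Re-issues an existing keystore certificate so that it is signed by a CA whose
     * private key lives in the same keystore, then stores the result under a new alias.
     *
     * <p>Usage: {@code java SignCertificate keystore CAAlias certToSignAlias newAlias}
     *
     * <p>Relies on the JDK-internal {@code sun.security.x509} classes, which are not a
     * supported public API; a BouncyCastle certificate generator is the portable
     * alternative.
     */
    public class SignCertificate {

        // Signature algorithm for the new certificate. MD5WithRSA is no longer
        // acceptable for certificate signatures (MD5 collisions allow forged
        // certificates), so SHA-256 is used instead.
        private static final String SIG_ALG_NAME = "SHA256WithRSA";

        // Validity period of the re-issued certificate, in days.
        private static final int VALIDITY = 365;

        // Milliseconds per day, kept as a long so the multiplication cannot overflow.
        private static final long MILLIS_PER_DAY = 24L * 60 * 60 * 1000;

        /**
         * Usage: SignCertificate keystore CAAlias certToSignAlias newAlias
         *
         * @param args keystore path, CA alias, alias of the certificate to sign, and
         *             the alias under which the signed certificate is stored
         * @throws Exception on any I/O, keystore or signing failure
         */
        public static void main(String[] args) throws Exception {
            if (args.length != 4) {
                System.err.println(
                    "Usage: java SignCertificate keystore CAAlias certToSignAlias newAlias");
                System.exit(1);
            }
            String keystoreFile = args[0];
            String caAlias = args[1];
            String certToSignAlias = args[2];
            String newAlias = args[3];

            BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
            char[] password = readPassword(in, "Keystore password: ");
            char[] caPassword = readPassword(in, "CA (" + caAlias + ") password: ");
            char[] certPassword = readPassword(in, "Cert (" + certToSignAlias + ") password: ");

            try {
                KeyStore keyStore = loadKeyStore(keystoreFile, password);

                // The CA's private key signs; its certificate supplies the issuer name.
                // getKey/getCertificate return null for an unknown alias, which would
                // otherwise surface as a NullPointerException much later.
                PrivateKey caPrivateKey = (PrivateKey) keyStore.getKey(caAlias, caPassword);
                java.security.cert.Certificate caCert = keyStore.getCertificate(caAlias);
                if (caPrivateKey == null || caCert == null) {
                    throw new IllegalArgumentException(
                        "No key entry for CA alias '" + caAlias + "' in " + keystoreFile);
                }

                java.security.cert.Certificate cert = keyStore.getCertificate(certToSignAlias);
                PrivateKey privateKey = (PrivateKey) keyStore.getKey(certToSignAlias, certPassword);
                if (cert == null || privateKey == null) {
                    throw new IllegalArgumentException(
                        "No key entry for alias '" + certToSignAlias + "' in " + keystoreFile);
                }

                X509CertImpl newCert = signCertificate(cert, caCert, caPrivateKey);

                // The new entry pairs the existing private key with the CA-signed certificate.
                keyStore.setKeyEntry(newAlias, privateKey, certPassword,
                    new java.security.cert.Certificate[] { newCert });
                storeKeyStore(keyStore, keystoreFile, password);
            } finally {
                // Passwords are no longer needed; do not leave them in memory.
                Arrays.fill(password, '\0');
                Arrays.fill(caPassword, '\0');
                Arrays.fill(certPassword, '\0');
            }
        }

        /**
         * Prints {@code prompt} and reads one line from {@code in} as a password.
         *
         * <p>The input is echoed by the terminal because it is read from
         * {@code System.in}; {@code System.console().readPassword()} avoids that where a
         * console is available.
         *
         * @throws IOException if input ends before a line is read
         */
        private static char[] readPassword(BufferedReader in, String prompt) throws IOException {
            System.out.print(prompt);
            String line = in.readLine();
            if (line == null) {
                throw new IOException("End of input while reading " + prompt.trim());
            }
            return line.toCharArray();
        }

        /**
         * Loads the JKS keystore at {@code path}, closing the stream even on failure.
         */
        private static KeyStore loadKeyStore(String path, char[] password)
                throws GeneralSecurityException, IOException {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            FileInputStream input = new FileInputStream(path);
            try {
                keyStore.load(input, password);
            } finally {
                input.close();
            }
            return keyStore;
        }

        /**
         * Writes {@code keyStore} back to {@code path}, closing the stream even on failure.
         * The file is rewritten in place (FileOutputStream truncates it on open), so a
         * failure mid-write leaves a damaged keystore; keep a backup of the original.
         */
        private static void storeKeyStore(KeyStore keyStore, String path, char[] password)
                throws GeneralSecurityException, IOException {
            FileOutputStream output = new FileOutputStream(path);
            try {
                keyStore.store(output, password);
            } finally {
                output.close();
            }
        }

        /**
         * Builds a copy of {@code cert} whose issuer is the subject of {@code caCert},
         * with a fresh validity period, a random serial number and a signature made with
         * {@code caPrivateKey}. All other fields of the original certificate (subject,
         * public key, extensions) are carried over unchanged.
         *
         * @return the newly signed certificate
         */
        private static X509CertImpl signCertificate(java.security.cert.Certificate cert,
                java.security.cert.Certificate caCert, PrivateKey caPrivateKey)
                throws GeneralSecurityException, IOException {
            // The CA certificate's subject is the issuer of everything it signs.
            X509CertImpl caCertImpl = new X509CertImpl(caCert.getEncoded());
            X509CertInfo caCertInfo = (X509CertInfo) caCertImpl.get(
                X509CertImpl.NAME + "." + X509CertImpl.INFO);
            X500Name issuer = (X500Name) caCertInfo.get(
                X509CertInfo.SUBJECT + "." + CertificateSubjectName.DN_NAME);

            // Start from the to-be-signed part of the certificate being re-issued.
            X509CertImpl certImpl = new X509CertImpl(cert.getEncoded());
            X509CertInfo certInfo = (X509CertInfo) certImpl.get(
                X509CertImpl.NAME + "." + X509CertImpl.INFO);

            Date firstDate = new Date();
            Date lastDate = new Date(firstDate.getTime() + VALIDITY * MILLIS_PER_DAY);
            certInfo.set(X509CertInfo.VALIDITY, new CertificateValidity(firstDate, lastDate));

            // RFC 5280 requires a positive serial number unique per issuer. A second
            // count truncated to int is neither unique nor unpredictable and overflows
            // in 2038, so draw 64 random bits instead (+1 keeps it strictly positive).
            java.math.BigInteger serial =
                new java.math.BigInteger(64, new SecureRandom()).add(java.math.BigInteger.ONE);
            certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serial));

            certInfo.set(X509CertInfo.ISSUER + "." + CertificateIssuerName.DN_NAME, issuer);

            // Keep the inner algorithm identifier in step with the algorithm sign() uses,
            // deriving both from the single SIG_ALG_NAME constant.
            certInfo.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM,
                AlgorithmId.get(SIG_ALG_NAME));

            X509CertImpl newCert = new X509CertImpl(certInfo);
            newCert.sign(caPrivateKey, SIG_ALG_NAME);
            return newCert;
        }
    }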