Create Self-Signed Certificates using BouncyCastle
Self-signed certificates are used frequently during development and testing. This post shows how to create self-signed certificates using BouncyCastle.
In the code below, the method generateSelfSignedCert() accepts the common name of the certificate to generate. It first creates a RSA key pair, then creates a certificate that is valid for 2 years. This method returns a pair of private key and certificate. JcaPEMWriter is used to write out the private key and certificate in PEM format.
import java.io.IOException;
import java.io.PrintWriter;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.sql.Date;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import org.apache.commons.lang3.tuple.Pair;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
public class Main {
public static void main(String[] args)
throws NoSuchAlgorithmException, CertificateException, NoSuchProviderException, OperatorCreationException, IOException {
Security.addProvider(new BouncyCastleProvider());
Pair<PrivateKey, Certificate> pair = generateSelfSignedCert("app.example.com");
JcaPEMWriter writer = new JcaPEMWriter(new PrintWriter(System.out));
writer.writeObject(pair.getLeft());
writer.writeObject(pair.getRight());
writer.flush();
}
private final static String bcProvider = BouncyCastleProvider.PROVIDER_NAME;
public static Pair<PrivateKey, Certificate> generateSelfSignedCert(String commonName)
throws NoSuchProviderException, NoSuchAlgorithmException, OperatorCreationException, CertificateException {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", bcProvider);
keyPairGenerator.initialize(2048);
KeyPair keyPair = keyPairGenerator.generateKeyPair();
X500Name dnName = new X500Name("CN=" + commonName);
BigInteger certSerialNumber = BigInteger.valueOf(System.currentTimeMillis());
String signatureAlgorithm = "SHA256WithRSA";
ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm)
.build(keyPair.getPrivate());
Instant startDate = Instant.now();
Instant endDate = startDate.plus(2 * 365, ChronoUnit.DAYS);
JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
dnName, certSerialNumber, Date.from(startDate), Date.from(endDate), dnName,
keyPair.getPublic());
Certificate certificate = new JcaX509CertificateConverter().setProvider(bcProvider)
.getCertificate(certBuilder.build(contentSigner));
return Pair.of(keyPair.getPrivate(), certificate);
}
}You can use generated private key and certificate with nginx.
Source Code
See complete source code in GitHub.