1. Overview
Signing a Certificate Signing Request (CSR) is a common operation in cryptography. In this tutorial, we’ll learn how to sign a CSR using the Bouncy Castle library.
2. Signing a CSR
Signing a CSR is a process by which a Certificate Authority (CA) validates the information in the CSR and issues a certificate. The CA signs the certificate using its private key. The signed certificate can then establish secure connections between clients and servers.
To sign a CSR using Bouncy Castle, we need to perform a few basic steps:
- Generate a trusted entity CA certificate and a private key.
- Generate the Certificate Signing Request (CSR).
- Sign the CSR using the CA certificate and private key.
3. Setup
We need to add the Bouncy Castle library to our project so that we can use it to sign a CSR. Let’s add its Maven dependency to our pom.xml file:
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk18on</artifactId>
<version>1.76</version>
</dependency>
Next, we need to create a SecurityProvider class to register the Bouncy Castle provider:
static {
Security.addProvider(new BouncyCastleProvider());
}4. Sign a CSR Using Bouncy Castle
Signing a CSR using Bouncy Castle involves several steps. Let’s go through each step in detail.
4.1. Generate a Trusted Entity CA Certificate and a Private Key
The CA is a trusted entity that issues certificates to clients. We must generate a CA certificate and private key to sign the CSR. Let’s start by generating a key pair:
public static KeyPair generateRSAKeyPair() {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
return keyPairGenerator.generateKeyPair();
}4.2. Generate the Certificate Signing Request
Let’s create the Certificate Signing Request (CSR) based on our key pair:
public static PKCS10CertificationRequest generateCSR(KeyPair pair) {
PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
new X500Principal("CN=Requested Test Certificate"), pair.getPublic());
JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withRSA");
ContentSigner signer = csBuilder.build(pair.getPrivate());
return p10Builder.build(signer);
}4.3. Sign the Certificate Signing Request
Next, we must create a certificate generator to sign the CSR using the CA certificate and private key. Let’s go through the code to sign the CSR:
public X509Certificate sign(PKCS10CertificationRequest inputCSR, PrivateKey caPrivate, KeyPair pair) {
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1withRSA");
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(caPrivate.getEncoded());
SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded());
X509v3CertificateBuilder myCertificateGenerator = new X509v3CertificateBuilder(
new X500Name("CN=issuer"),
new BigInteger("1"),
new Date(System.currentTimeMillis()),
new Date(System.currentTimeMillis() + 30L * 365 * 24 * 60 * 60 * 1000),
inputCSR.getSubject(),
keyInfo);
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
X509CertificateHolder holder = myCertificateGenerator.build(sigGen);
Certificate eeX509CertificateStructure = holder.toASN1Structure();
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
X509Certificate theCert = (X509Certificate) cf.generateCertificate(is1);
is1.close();
return theCert;
}The method begins by identifying the signature and digest algorithms to be used for signing the certificate. We use the DefaultSignatureAlgorithmIdentifierFinder and DefaultDigestAlgorithmIdentifierFinder classes to find these algorithms.
AsymmetricKeyParameter is used to create the CA’s private key from the encoded bytes. We use the PrivateKeyFactory class to create the private key from the encoded bytes. SubjectPublicKeyInfo is used to specify the public key information.
Next, we create the certificate builder. It sets the issuer, serial number, validity period, subject, and public key for the certificate.
Then, we create ContentSigner using the signature and digest algorithms and the CA’s private key, which is used to sign the certificate.
Finally, the method builds the certificate, converts it to an X509Certificate, and returns it.
5. Testing
Let’s write a test to verify the signing process:
@Test
public void givenCSR_whenSignWithBC_thenSuccess() {
SignCSRBouncyCastle signCSRBouncyCastle = new SignCSRBouncyCastle();
KeyPair pair = SignCSRBouncyCastle.generateRSAKeyPair();
PKCS10CertificationRequest csr = SignCSRBouncyCastle.generateCSR(pair);
KeyPair caPair = SignCSRBouncyCastle.generateRSAKeyPair();
X509Certificate signedCert = signCSRBouncyCastle.signCSR(csr, caPair.getPrivate(), pair);
assertThat(signedCert).isNotNull();
assertThat(signedCert.getSubjectDN().getName()).isEqualTo("CN=Requested Test Certificate");
assertDoesNotThrow(() -> signedCert.verify(caPair.getPublic()));
}In the test, we generate a key pair and create a CSR. Then, we generate a CA key pair and sign the CSR using the CA private key. Finally, we verify the signed certificate using the CA public key.
6. Conclusion
In this tutorial, we learned how to sign a CSR using the Bouncy Castle library. We generated a key pair, created a CSR, generated a CA key pair, and signed the CSR using a CA certificate. We also wrote a test to verify the signing process.
As always, the full implementation of these examples can be found over on GitHub.
