从技术角度来看,您的解决方案是正确的。但是,请不要忘记安全方面的考虑:谁可以请求证书,如何执行身份验证,如何将证书/私钥分发到服务器…
这些元素对于生成证书是必不可少的:
- 主题名称
- 发行人名称
- 证书序列号
- 主题公钥
- 有效期(不早于,不晚于)
添加一些扩展名也是一个好习惯:
- 主题密钥标识符
- 权限密钥标识符
- 基本约束
- 按键用法
- 扩展密钥用法
此代码段概述了证书的生成:
ContentSigner getCertSigner(PrivateKey issuerKey) { AsymmetricKeyParameter akp = PrivateKeyFactory.createKey(issuerKey.getEnpred()); AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1withRSA"); AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); return new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(akp);}X509CertificateHolder generateCertificate(X509Certificate issuerCert, PrivateKey issuerKey, X500Name subject, PublicKey subjectKey, Date notBefore, Date notAfter) { X509Principal issuerDN = PrincipalUtil.getSubjectX509Principal(issuerCert); SubjectPublicKeyInfo key = SubjectPublicKeyInfo.getInstance(subjectKey.getEnpred()); X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerDN, BigInteger.valueOf(new SecureRandom().nextInt()), before, after, subject, key); // Add authority key identifier builder.addExtension(X509Extension.authorityKeyIdentifier, false, JcaX509ExtensionUtils.createAuthorityKeyIdentifier(issuerCert)); // Add subject key identifier builder.addExtension(X509Extension.subjectKeyIdentifier, false, JcaX509ExtensionUtils.createSubjectKeyIdentifier(subjectKey)); // Add basic constraints builder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(false)); // Add key usage KeyUsage keyUsage = new KeyUsage(KeyUsage.keyEncipherment|KeyUsage.digitalSignature); builder.addExtension(X509Extension.keyUsage, true, keyUsage); // Add extended key usage ExtendedKeyUsage extKeyUsage = new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth); builder.addExtension(X509Extension.extendedKeyUsage, false, extKeyUsage); return builder.build(getCertSigner(issuerKey));}更新: 根据Martin Nielsen的评论修复了代码。
