Search code examples
javaandroidcertificatepkcs#12csr

What is the certificate enrollment process?


I am looking for a procedure of enrolling a certificate.

I have searched a lot but didn't find a good answer. Till now I get that firstly I have to generate a Key store (For creating a public key and a private key) then private key should be kept private and public key is sent with other information (like name and organization) to the CA. Then the CA will generate something and give me back something which contains the public key and information.

What does the CA generate? What is a P12 file and what does a .cer file contain?


Solution

  • The general procedure to issue certificates in a Public Key Infrastructure is more or less the following:

    1. the client generates a key pair, private and public

    2. the client generates a CSR (Certificate Signing Request) including attributes like Common Name and the Public Key. Signs it with the private key and sends it to the server

    3. The server builds the X509 Certificate with the CSR data, signs it with the CA private key and returns the X509 to client

    4. the client stores the private key and the certificate in a KeyStore

    What CA generate?

    The x509 certificate

    What is P12 file

    A file in PKCS#12 format (.pfx or .p12) containing a key store

    what is .cer file contain

    The public part of the certificate (not private key) in DER or PEM format

    EDITED - CSR generation on Android

    Gradle dependencies

    compile 'com.madgag.spongycastle:core:1.51.0.0'
    compile 'com.madgag.spongycastle:pkix:1.51.0.0'
    

    Generate KeyPair and CSR

    //Generate KeyPair
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(KEY_SIZE, new SecureRandom());
    KeyPair keyPair = keyGen.generateKeyPair();
    
    //Generate CSR in PKCS#10 format encoded in DER
    PKCS10CertificationRequest csr = CsrHelper.generateCSR(keyPair, commonname);
    byte  CSRder[] = csr.getEncoded();
    

    Utilities

    public class CsrHelper {
    
      private final static String DEFAULT_SIGNATURE_ALGORITHM = "SHA256withRSA";
      private final static String CN_PATTERN = "CN=%s, O=Aralink, OU=OrgUnit";
    
      private static class JCESigner implements ContentSigner {
    
            private static Map<String, AlgorithmIdentifier> ALGOS = new HashMap<String, AlgorithmIdentifier>();
    
            static {
                ALGOS.put("SHA256withRSA".toLowerCase(), new AlgorithmIdentifier(
                        new ASN1ObjectIdentifier("1.2.840.113549.1.1.11")));
                ALGOS.put("SHA1withRSA".toLowerCase(), new AlgorithmIdentifier(
                        new ASN1ObjectIdentifier("1.2.840.113549.1.1.5")));
    
            }
    
            private String mAlgo;
            private Signature signature;
            private ByteArrayOutputStream outputStream;
    
            public JCESigner(PrivateKey privateKey, String sigAlgo) {
                //Utils.throwIfNull(privateKey, sigAlgo);
                mAlgo = sigAlgo.toLowerCase();
                try {
                    this.outputStream = new ByteArrayOutputStream();
                    this.signature = Signature.getInstance(sigAlgo);
                    this.signature.initSign(privateKey);
                } catch (GeneralSecurityException gse) {
                    throw new IllegalArgumentException(gse.getMessage());
                }
            }
    
            @Override
            public AlgorithmIdentifier getAlgorithmIdentifier() {
                AlgorithmIdentifier id = ALGOS.get(mAlgo);
                if (id == null) {
                    throw new IllegalArgumentException("Does not support algo: " +
                            mAlgo);
                }
                return id;
            }
    
            @Override
            public OutputStream getOutputStream() {
                return outputStream;
            }
    
            @Override
            public byte[] getSignature() {
                try {
                    signature.update(outputStream.toByteArray());
                    return signature.sign();
                } catch (GeneralSecurityException gse) {
                    gse.printStackTrace();
                    return null;
                }
            }
        }
    
    //Create the certificate signing request (CSR) from private and public keys
    public static PKCS10CertificationRequest generateCSR(KeyPair keyPair, String cn) throws IOException,
                OperatorCreationException {
            String principal = String.format(CN_PATTERN, cn);
    
            ContentSigner signer = new JCESigner (keyPair.getPrivate(),DEFAULT_SIGNATURE_ALGORITHM);
    
            PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(
                    new X500Name(principal), keyPair.getPublic());
            ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
            extensionsGenerator.addExtension(Extension.basicConstraints, true, new BasicConstraints(
                    true));
            csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,
                    extensionsGenerator.generate());
            PKCS10CertificationRequest csr = csrBuilder.build(signer);
    
            return csr;
        }
    }