Friends,
Problem Statement: An external entity sends the serial number of a certificate to my system, and using that serial number my system has to find or fetch the certificate details (e.g. by downloading it online or by pre-loading it in a Java Key Store) and use it for signature verification.
I could not find how to download a certificate online using the serial number. But I wouldn't vouch for it even if it was, since you know why.
Instead, I would like to go with a Java Key Store (JKS) and fetch the certificate details. But JKS expects an alias name and a password.
So, do you now suggest that I go to that external entity guy and ask him to send the certificate details instead of the serial number? If so, is that security compliant? Since we are working in the Telecom domain using the Remote Provisioning Architecture for Embedded UICC Technical Specification Version 3.0.
CAs only publish their root and intermediate certificates. The serial number is not usually used to download them, but a URL is included in the final issued certificates.
Summarizing: you can't find a certificate by serial number except if your CA has a specific service to download it, or you have a pre-provisioned list of the CA certificates, for example in a keystore.
Assuming you have a keystore with the possible certificates, you can list all available aliases, load each certificate and check whether its serial number matches the provided one. You do not need any password at all.
```java
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

Enumeration<String> enumeration = keystore.aliases();
while (enumeration.hasMoreElements()) {
    String alias = enumeration.nextElement();
    X509Certificate certificate = (X509Certificate) keystore.getCertificate(alias);
    BigInteger serialNumber = certificate.getSerialNumber();
    // compare serialNumber with the one received from the external entity
}
```
Note that the serial number is not unique between different CAs.
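Putting the two points above together, here is an added worked example (my code, not from the answer or the question): the keystore is opened without a password, the lookup matches on issuer DN plus serial number rather than serial alone, and the matched certificate's public key is used for the signature verification the question asked about. The class name, the `JKS` store type and the method names are my own assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

public class CertBySerial {

    // Load the store with a null password: the JKS integrity check is skipped,
    // certificate entries are readable, private-key entries stay locked.
    static KeyStore loadTrustStore(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, null);
        }
        return ks;
    }

    // A serial number is only unique within one CA, so require the issuer DN
    // as well (pass null to accept the first serial match, which is weaker).
    static X509Certificate findBySerial(KeyStore ks, X500Principal issuer, BigInteger serial)
            throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            boolean issuerOk = issuer == null || issuer.equals(x.getIssuerX500Principal());
            if (issuerOk && serial.equals(x.getSerialNumber())) {
                x.checkValidity(); // throws if expired or not yet valid
                return x;
            }
        }
        return null;
    }

    // Verify a detached signature with the matched certificate's public key.
    static boolean verify(X509Certificate cert, String alg, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance(alg);
        s.initVerify(cert.getPublicKey());
        s.update(data);
        return s.verify(sig);
    }
}
```

`checkValidity()` only checks the date range; whether the certificate chains to a trusted root is a separate step (e.g. `CertPathValidator`), which a pre-provisioned truststore of CA certificates makes implicit only if every entry in it is itself trusted.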