
How to generate self-signed certificate in Java with JDK17


tl;dr: Is there a native Java 17 solution to generate a self-signed certificate, either via the standard library (very unlikely) or some slim, lightweight library?

There is a similar question (Access `sun.security.x509` in JDK 11 without modules?, asked by me), because starting with JDK11 access to internal JDK packages has been limited, so it's not possible to use classes from `sun.security.x509`. Up until JDK17 there was a possibility to circumvent it with a certain compiler configuration flag to open those packages. This changed with JDK17, which removed that option.

From what I was able to gather, current solutions are either:

  1. BouncyCastle - but it's a hefty 5MB Swiss-knife security library, so using it only for generating a certificate seems somewhat wasteful.
  2. calling the keytool Java tool directly, but this has two downsides: calling an external tool is slower and it requires creating a keystore file.

Currently (2) seems more convenient in my use case, but I would love to find a third option - a native, lightweight solution.

EDIT: there is an OpenJDK issue, JDK-8058778: New APIs for creating certificates and certificate requests, and I hope one day it will be implemented...


Solution

  • If anyone is interested, a basic and crude implementation relying on keytool is available here: KeytoolCertificateGenerator.java
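
The keytool route from option 2, sketched as an added example (this is not the linked KeytoolCertificateGenerator.java and not the poster's code): it runs the `keytool` shipped with the current JDK, passes the keystore password through the environment rather than the command line, loads the key and certificate back into memory, and deletes the keystore file. The class name, alias, subject, file names and the `KS_PASS` variable name are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class KeytoolSelfSigned { // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Throwaway keystore password, handed to keytool via the environment
        // (-storepass:env) so it does not appear in the process argument list.
        byte[] raw = new byte[24];
        new SecureRandom().nextBytes(raw);
        String password = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);

        // Private temp directory (created owner-only on POSIX systems).
        Path dir = Files.createTempDirectory("selfsigned");
        Path store = dir.resolve("keystore.p12");
        String keytool = Path.of(System.getProperty("java.home"), "bin", "keytool").toString();
        try {
            // Alias, subject and SAN below are sample values (assumptions).
            ProcessBuilder pb = new ProcessBuilder(keytool, "-genkeypair",
                    "-alias", "selfsigned", "-keyalg", "RSA", "-keysize", "2048",
                    "-validity", "30", "-dname", "CN=localhost",
                    "-ext", "san=dns:localhost",
                    "-storetype", "PKCS12", "-keystore", store.toString(),
                    "-storepass:env", "KS_PASS");
            pb.environment().put("KS_PASS", password);
            pb.redirectErrorStream(true);
            Process p = pb.start();
            String out = new String(p.getInputStream().readAllBytes());
            if (p.waitFor() != 0) throw new IOException("keytool failed: " + out);

            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(store)) {
                ks.load(in, password.toCharArray());
            }
            PrivateKey key = (PrivateKey) ks.getKey("selfsigned", password.toCharArray());
            X509Certificate cert = (X509Certificate) ks.getCertificate("selfsigned");
            cert.verify(cert.getPublicKey()); // throws unless signed by its own key
            System.out.println(cert.getSubjectX500Principal() + ", " + key.getAlgorithm()
                    + ", valid until " + cert.getNotAfter());
        } finally {
            Files.deleteIfExists(store); // remove the on-disk copy of the private key
            Files.deleteIfExists(dir);
        }
    }
}
```

The keystore file is the only place the private key touches disk, which is why it lives in a private temp directory and is removed in the `finally` block even when keytool or the load fails.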