Generating the CSR using BouncyCastle API

Solution 1

With the recent versions of BouncyCastle it is recommended to create the CSR using the org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder class.

You can use this code snippet:

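    // generateKeyPair() stands for your own key-generation helper (not shown in this answer).
    KeyPair pair = generateKeyPair();
    // The builder takes the subject DN and the public key that the CSR will carry.
    PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
        new X500Principal("CN=Requested Test Certificate"), pair.getPublic());
    // The request is signed with the matching private key.
    JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withRSA");
    ContentSigner signer = csBuilder.build(pair.getPrivate());
    PKCS10CertificationRequest csr = p10Builder.build(signer);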

Solution 2

It's really similar to Jcs's answer; it is just a little bit supplemented.

Don't forget to add:

    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

And the CSR generation:

    // 4096-bit RSA key pair from the BouncyCastle ("BC") provider registered above.
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
    keyPairGenerator.initialize(4096);
    KeyPair keyPair = keyPairGenerator.generateKeyPair();

    // Subject DN plus the public key that goes into the request.
    PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
            new X500Principal("OU=Try, C=US"), keyPair.getPublic());

    // Sign the request with the private key.
    JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withRSA");
    ContentSigner signer = csBuilder.build(keyPair.getPrivate());
    PKCS10CertificationRequest csr = p10Builder.build(signer);

    // Write the CSR as PEM; try-with-resources closes the writer even if writing fails.
    try (JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(new FileWriter("cert/test.csr"))) {
        jcaPEMWriter.writeObject(csr);
    }

I think a useful link
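An added example, not part of either answer above: it builds the CSR with the same builder classes, requests a subjectAltName through the PKCS#9 extensionRequest attribute, PEM-encodes it in memory, then parses it back and checks the request's self-signature as the receiving side would. The class name, subject DN and host name are constructed for illustration, and it assumes the bcprov and bcpkix jars are on the classpath.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrExample {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // The private key only signs the request; it is never written into the CSR.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(4096);
        KeyPair keyPair = kpg.generateKeyPair();
        // Constructed subject and host name, for illustration only.
        PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
                new X500Principal("CN=csr-demo.example.test, O=Test Inc, C=US"), keyPair.getPublic());
        // Requested extensions travel in the PKCS#9 extensionRequest attribute.
        ExtensionsGenerator extGen = new ExtensionsGenerator();
        extGen.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, "csr-demo.example.test")));
        p10Builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
        PKCS10CertificationRequest csr = p10Builder.build(
                new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate()));
        // PEM-encode in memory and print, instead of writing a file.
        StringWriter pem = new StringWriter();
        try (JcaPEMWriter writer = new JcaPEMWriter(pem)) {
            writer.writeObject(csr);
        }
        System.out.println(pem);
        // Receiver side: parse the PEM and verify the signature against the embedded public key.
        try (PEMParser parser = new PEMParser(new StringReader(pem.toString()))) {
            PKCS10CertificationRequest parsed = (PKCS10CertificationRequest) parser.readObject();
            boolean valid = parsed.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().build(parsed.getSubjectPublicKeyInfo()));
            System.out.println("subject=" + parsed.getSubject() + " signatureValid=" + valid);
        }
    }
}
```

A valid signature here only proves that the requester holds the private key for the public key in the CSR; the subject and requested extensions still have to be validated by whoever issues the certificate.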

Author: Fox

Updated on June 06, 2022

Comments

  • Fox
    Fox almost 2 years

    I am new to the security side of Java and stumbled across this library called BouncyCastle. But the examples that they provide and the ones out on the internet ask to use

    return new PKCS10CertificationRequest("SHA256withRSA", new X500Principal(
        "CN=Requested Test Certificate"), pair.getPublic(), null, pair.getPrivate());
    

    But when I use PKCS10CertificationRequest, it looks like it is deprecated. So I started looking at another method where I use the CertificationRequest class. But I am really confused: the constructor does not take the same parameters; instead it takes a CertificationRequestInfo class, which I am not sure how to fill up.

    CertificationRequest request = new CertificationRequest(...);
    

    It would be awesome if someone could help me figure out how to make a CSR so that I can send it to the server for getting it signed.

  • Fox
    Fox over 10 years
    Thanks .. How do I print the CSR?
  • Fox
    Fox over 10 years
    I got it .. did it with the help of PEMWriter class .. Thanks for the help.
  • Tim Mattison
    Tim Mattison about 8 years
    For new code I'd suggest using JcaPEMWriter instead of PEMWriter. Same interface but PEMWriter is now deprecated.
  • codenamezero
    codenamezero almost 7 years
    How can this be done with a smartcard? Since the private key is on the card itself?
  • Jcs
    Jcs almost 7 years
    In that case the signature of the PKCS#10 request is performed by the smartcard.
  • Vikram Singh Shekhawat
    Vikram Singh Shekhawat about 4 years
    @Jcs how can I pass the other information in CSR generation, like organisation unit, location, state, country, validity, etc.?
  • Jcs
    Jcs about 4 years
    @VikramSinghShekhawat you can add this information in the X500Principal. For instance: new X500Principal("CN=Requested Test Certificate, O=Test Inc, C=US")
  • user1053510
    user1053510 about 3 years
    For those looking for a maven/gradle package containing these classes: mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15to18