Java Question

Certificate enrollment process

I am looking for the procedure to enroll a certificate.

I have searched a lot but didn't find a good answer. So far I understand that first I have to generate a key store (for creating a public key and a private key); then the private key should be kept private and the public key is sent with other information (like name, organization) to the CA. Then the CA will generate something and give it back to me, containing the public key and the information.

That is what I have so far, but what does the CA generate? What is a P12 file, and what does a .cer file contain?

Can anyone help me with this question? I am really feeling helpless.
Thanks in advance.

Answer Source

The general procedure to issue certificates in a Public Key Infrastructure is more or less the following.

1) The client generates a key pair, private and public

2) The client generates a CSR (Certificate Signing Request) including attributes like Common Name and the public key, signs it with the private key and sends it to the server

3) The server builds the X509 certificate with the CSR data, signs it with the CA private key and returns the X509 certificate to the client

4) The client stores the private key and the certificate in a KeyStore

What CA generate?

The x509 certificate

What is P12 file

A file in PKCS#12 format (.pfx, .p12) containing a key store

what is .cer file contain

The public part of the certificate (not the private key) in DER or PEM format

EDITED - CSR generation on Android

Gradle dependencies

compile 'com.madgag.spongycastle:core:'
compile 'com.madgag.spongycastle:pkix:'

Generate KeyPair and CSR

//Generate KeyPair
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(KEY_SIZE, new SecureRandom());
KeyPair keyPair = keyGen.generateKeyPair();

//Generate CSR in PKCS#10 format encoded in DER
PKCS10CertificationRequest csr = CsrHelper.generateCSR(keyPair, commonname);
byte[] CSRder = csr.getEncoded();


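import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.HashMap;
import java.util.Map;

import org.spongycastle.asn1.ASN1ObjectIdentifier;
import org.spongycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.asn1.x509.AlgorithmIdentifier;
import org.spongycastle.asn1.x509.BasicConstraints;
import org.spongycastle.asn1.x509.Extension;
import org.spongycastle.asn1.x509.ExtensionsGenerator;
import org.spongycastle.operator.ContentSigner;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.pkcs.PKCS10CertificationRequest;
import org.spongycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.spongycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrHelper {

  private final static String DEFAULT_SIGNATURE_ALGORITHM = "SHA256withRSA";
  private final static String CN_PATTERN = "CN=%s, O=Aralink, OU=OrgUnit";

  // ContentSigner backed by a JCA Signature: buffers the data to sign, then signs it
  private static class JCESigner implements ContentSigner {

        // Signature algorithm name (lower case) -> ASN.1 algorithm identifier
        private static Map<String, AlgorithmIdentifier> ALGOS = new HashMap<String, AlgorithmIdentifier>();

        static {
            ALGOS.put("SHA256withRSA".toLowerCase(), new AlgorithmIdentifier(
                    new ASN1ObjectIdentifier("1.2.840.113549.1.1.11")));
            ALGOS.put("SHA1withRSA".toLowerCase(), new AlgorithmIdentifier(
                    new ASN1ObjectIdentifier("1.2.840.113549.1.1.5")));
        }

        private String mAlgo;
        private Signature signature;
        private ByteArrayOutputStream outputStream;

        public JCESigner(PrivateKey privateKey, String sigAlgo) {
            //Utils.throwIfNull(privateKey, sigAlgo);
            mAlgo = sigAlgo.toLowerCase();
            try {
                this.outputStream = new ByteArrayOutputStream();
                this.signature = Signature.getInstance(sigAlgo);
                // The Signature must be initialised with the private key before it can sign
                this.signature.initSign(privateKey);
            } catch (GeneralSecurityException gse) {
                throw new IllegalArgumentException(gse.getMessage());
            }
        }

        @Override
        public AlgorithmIdentifier getAlgorithmIdentifier() {
            AlgorithmIdentifier id = ALGOS.get(mAlgo);
            if (id == null) {
                throw new IllegalArgumentException("Does not support algo: " + mAlgo);
            }
            return id;
        }

        @Override
        public OutputStream getOutputStream() {
            return outputStream;
        }

        @Override
        public byte[] getSignature() {
            try {
                // Sign the bytes the CSR builder wrote to the output stream
                signature.update(outputStream.toByteArray());
                return signature.sign();
            } catch (GeneralSecurityException gse) {
                return null;
            }
        }
  }

//Create the certificate signing request (CSR) from private and public keys
public static PKCS10CertificationRequest generateCSR(KeyPair keyPair, String cn) throws IOException,
            OperatorCreationException {
        String principal = String.format(CN_PATTERN, cn);

        ContentSigner signer = new JCESigner (keyPair.getPrivate(),DEFAULT_SIGNATURE_ALGORITHM);

        PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(
                new X500Name(principal), keyPair.getPublic());
        ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
        // The BasicConstraints argument is cut off in the source; false (not a CA) is assumed here
        extensionsGenerator.addExtension(Extension.basicConstraints, true, new BasicConstraints(
                false));
        // Attach the requested extensions to the CSR, otherwise the generator's output is unused
        csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,
                extensionsGenerator.generate());
        PKCS10CertificationRequest csr = csrBuilder.build(signer);

        return csr;
}
}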
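
Steps 3 and 4 of the procedure above, together with the P12 versus .cer distinction, as an added example that is not part of the original answer. The class name EnrollmentSketch, the methods issue and store, the alias "client", the one-year validity and the output file names are assumptions; the Spongy Castle packages are the ones from the Gradle dependencies above.

```java
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.spongycastle.asn1.x509.BasicConstraints;
import org.spongycastle.asn1.x509.Extension;
import org.spongycastle.cert.jcajce.*;
import org.spongycastle.operator.jcajce.*;
import org.spongycastle.pkcs.PKCS10CertificationRequest;
import org.spongycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;

// Hypothetical helper class: names, alias, validity and file names are assumptions.
public class EnrollmentSketch {
    // Step 3 (CA side): check the CSR's self-signature, then sign an end-entity certificate.
    static X509Certificate issue(PKCS10CertificationRequest csr, X509Certificate caCert,
                                 PrivateKey caKey) throws Exception {
        // Proof of possession: the CSR must verify under the public key it carries.
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder()
                .build(csr.getSubjectPublicKeyInfo()))) {
            throw new SecurityException("CSR signature invalid");
        }
        PublicKey subjectKey = new JcaPKCS10CertificationRequest(csr).getPublicKey();
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                caCert, new BigInteger(128, new SecureRandom()), notBefore, notAfter,
                csr.getSubject(), subjectKey);
        // The CA sets the extensions itself instead of copying them from the CSR.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        return new JcaX509CertificateConverter().getCertificate(
                builder.build(new JcaContentSignerBuilder("SHA256withRSA").build(caKey)));
    }

    // Step 4 (client side): the .p12 holds private key + chain, the .cer only the certificate.
    static void store(PrivateKey clientKey, X509Certificate cert, X509Certificate caCert,
                      char[] password) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null); // start from an empty key store
        p12.setKeyEntry("client", clientKey, password, new Certificate[] {cert, caCert});
        try (FileOutputStream out = new FileOutputStream("client.p12")) {
            p12.store(out, password);
        }
        try (FileOutputStream out = new FileOutputStream("client.cer")) {
            out.write(cert.getEncoded()); // DER-encoded certificate, no private key
        }
    }
}
```

On a plain JVM the same classes are available in Bouncy Castle under org.bouncycastle instead of org.spongycastle.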