public abstract class X509Certificate extends Certificate implements X509Extension
Abstract class for X.509 certificates. This provides a standard way to access all the attributes of an X.509 certificate.
In June of 1996, the basic X.509 v3 format was completed by ISO/IEC and ANSI X9, which is described below in ASN.1:
```asn1
Certificate ::= SEQUENCE {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signature            BIT STRING
}
```
These certificates are widely used to support authentication and other functionality in Internet security systems. Common applications include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), code signing for trusted software distribution, and Secure Electronic Transactions (SET).
These certificates are managed and vouched for by Certificate Authorities (CAs). CAs are services which create certificates by placing data in the X.509 standard format and then digitally signing that data. CAs act as trusted third parties, making introductions between principals who have no direct knowledge of each other. CA certificates are either signed by themselves, or by some other CA such as a "root" CA.
More information can be found in RFC 3280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile.
The ASN.1 definition of tbsCertificate is:

```asn1
TBSCertificate ::= SEQUENCE {
    version              [0] EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID       [1] IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version must be v2 or v3
    subjectUniqueID      [2] IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version must be v2 or v3
    extensions           [3] EXPLICIT Extensions OPTIONAL
                         -- If present, version must be v3
}
```
Certificates are instantiated using a certificate factory. The following is an example of how to instantiate an X.509 certificate:
```java
import java.io.*;                 // FileInputStream, InputStream
import java.security.cert.*;      // CertificateFactory, X509Certificate

// generateCertificate throws CertificateException; the stream throws IOException
try (InputStream inStream = new FileInputStream("fileName-of-cert")) {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
}
```
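The following program is an added example, not part of the JDK or of this class's documentation. It makes the Certificate and TBSCertificate structures above concrete by hand-encoding a minimal self-signed v3 certificate in DER (explicit-tagged version, INTEGER serial, AlgorithmIdentifier, a one-attribute Name, a UTCTime Validity, and the SubjectPublicKeyInfo that the JDK already emits for an RSA public key), signing exactly the tbsCertificate bytes, and then instantiating the result through `CertificateFactory` as the paragraph above describes. The serial number 42, the common name "Example CA", the validity dates and the 2048-bit RSA key are constructed values chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class MinimalX509Builder {

    /** Encodes one DER TLV: tag, length (short or long form), value. */
    static byte[] tlv(int tag, byte[] content) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        int len = content.length;
        if (len < 0x80) {
            out.write(len);
        } else if (len < 0x100) {
            out.write(0x81); out.write(len);
        } else {
            out.write(0x82); out.write(len >> 8); out.write(len & 0xFF);
        }
        out.write(content, 0, len);
        return out.toByteArray();
    }

    static byte[] concat(byte[]... parts) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (byte[] p : parts) out.write(p, 0, p.length);
        return out.toByteArray();
    }

    static byte[] sequence(byte[]... parts) { return tlv(0x30, concat(parts)); }
    static byte[] set(byte[]... parts)      { return tlv(0x31, concat(parts)); }
    /** BigInteger.toByteArray() is minimal two's complement, which is exactly DER INTEGER content. */
    static byte[] integer(BigInteger v)     { return tlv(0x02, v.toByteArray()); }

    /** AlgorithmIdentifier { sha256WithRSAEncryption (1.2.840.113549.1.1.11), NULL } */
    static final byte[] SHA256_WITH_RSA = sequence(
            tlv(0x06, new byte[]{0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0x0D, 0x01, 0x01, 0x0B}),
            tlv(0x05, new byte[0]));

    /** Name ::= SEQUENCE OF RelativeDistinguishedName; here a single CN (2.5.4.3) as PrintableString. */
    static byte[] commonName(String cn) {
        byte[] attr = sequence(
                tlv(0x06, new byte[]{0x55, 0x04, 0x03}),
                tlv(0x13, cn.getBytes(StandardCharsets.US_ASCII)));
        return sequence(set(attr));
    }

    /** UTCTime in the YYMMDDhhmmssZ form (the utcTime branch of CertificateValidityDate). */
    static byte[] utcTime(String yymmddhhmmssZ) {
        return tlv(0x17, yymmddhhmmssZ.getBytes(StandardCharsets.US_ASCII));
    }

    /** Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature } for a self-signed v3 cert. */
    static byte[] buildSelfSigned(KeyPair kp, String cn, String notBefore, String notAfter) throws Exception {
        byte[] tbs = sequence(
                tlv(0xA0, integer(BigInteger.valueOf(2))),       // version [0] EXPLICIT, v3 = 2
                integer(BigInteger.valueOf(42)),                 // serialNumber (constructed value)
                SHA256_WITH_RSA,                                 // signature AlgorithmIdentifier
                commonName(cn),                                  // issuer
                sequence(utcTime(notBefore), utcTime(notAfter)), // validity
                commonName(cn),                                  // subject (same as issuer: self-issued)
                kp.getPublic().getEncoded());                    // subjectPublicKeyInfo, already DER
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(kp.getPrivate());
        sig.update(tbs);                                         // the signature covers the tbsCertificate bytes only
        byte[] sigBits = concat(new byte[]{0x00}, sig.sign());  // BIT STRING: 0 unused bits, then the signature
        return sequence(tbs, SHA256_WITH_RSA, tlv(0x03, sigBits)); // outer and inner AlgorithmIdentifier must match
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] der = buildSelfSigned(kp, "Example CA", "200101000000Z", "491231235959Z");

        // Instantiate through the factory, as the class documentation shows for a file stream
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        cert.verify(kp.getPublic());   // throws SignatureException if the tbsCertificate was altered
        cert.checkValidity();          // throws if "now" is outside notBefore..notAfter
        System.out.println("subject = " + cert.getSubjectX500Principal().getName());
        System.out.println("issuer  = " + cert.getIssuerX500Principal().getName());
        System.out.println("DER length " + der.length + ", getEncoded() length " + cert.getEncoded().length);
    }
}
```

Compile and run with `javac MinimalX509Builder.java && java MinimalX509Builder`. Flipping any byte inside the encoded tbsCertificate before parsing makes `verify` fail while `generateCertificate` still succeeds, which is the practical reason a parsed certificate is never trusted until its signature has been checked against a key you already trust.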
See Also: Certificate, CertificateFactory, X509Extension, Serialized Form

Modifier | Constructor and Description |
---|---|
protected | X509Certificate() Constructor for X.509 certificates. |
Modifier and Type | Method and Description |
---|---|
abstract void | checkValidity() Checks that the certificate is currently valid. |
X500Principal | getIssuerX500Principal() Returns the issuer (issuer distinguished name) value from the certificate as an X500Principal. |
X500Principal | getSubjectX500Principal() Returns the subject (subject distinguished name) value from the certificate as an X500Principal. |

Methods inherited from class java.security.cert.Certificate: equals, getEncoded, getPublicKey, getType, hashCode, toString, verify, verify
public abstract void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException
Checks that the certificate is currently valid. The validity period consists of two date/time values: the first and last dates (and times) on which the certificate is valid. It is defined in ASN.1 as:

```asn1
validity             Validity

Validity ::= SEQUENCE {
    notBefore      CertificateValidityDate,
    notAfter       CertificateValidityDate
}

CertificateValidityDate ::= CHOICE {
    utcTime        UTCTime,
    generalTime    GeneralizedTime
}
```

Throws:
CertificateExpiredException - if the certificate has expired.
CertificateNotYetValidException - if the certificate is not yet valid.

@Nullable public X500Principal getIssuerX500Principal()

Returns the issuer (issuer distinguished name) value from the certificate as an X500Principal.

It is recommended that subclasses override this method.

Returns:
an X500Principal representing the issuer distinguished name

@Nullable public X500Principal getSubjectX500Principal()

Returns the subject (subject distinguished name) value from the certificate as an X500Principal. If the subject value is empty, then the getName() method of the returned X500Principal object returns an empty string ("").

It is recommended that subclasses override this method.

Returns:
an X500Principal representing the subject distinguished name
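The following program is an added example, not part of the JDK documentation, showing the three methods detailed above in use. It audits the JVM's default trust store (obtained through `TrustManagerFactory` initialised with a null `KeyStore`, which is assumed to be present and readable) rather than a file, so it runs offline: for each anchor it maps the two `checkValidity()` exceptions to a status, compares the issuer and subject `X500Principal` values and confirms a self-issued anchor is actually self-signed with `verify()`, and renders an empty subject explicitly, since `getName()` returns "" in that case. Note that `checkValidity()` only compares the current time against notBefore/notAfter; it says nothing about chain building or revocation, which is why the signature check is done separately.

```java
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

public class TrustAnchorAudit {

    /** Outcome of checkValidity(): it compares "now" against notBefore/notAfter and nothing else. */
    static String validityStatus(X509Certificate cert) {
        try {
            cert.checkValidity();
            return "VALID";
        } catch (CertificateExpiredException e) {
            return "EXPIRED";
        } catch (CertificateNotYetValidException e) {
            return "NOT_YET_VALID";
        }
    }

    /** Self-issued means issuer DN equals subject DN; self-signed additionally means the cert's own key verifies it. */
    static boolean isSelfSigned(X509Certificate cert) {
        X500Principal issuer = cert.getIssuerX500Principal();
        X500Principal subject = cert.getSubjectX500Principal();
        if (issuer == null || !issuer.equals(subject)) return false;
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {          // bad signature, unsupported algorithm or key type
            return false;
        }
    }

    /** getName() is "" for an empty subject; show that case explicitly instead of printing a blank. */
    static String dn(X500Principal p) {
        if (p == null) return "<absent>";
        String name = p.getName(X500Principal.RFC2253);
        return name.isEmpty() ? "<empty>" : name;
    }

    /** The anchors the platform would accept as issuers (assumes a readable default trust store). */
    static X509Certificate[] systemTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);       // null selects the JVM's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        int expired = 0;
        for (X509Certificate cert : systemTrustAnchors()) {
            String status = validityStatus(cert);
            if (!"VALID".equals(status)) expired++;
            System.out.printf("%-14s selfSigned=%-5b subject=%s%n",
                    status, isSelfSigned(cert), dn(cert.getSubjectX500Principal()));
        }
        System.out.println("anchors outside their validity window: " + expired);
    }
}
```

An anchor reported as EXPIRED or as not self-signed is worth a look: an expired root still in the store will fail path validation for every chain that ends in it, and a root whose own signature does not verify usually points at a corrupted or mis-imported entry.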