Class X509Certificate

  • All Implemented Interfaces:
    java.io.Serializable, X509Extension

    public abstract class X509Certificate
    extends Certificate
    implements X509Extension

    Abstract class for X.509 certificates. This provides a standard way to access all the attributes of an X.509 certificate.

    In June of 1996, the basic X.509 v3 format was completed by ISO/IEC and ANSI X9, which is described below in ASN.1:

     Certificate  ::=  SEQUENCE  {
         tbsCertificate       TBSCertificate,
         signatureAlgorithm   AlgorithmIdentifier,
         signature            BIT STRING  }
     

    These certificates are widely used to support authentication and other functionality in Internet security systems. Common applications include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), code signing for trusted software distribution, and Secure Electronic Transactions (SET).

    These certificates are managed and vouched for by Certificate Authorities (CAs). CAs are services which create certificates by placing data in the X.509 standard format and then digitally signing that data. CAs act as trusted third parties, making introductions between principals who have no direct knowledge of each other. CA certificates are either signed by themselves, or by some other CA such as a "root" CA.

    More information can be found in RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile.

    The ASN.1 definition of tbsCertificate is:

     TBSCertificate  ::=  SEQUENCE  {
         version         [0]  EXPLICIT Version DEFAULT v1,
         serialNumber         CertificateSerialNumber,
         signature            AlgorithmIdentifier,
         issuer               Name,
         validity             Validity,
         subject              Name,
         subjectPublicKeyInfo SubjectPublicKeyInfo,
         issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                              -- If present, version must be v2 or v3
         subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                              -- If present, version must be v2 or v3
         extensions      [3]  EXPLICIT Extensions OPTIONAL
                              -- If present, version must be v3
         }
     

    Certificates are instantiated using a certificate factory. The following is an example of how to instantiate an X.509 certificate:

     try (InputStream inStream = new FileInputStream("fileName-of-cert")) {
         CertificateFactory cf = CertificateFactory.getInstance("X.509");
         X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
     }
     
    See Also:
    Certificate, CertificateFactory, X509Extension, Serialized Form
    • Constructor Detail

      • X509Certificate

        protected X509Certificate()
        Constructor for X.509 certificates.
    • Method Detail

      • checkValidity

        public abstract void checkValidity()
                                    throws CertificateExpiredException,
                                           CertificateNotYetValidException
        Checks that the certificate is currently valid. It is if the current date and time are within the validity period given in the certificate.

        The validity period consists of two date/time values: the first and last dates (and times) on which the certificate is valid. It is defined in ASN.1 as:

         validity             Validity
        
         Validity ::= SEQUENCE {
             notBefore      CertificateValidityDate,
             notAfter       CertificateValidityDate }
        
         CertificateValidityDate ::= CHOICE {
             utcTime        UTCTime,
             generalTime    GeneralizedTime }
         
        Throws:
        CertificateExpiredException - if the certificate has expired.
        CertificateNotYetValidException - if the certificate is not yet valid.
      • getIssuerX500Principal

        public X500Principal getIssuerX500Principal()
        Returns the issuer (issuer distinguished name) value from the certificate as an X500Principal.

        It is recommended that subclasses override this method.

        Returns:
        an X500Principal representing the issuer distinguished name
        Since:
        1.4
      • getSubjectX500Principal

        public X500Principal getSubjectX500Principal()
        Returns the subject (subject distinguished name) value from the certificate as an X500Principal. If the subject value is empty, then the getName() method of the returned X500Principal object returns an empty string ("").

        It is recommended that subclasses override this method.

        Returns:
        an X500Principal representing the subject distinguished name
        Since:
        1.4