X509Certificate

public abstract class X509Certificate extends Certificate implements X509Extension

Abstract class for X.509 certificates. This provides a standard way to access all the attributes of an X.509 certificate.

In June of 1996, the basic X.509 v3 format was completed by ISO/IEC and ANSI X9, which is described below in ASN.1:

 Certificate  ::=  SEQUENCE  {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }

These certificates are widely used to support authentication and other functionality in Internet security systems. Common applications include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL), code signing for trusted software distribution, and Secure Electronic Transactions (SET).

These certificates are managed and vouched for by Certificate Authorities (CAs). CAs are services which create certificates by placing data in the X.509 standard format and then digitally signing that data. CAs act as trusted third parties, making introductions between principals who have no direct knowledge of each other. CA certificates are either signed by themselves, or by some other CA such as a "root" CA.

More information can be found in RFC 3280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile.

The ASN.1 definition of tbsCertificate is:

 TBSCertificate  ::=  SEQUENCE  {
     version         [0]  EXPLICIT Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version must be v2 or v3
     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version must be v2 or v3
     extensions      [3]  EXPLICIT Extensions OPTIONAL
                          -- If present, version must be v3
     }
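The listing above is the structure the X509Certificate getters expose. The following is an added example, not code from the JDK or its documentation: it prints each TBSCertificate member through the corresponding getter, in ASN.1 order, and then re-checks the outer signature the way Certificate.verify(PublicKey) does, with java.security.Signature over the DER bytes returned by getTBSCertificate(). The certificate file path and the optional issuer file are command-line arguments (assumed); with no issuer file the example assumes a self-signed certificate and uses the certificate's own key.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Added example (not JDK code): maps the TBSCertificate fields onto the
 * X509Certificate getters and re-verifies signatureValue over tbsCertificate.
 */
public class TbsInspector {

    /** Loads one DER- or PEM-encoded X.509 certificate from a file (path is an assumption). */
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Prints the TBSCertificate members in the order of the ASN.1 definition. */
    static void printTbsFields(X509Certificate cert) {
        System.out.println("version              : v" + cert.getVersion());
        System.out.println("serialNumber         : " + cert.getSerialNumber().toString(16));
        System.out.println("signature (inner alg): " + cert.getSigAlgOID() + " / " + cert.getSigAlgName());
        System.out.println("issuer               : " + cert.getIssuerX500Principal().getName());
        System.out.println("validity.notBefore   : " + cert.getNotBefore());
        System.out.println("validity.notAfter    : " + cert.getNotAfter());
        System.out.println("subject              : " + cert.getSubjectX500Principal().getName());
        System.out.println("subjectPublicKeyInfo : " + cert.getPublicKey().getAlgorithm()
                + ", " + cert.getPublicKey().getEncoded().length + " bytes DER");
        // issuerUniqueID / subjectUniqueID are v2 fields; both getters return null when absent.
        System.out.println("issuerUniqueID       : " + (cert.getIssuerUniqueID() == null ? "absent" : "present"));
        System.out.println("subjectUniqueID      : " + (cert.getSubjectUniqueID() == null ? "absent" : "present"));
        // Extension OIDs come from the X509Extension interface this class implements.
        System.out.println("extensions (critical): " + cert.getCriticalExtensionOIDs());
        System.out.println("extensions (other)   : " + cert.getNonCriticalExtensionOIDs());
    }

    /**
     * Re-verifies signatureValue over the DER-encoded tbsCertificate with the issuer's
     * public key. Spelling it out shows exactly which bytes the signature covers.
     * Algorithms that carry parameters (RSASSA-PSS) would need sig.setParameter(...)
     * built from getSigAlgParams(); for those this method defers to cert.verify(key).
     */
    static boolean verifyOverTbs(X509Certificate cert, PublicKey issuerKey) throws Exception {
        if (cert.getSigAlgParams() != null) {
            cert.verify(issuerKey);   // throws SignatureException if the signature is bad
            return true;
        }
        Signature sig = Signature.getInstance(cert.getSigAlgName());
        sig.initVerify(issuerKey);
        sig.update(cert.getTBSCertificate());   // DER bytes of TBSCertificate only
        return sig.verify(cert.getSignature()); // raw contents of the signature BIT STRING
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: TbsInspector <cert-file> [<issuer-cert-file>]");
            return;
        }
        X509Certificate cert = load(args[0]);
        // No issuer file given: assume a self-signed certificate, i.e. signed with its own key.
        PublicKey issuerKey = args.length > 1 ? load(args[1]).getPublicKey() : cert.getPublicKey();
        printTbsFields(cert);
        System.out.println("signature valid      : " + verifyOverTbs(cert, issuerKey));
    }
}
```

A true result from verifyOverTbs only establishes that the supplied key signed these TBS bytes; whether that key belongs to a trusted issuer, and whether the validity period and extensions permit the intended use, are separate checks.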

Certificates are instantiated using a certificate factory. The following is an example of how to instantiate an X.509 certificate:

 import java.io.FileInputStream;
 import java.io.InputStream;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;

 try (InputStream inStream = new FileInputStream("fileName-of-cert")) {
     CertificateFactory cf = CertificateFactory.getInstance("X.509");
     // generateCertificate returns java.security.cert.Certificate, hence the cast; it throws CertificateException on malformed input
     X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
 }

Protected Constructor Summary

X509Certificate()
Constructor for X.509 certificates.

Public Method Summary

abstract void checkValidity()
    Checks that the certificate is currently valid.
abstract void checkValidity(Date date)
    Checks that the given date is within the certificate's validity period.
abstract int getBasicConstraints()
    Gets the certificate constraints path length from the critical BasicConstraints extension (OID = 2.5.29.19).
List<String> getExtendedKeyUsage()
    Gets an unmodifiable list of Strings representing the OBJECT IDENTIFIERs of the ExtKeyUsageSyntax field of the extended key usage extension (OID = 2.5.29.37).
Collection<List<?>> getIssuerAlternativeNames()
    Gets an immutable collection of issuer alternative names from the IssuerAltName extension (OID = 2.5.29.18).
abstract Principal getIssuerDN()
    Denigrated, replaced by getIssuerX500Principal().
abstract boolean[] getIssuerUniqueID()
    Gets the issuerUniqueID value from the certificate.
X500Principal getIssuerX500Principal()
    Returns the issuer (issuer distinguished name) value from the certificate as an X500Principal.
abstract boolean[] getKeyUsage()
    Gets a boolean array representing bits of the KeyUsage extension (OID = 2.5.29.15).
abstract Date getNotAfter()
    Gets the notAfter date from the validity period of the certificate.
abstract Date getNotBefore()
    Gets the notBefore date from the validity period of the certificate.
abstract BigInteger getSerialNumber()
    Gets the serialNumber value from the certificate.
abstract String getSigAlgName()
    Gets the signature algorithm name for the certificate signature algorithm.
abstract String getSigAlgOID()
    Gets the signature algorithm OID string from the certificate.
abstract byte[] getSigAlgParams()
    Gets the DER-encoded signature algorithm parameters from this certificate's signature algorithm.
abstract byte[] getSignature()
    Gets the signature value (the raw signature bits) from the certificate.
Collection<List<?>> getSubjectAlternativeNames()
    Gets an immutable collection of subject alternative names from the SubjectAltName extension (OID = 2.5.29.17).
abstract Principal getSubjectDN()
    Denigrated, replaced by getSubjectX500Principal().
abstract boolean[] getSubjectUniqueID()
    Gets the subjectUniqueID value from the certificate.
X500Principal getSubjectX500Principal()
    Returns the subject (subject distinguished name) value from the certificate as an X500Principal.
abstract byte[] getTBSCertificate()
    Gets the DER-encoded certificate information, the tbsCertificate, from this certificate.
abstract int getVersion()
    Gets the version (version number) value from the certificate.
void verify(PublicKey key, Provider sigProvider)
    Verifies that this certificate was signed using the private key that corresponds to the specified public key.
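The methods listed above are the ones a relying party combines when deciding whether to accept a certificate for a given use; a valid signature alone says nothing about the validity period, the CA flag, key usage or the name the certificate is bound to. The following added example (not JDK code) audits a TLS server certificate with these methods: it calls verify against the issuer's key, checkValidity, getBasicConstraints, getKeyUsage, getExtendedKeyUsage and getSubjectAlternativeNames, and rejects unsupported critical extensions as RFC 5280 requires. The serverAuth OID, the KeyUsage bit positions, the GeneralName tag for dNSName and the wildcard rule are the example's own assumptions, as are the file-path and hostname arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Added example (not JDK code): profile checks for a TLS server (leaf) certificate
 * built only from the X509Certificate methods; constants below are the example's assumptions.
 */
public class CertProfileCheck {

    static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";      // id-kp-serverAuth
    static final int KU_DIGITAL_SIGNATURE = 0, KU_KEY_CERT_SIGN = 5; // KeyUsage bit positions
    static final int GN_DNS_NAME = 2;                                // GeneralName CHOICE tag for dNSName

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Exact match, or a single-label wildcard: "*.example.org" matches "www.example.org" only. */
    static boolean dnsNameMatches(String sanName, String hostName) {
        String san = sanName.toLowerCase();
        String host = hostName.toLowerCase();
        if (!san.startsWith("*.")) return san.equals(host);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot + 1).equals(san.substring(2));
    }

    /** Returns the findings for a leaf certificate; an empty list means every check passed. */
    static List<String> auditLeaf(X509Certificate leaf, PublicKey issuerKey, String host) throws Exception {
        List<String> findings = new ArrayList<>();
        try {
            leaf.verify(issuerKey);                 // signature over tbsCertificate
        } catch (Exception e) {
            findings.add("signature does not verify with the supplied issuer key: " + e);
        }
        try {
            leaf.checkValidity();                   // current time within [notBefore, notAfter]
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            findings.add("outside validity period: " + e.getMessage());
        }
        // getBasicConstraints() returns -1 unless cA=TRUE; a leaf must never be a CA.
        if (leaf.getBasicConstraints() != -1) {
            findings.add("leaf certificate carries BasicConstraints cA=TRUE");
        }
        boolean[] ku = leaf.getKeyUsage();          // null when the extension is absent
        if (ku != null && ku[KU_KEY_CERT_SIGN]) {
            findings.add("leaf certificate asserts keyCertSign");
        }
        if (ku != null && !ku[KU_DIGITAL_SIGNATURE]) {
            findings.add("KeyUsage present but digitalSignature not set (required for TLS 1.3 CertificateVerify)");
        }
        List<String> eku = leaf.getExtendedKeyUsage(); // null when the extension is absent
        if (eku != null && !eku.contains(EKU_SERVER_AUTH)) {
            findings.add("ExtendedKeyUsage present but does not include serverAuth");
        }
        // The hostname binding lives in SAN dNSName entries, not in the subject DN.
        boolean hostMatched = false;
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {              // each entry is [Integer nameType, Object value]
                if ((Integer) san.get(0) == GN_DNS_NAME && dnsNameMatches((String) san.get(1), host)) {
                    hostMatched = true;
                }
            }
        }
        if (!hostMatched) findings.add("no SAN dNSName matches " + host);
        // RFC 5280: a certificate with a critical extension the verifier cannot process must be rejected.
        if (leaf.hasUnsupportedCriticalExtension()) {
            findings.add("unsupported critical extension(s): " + leaf.getCriticalExtensionOIDs());
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: CertProfileCheck <leaf-cert> <issuer-cert> <hostname>");
            return;
        }
        List<String> findings = auditLeaf(load(args[0]), load(args[1]).getPublicKey(), args[2]);
        if (findings.isEmpty()) System.out.println("OK: all checks passed");
        else findings.forEach(f -> System.out.println("FAIL: " + f));
    }
}
```

The audit deliberately reports every finding rather than stopping at the first, which makes it useful as a diagnostic over a batch of certificates. It does not replace path building and revocation checking (CertPathValidator, CRLs, OCSP), which apply to the issuer chain rather than to the single certificate inspected here.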

Inherited Method Summary