Extract certificate chain information from signed X509 certificate (CSR response) in Android / BouncyCastle
12-12-2019
Question
Am I able to extract certificate chain information from a CA-signed X509 client certificate using Android or BouncyCastle libs?
I have an Android client that receives a CA-signed X509 certificate from a trusted server. I want to save the signed client certificate and my private key to a PKCS12 (.p12) file. I am currently doing this by creating a `KeyStore` object and adding the certificate and private key. When I add the client `PrivateKey` with the `KeyStore.setKeyEntry()` method, a `Certificate[] chain` is the last argument, which currently only contains the client certificate. Will this prevent my certificate from being verifiable because I don't have the CA certificate in the `Certificate[] chain`? And if yes, is it possible to populate a certificate chain with information extracted from the signed `X509Certificate`?
Most examples seem to load the CA chain from a PEM file, BKS trust store, or already have access to a list of certificates.
Here is what I have:
```java
import android.content.Context;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

// Assumes the BouncyCastle provider ("BC") has been registered with java.security.Security.
void saveClientCredentials(Context context,
                           X509Certificate cert,   // signed client cert
                           PrivateKey pkey,        // client private key
                           String password) throws Exception {
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");
    store.load(null, null);
    // adding the signed cert
    store.setCertificateEntry("Client certificate", cert);
    // creating the cert chain
    X509Certificate[] chain = new X509Certificate[1];
    chain[0] = cert;
    // add rest of the certs in the chain here
    // adding the private key
    store.setKeyEntry("Client private key", pkey, password.toCharArray(), chain);
    FileOutputStream fos = context.openFileOutput("clientCredentials.p12", Context.MODE_PRIVATE);
    store.store(fos, password.toCharArray());
    fos.flush();
    fos.close();
}
```
Thanks in advance!
Solution
The CA certificate(s) are not included in your signed certificate. You have to get them from somewhere (pre-install, download from trusted server, etc.). As for not installing the full chain, if the verifier already has access to necessary CA certificates, they can always verify your end entity certificate. How do you intend to use your key and certificate?
BTW, your call to `setCertificateEntry()` creates a trusted certificate entry which is probably not what you want with an end entity certificate.
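As an added example (not part of the original question or answer), the following builds the PKCS12 the way the answer suggests: the issuing CA certificate is loaded from a PEM that the app ships or downloads separately, the client certificate is checked against it before it is trusted as part of the chain, and only a single key entry with the full chain is written. Class, method names and the `"client"` alias are assumptions; the default PKCS12 provider is used rather than "BC".

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public final class ClientCredentialStore {

    // The CA certificate is NOT embedded in the signed client certificate, so it is
    // read from a PEM provisioned separately (assumed: an asset or a trusted download).
    static X509Certificate loadCaCert(InputStream pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(pem);
    }

    // Builds a PKCS12 store holding one key entry whose chain is [client cert, CA cert].
    // No separate trusted-certificate entry is created for the end entity certificate.
    static KeyStore buildKeyStore(PrivateKey pkey, X509Certificate clientCert,
                                  X509Certificate caCert, char[] password) throws Exception {
        // Sanity checks: the CA must actually be the issuer, the signature must verify,
        // and the client certificate must be within its validity period.
        if (!clientCert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())) {
            throw new IllegalArgumentException("CA certificate did not issue the client certificate");
        }
        clientCert.verify(caCert.getPublicKey());   // throws on signature mismatch
        clientCert.checkValidity();                 // throws if expired / not yet valid

        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(null, null);
        X509Certificate[] chain = { clientCert, caCert };
        store.setKeyEntry("client", pkey, password, chain);
        return store;
    }

    // Confirms what was stored: a key entry (not a trusted-cert entry) with the full chain.
    static int storedChainLength(KeyStore store) throws Exception {
        if (!store.isKeyEntry("client")) {
            throw new IllegalStateException("expected a key entry, found a trusted-cert entry");
        }
        return store.getCertificateChain("client").length;   // 2 for [client, CA]
    }
}
```

Write the result with `store.store(outputStream, password)` exactly as in the question; for a deeper chain (intermediate plus root), append the intermediates to the array in issuer order before the root.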