Question

I have an X509Certificate instance in Java and I need to identify if it is a CA certificate or a user certificate.

Can anyone provide any help?

Thanks in advance!


Solution

According to research I have performed, it can be checked via the basic constraints! Check the API for the return values of the getBasicConstraints() method.

So if the method returns a result != -1, the certificate can be considered a CA certificate.

I have checked this with several CA certificates (root and intermediate), and it works as described. I have also checked this method with several user certificates, and the method returns -1 as the result.

OTHER TIPS

X509Certificate.getKeyUsage() javadoc:

gets a boolean array representing bits of the KeyUsage extension, (OID = 2.5.29.15). The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The ASN.1 definition for this is:

          KeyUsage ::= BIT STRING {
              digitalSignature        (0),
              nonRepudiation          (1),
              keyEncipherment         (2),
              dataEncipherment        (3),
              keyAgreement            (4),
              keyCertSign             (5),  --> true ONLY for CAs
              cRLSign                 (6),
              encipherOnly            (7),
              decipherOnly            (8) }

A certificate can be checked as follows:

import java.security.cert.X509Certificate;

X509Certificate cert = ...;
// getKeyUsage() returns null when the certificate carries no KeyUsage
// extension, so guard before indexing; index 5 is keyCertSign.
boolean[] keyUsage = cert.getKeyUsage();
if (keyUsage != null && keyUsage[5]) {
    // CA certificate
}
else {
    // User certificate (or no KeyUsage extension present)
}

A Root CA will be a self-signed certificate with the keyCertSign flag enabled. In most scenarios the common name may include the word CA for convenience. An intermediate CA certificate may be signed by a Root CA (or another Intermediate!). Your browser key store will have examples of commonly trusted CA certificates.

From The Internet Engineering Task Force

    The keyCertSign bit is asserted when the subject public key is
    used for verifying a signature on certificates.  This bit may only
    be asserted in CA certificates.
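The two answers above each use one signal: the accepted answer reads the basicConstraints cA flag via getBasicConstraints(), the second reads the keyCertSign bit via getKeyUsage(). RFC 5280 requires a conforming CA certificate to carry both (basicConstraints with cA=TRUE and keyUsage with keyCertSign), so a practitioner usually wants to evaluate both and notice when they disagree, and to remember that getKeyUsage() returns null when the extension is absent and that version 1 certificates (some legacy roots) have no extensions at all. The following is an added example, not code from either answerer: the class and method names (CaCheck, classify, isSelfSigned, Role, Verdict) are my own, and with no argument it walks the JDK's own trust store at the conventional location $JAVA_HOME/lib/security/cacerts with the conventional password "changeit", which is an assumption about the local JDK layout.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class CaCheck {

    // Index of keyCertSign in the KeyUsage BIT STRING quoted in the answer above.
    private static final int KEY_CERT_SIGN = 5;

    public enum Role { CA, END_ENTITY, AMBIGUOUS }

    public static final class Verdict {
        public final Role role;
        public final String reason;
        Verdict(Role role, String reason) { this.role = role; this.reason = reason; }
        @Override public String toString() { return role + " (" + reason + ")"; }
    }

    /** Classify a certificate using both basicConstraints and keyUsage, and flag disagreement. */
    public static Verdict classify(X509Certificate cert) {
        // getBasicConstraints(): -1 when the extension is absent or cA=FALSE,
        // Integer.MAX_VALUE when cA=TRUE without pathLenConstraint, else the path length.
        int bc = cert.getBasicConstraints();
        boolean caByBasicConstraints = bc != -1;

        // getKeyUsage() returns null when the KeyUsage extension is absent; never index it blindly.
        boolean[] ku = cert.getKeyUsage();
        boolean hasKeyUsage = ku != null;
        boolean caByKeyUsage = hasKeyUsage && ku.length > KEY_CERT_SIGN && ku[KEY_CERT_SIGN];

        if (caByBasicConstraints && (caByKeyUsage || !hasKeyUsage)) {
            String len = (bc == Integer.MAX_VALUE) ? "no pathLenConstraint" : "pathLen=" + bc;
            String kuNote = hasKeyUsage ? ", keyCertSign set" : ", no KeyUsage extension";
            return new Verdict(Role.CA, "cA=TRUE, " + len + kuNote);
        }
        if (!caByBasicConstraints && !caByKeyUsage) {
            // A version 1 certificate has no extensions, so both signals are silent; if it is
            // self-signed it may still be a legacy root, so do not call it an end-entity cert.
            if (cert.getVersion() == 1 && isSelfSigned(cert)) {
                return new Verdict(Role.AMBIGUOUS, "v1 self-signed certificate with no extensions");
            }
            return new Verdict(Role.END_ENTITY, hasKeyUsage
                    ? "cA absent or FALSE, keyCertSign not set"
                    : "cA absent or FALSE, no KeyUsage extension");
        }
        // One signal claims CA status and the other denies it; RFC 5280 requires them to agree.
        return new Verdict(Role.AMBIGUOUS,
                "basicConstraints and keyUsage disagree (basicConstraints=" + bc
                + ", keyCertSign=" + caByKeyUsage + ")");
    }

    /** Self-signed means issuer == subject AND the signature verifies with the cert's own key. */
    public static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** Load one or more PEM or DER encoded certificates from a file. */
    public static List<X509Certificate> load(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** Load the JDK's default trust store (assumed path and password; adjust for your JDK). */
    public static List<X509Certificate> loadJdkTrustStore() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());
        }
        List<X509Certificate> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> certs = (args.length == 0) ? loadJdkTrustStore() : load(Paths.get(args[0]));
        for (X509Certificate c : certs) {
            System.out.printf("%-11s self-signed=%-5b %s%n",
                    classify(c).role, isSelfSigned(c), c.getSubjectX500Principal().getName());
        }
    }
}
```

Run it as `java CaCheck` to list every trust anchor in the JDK's cacerts (every entry should come out as CA, and almost all as self-signed), or as `java CaCheck chain.pem` on a server's certificate chain, where the leaf should be END_ENTITY and the intermediates CA. The AMBIGUOUS verdict is the part worth keeping in real code: a certificate that says cA=TRUE but lacks keyCertSign, or vice versa, is malformed under RFC 5280 and should be rejected by path validation rather than silently sorted into one bucket.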
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow