Java X509Certificate issuer validation

Question

I'm implementing communication using X509Certificates and are struggling with validating the certificate.

I've gotten a "parent" certificate that is self-signed and used to sign all other certificates.

This has been done and I've gotten the certificate.

In the next step, the other part is signing my certificates and I'm to store them.

Here is the first problem: My certificates that is returned does not correspond to the once I've created, so the public key differs. How can I now update my keystore with the signed certificate? Hence I need the privatekey from my certificate but I need the signed version from the returned certificate.

Next problem: The signed certificates needs to be validated and checked against the parent certificate, but when doing this, like follows:

X509Certificate parent;
X509Certificate certToVerify;
parent.verify(certToVerify.getPublicKey());

It throws, signature error, java.security.SignatureException: Signature does not match.

Is there any other way that I should check the issuer or verify the certificate? Is there something I've missed?

best, Henrik

Answer 1

For your 1st issue, you should be getting back a signed certificate in response to a certificate signing request (CSR). For example, you generated a private key, then created a CSR. You send that CSR (which contains your public key) to a Certificate Authority (CA). The CA verifies your identity and returns a signed certificate to you. This signed certificate should contain the SAME public key as was in your CSR. You can take the signed certificate and import it into your keystore. If you already had a self signed certificate for that private key, the imported signed cert should replace it.

For your 2nd issue, you need to switch the statements around. You need to verify the signed certificate with the parent's public key.

X509Certificate parent = ...;
X509Certificate certToVerify = ...;
certToVerify.verify(parent.getPublicKey());