It is certainly possible, and you should do the following things:
- generate a key pair on card, try to go for the maximum key size (2048 bits), note that this may take a long time, and if the card or reader does not handle connection time-outs gracefully, you may be in trouble;
- create a PKCS#10 certificate request, on card or on the terminal - this is a data structure, which utilizes ASN.1 DER encoding;
- sign the PKCS#10 request with the private key of the key pair;
- send the PKCS#10 request to a Certification Authority (CA);
- import the returned certificate;
Your Java Card should support RSA or EC key pair generation and signature/verification operations. Most cards nowadays do, but there may be a few that don't have an asymmetric co-processor.
This answer assumes that you create a new key pair, as using an older private key is less safe. If you want to load an existing private key you can simply call all the setters of the `RSAPrivateKey`, or the faster `RSAPrivateCrtKey`. Both objects need to be created using a Java Card `KeyBuilder` instance.
Note that this may require a lot of knowledge. You might be better off using an open source solution like MuscleCard.
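The card-side half of the steps above, as an added example that is not part of the original answer: the applet generates the key pair on card and signs a DER-encoded CertificationRequestInfo that the terminal builds from the returned modulus, and the terminal then wraps the signature into the final PKCS#10 structure. The package and class names, the instruction bytes and the use of command chaining are assumptions, and the card must support `ALG_RSA_SHA_256_PKCS1` and 2048-bit RSA.

```java
package example.csr; // hypothetical package name

import javacard.framework.*;
import javacard.security.*;

public class CsrApplet extends Applet {
    private static final byte INS_GEN_KEY = (byte) 0x10; // assumed instruction codes
    private static final byte INS_SIGN    = (byte) 0x20;
    private static final byte CLA_CHAIN   = (byte) 0x10; // ISO 7816-4 command chaining bit

    private final KeyPair keyPair = new KeyPair(KeyPair.ALG_RSA_CRT, KeyBuilder.LENGTH_RSA_2048);
    private final Signature signer = Signature.getInstance(Signature.ALG_RSA_SHA_256_PKCS1, false);
    // Transient state: cleared on deselect, so an aborted chain never leaks into the next one.
    private final byte[] out = JCSystem.makeTransientByteArray((short) 256, JCSystem.CLEAR_ON_DESELECT);
    private final boolean[] inChain = JCSystem.makeTransientBooleanArray((short) 1, JCSystem.CLEAR_ON_DESELECT);

    public static void install(byte[] b, short off, byte len) {
        new CsrApplet().register();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        short n = 0;
        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_GEN_KEY: // slow on card: the terminal needs a generous timeout
            keyPair.genKeyPair(); // public exponent defaults to 65537 unless preset
            n = ((RSAPublicKey) keyPair.getPublic()).getModulus(out, (short) 0);
            break;
        case INS_SIGN: // data = next chunk of the CertificationRequestInfo (> 255 bytes in total)
            short len = apdu.setIncomingAndReceive(); // assumes short APDUs, one receive per command
            if (!keyPair.getPrivate().isInitialized())
                ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
            if (!inChain[0]) signer.init(keyPair.getPrivate(), Signature.MODE_SIGN);
            if ((buf[ISO7816.OFFSET_CLA] & CLA_CHAIN) != 0) { // more chunks follow
                signer.update(buf, ISO7816.OFFSET_CDATA, len);
                inChain[0] = true;
                return;
            }
            inChain[0] = false; // last chunk: hash it and produce the signature
            n = signer.sign(buf, ISO7816.OFFSET_CDATA, len, out, (short) 0);
            break;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
        apdu.setOutgoing();
        apdu.setOutgoingLength(n);
        apdu.sendBytesLong(out, (short) 0, n); // 256-byte modulus or signature
    }
}
```

The private key never leaves the card; only the modulus and the signature are returned, and the returned certificate can be stored on card afterwards with an ordinary write command.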