How to uniquely identify an X509 Certificate?

Rr Kumaran
Ranch Hand

Joined: Sep 17, 2001
Posts: 548
Hi All,

Basically I am doing the w3c's xml-signature-verification-process for a web service on the server side. For this I extract the certificate from the signature and compare it between requests. Say if I get the request for the first time then I'll extract the certificate as bytes and compute the message digest and put it in a java HashMap as key (key being Certificate's SubjectDN) value object. Next time when the same request comes then I'll repeat the above process and compare the digest with the HashMap values and if a match is found then I would avoid the signature verification process. Using all this I want to save the time consumed by the xml-signature verification process.

Now my question is, how to uniquely identify a certificate. If I open the X509 Version 3 Certificate using tools like java keytool, KeyStore Explorer then I can see the MD5-Fingerprint and SHA1-Fingerprint and I guess these are unique to a certificate. Are these fingerprints unique for a certificate? If my understanding is correct then are there any java APIs available for us to extract these fingerprints and help me in uniquely identifying the certificates.

Please suggest ...

Thanks & Regards,

RR Kumaran
SCJP 1.4
Jaime Hablutzel

Joined: Dec 25, 2009
Posts: 6
Really good answer, I'm looking for this too and the only thing I have found is the RFC for PKI:

Look for the section (Serial number).
There it says that you should use the issuer (CA) name and the serial of the subject digital certificate to uniquely identify a digital certificate.
But if you just want to validate uniqueness for certificates issued by only one CA the certificate serial number is guaranteed to be unique.
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
The fingerprint should be unique to the certificate and is just a hash (MD5 or SHA1) of the DER encoding of the certificate. You can get this encoding by using the method.

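A Java sketch of both identifiers discussed in the answers above: the RFC 5280 issuer-plus-serial pair and the keytool-style fingerprint over the DER encoding. This is an added example, not code from any poster; it assumes a PEM or DER certificate file path is passed as the first command-line argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class CertIdentity {

    /** Fingerprint = digest of the certificate's DER encoding, printed colon-separated like keytool. */
    public static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] der = cert.getEncoded();                       // exact bytes the CA signed
        byte[] digest = MessageDigest.getInstance(algorithm).digest(der);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    /** RFC 5280 identity: issuer name + serial number, unique among certificates from a compliant CA. */
    public static String issuerAndSerial(X509Certificate cert) {
        BigInteger serial = cert.getSerialNumber();
        // getName() returns the RFC 2253 string form, so the key is stable across re-parsing
        return cert.getIssuerX500Principal().getName() + " / " + serial.toString(16);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is the path to a PEM or DER encoded certificate file
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            // Prefer SHA-256 as the cache key; MD5 is collision-prone and SHA-1 is deprecated
            System.out.println("SHA-256 fingerprint: " + fingerprint(cert, "SHA-256"));
            System.out.println("SHA-1 fingerprint:   " + fingerprint(cert, "SHA-1"));
            System.out.println("Issuer / serial:     " + issuerAndSerial(cert));
        }
    }
}
```

Either value only says "this exact certificate was seen before"; the XML signature still has to be verified against each request's content, since it covers the message rather than just the certificate.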