How to identify if X509Certificate is CA certificate ?

Jurica Krizanic
Ranch Hand

Joined: Dec 11, 2008
Posts: 38

Hello,
I have an X509Certificate and I need to identify if it is a CA certificate or user certificate.

Does anyone know how to do it?

Not sure if I can rely on KeyUsage parameters.

Thanks in advance!

Best regards,
Jurica Krizanic


Jurica Krizanic - Java developer, OCPJP6, Spring Core certified developer!
Jurica Krizanic
Ranch Hand

Joined: Dec 11, 2008
Posts: 38

According to the research I have performed, it can be checked by checking basic constraints! Check the API of X509Certificate class for returning results of getBasicConstraints() method.

So if the method returns result != -1, a certificate can be considered as a CA certificate.

I have checked this with several CA certificates (root and intermediate), and it works as described.

I have also checked this method with several user certificates, and the method returns -1 as result.
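
The getBasicConstraints() check discussed in this thread, combined with the KeyUsage keyCertSign bit the original question asks about, as an added example that is not part of any post. The class name CaCheck and the method classify are hypothetical; with no arguments the program uses the JDK's default trust store as sample input.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class for illustration; not from the thread.
public class CaCheck {
    // Classifies a certificate by what its own extensions claim (no chain validation).
    static String classify(X509Certificate cert) {
        int pathLen = cert.getBasicConstraints();  // -1: extension absent or cA=FALSE
        boolean[] ku = cert.getKeyUsage();         // null: no KeyUsage extension
        boolean certSign = ku != null && ku.length > 5 && ku[5]; // bit 5 = keyCertSign
        if (pathLen == -1) {
            // X.509 v1/v2 certificates cannot carry extensions, so old roots land here too.
            return cert.getVersion() < 3
                    ? "no extensions (v" + cert.getVersion() + "), not marked as CA"
                    : "not a CA (end-entity)";
        }
        if (ku != null && !certSign) {
            return "cA=TRUE but KeyUsage lacks keyCertSign (inconsistent)";
        }
        return "CA, pathLen=" + (pathLen == Integer.MAX_VALUE ? "unlimited" : pathLen);
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) {
            // Each argument is a path to a PEM or DER encoded certificate.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            for (String path : args) {
                try (InputStream in = new FileInputStream(path)) {
                    X509Certificate c = (X509Certificate) cf.generateCertificate(in);
                    System.out.println(classify(c) + "  <-  " + c.getSubjectX500Principal());
                }
            }
            return;
        }
        // No arguments: use the JDK's default trust store as sample input.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                System.out.println(classify(c) + "  <-  " + c.getSubjectX500Principal());
            }
        }
    }
}
```

A CA certificate without a pathLenConstraint makes getBasicConstraints() return Integer.MAX_VALUE, which the example prints as "unlimited".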
Rishi Shah
Ranch Hand

Joined: Sep 05, 2012
Posts: 43

If you pass it through the default TrustManager, it should throw an exception if it is a user-signed certificate and not CA.