This week's book giveaway is in the Servlets forum.
We're giving away four copies of Murach's Java Servlets and JSP and have Joel Murach on-line!
See this thread for details.
The moose likes Security and the fly likes How to identify if X509Certificate is CA certificate ? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "How to identify if X509Certificate is CA certificate ?" Watch "How to identify if X509Certificate is CA certificate ?" New topic
Author

How to identify if X509Certificate is CA certificate ?

Jurica Krizanic
Ranch Hand

Joined: Dec 11, 2008
Posts: 38

Hello,
I have an X509Certificate and I need to identify if it is a CA certificate or user certificarte.

Anyone knows how to do it?

Not sure if I can rely on KeyUsage parameters.

Thanks in advance!

Best regards,
Jurica Krizanic


Jurica Krizanic - Java developer, OCPJP6, Spring Core certified developer!
Jurica Krizanic
Ranch Hand

Joined: Dec 11, 2008
Posts: 38

According to the research I have performed, it can be checked by checking basic constraints! Check the API of X509Certificate class for returning results of getBasicConstraints() method.

So if the method returns result != -1, a certificate can be considered as a CA certificate.

I have checked this with several CA certificates (root and intermediate), and it works as described.

I have also checked this method with several user certificates, and the method returns -1 as result.
Rishi Shah
Ranch Hand

Joined: Sep 05, 2012
Posts: 43

If you pass it through the default TrustManager, it should throw an exception if it is a user-signed certificate and not CA.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: How to identify if X509Certificate is CA certificate ?
 
Similar Threads
Certificate Trust
how to extract private key from pfx(PKCS) certificate using java code
Read client certificate in a Servlet
X509Certificate Authentication
J2ME and Bouncycastle