Generate Key Pairs and Certification Requests - Exercises
Try out the following exercises intended to strengthen your knowledge by allowing you to test and solve tasks on your own.
The following exercises complement How to Generate Key Pairs and Certification Requests and the Training - PKI at the Edge (session 1) which introduces useful concepts and provides additional context.
Exercises
Try running the code for an RSA or EC PKCS10 request. Dump it out using either openssl asn1parse or the BC ASN1Dump utility class. Have a quick look at the PKCS #10: Certification Request Syntax Specification RFC 2986. Can you identify the elements making up the CertificationRequestInfo sequence described in Section 4.1?
Try running the code for an RSA or EC CRMF request using signing as the POP. Dump it out using either
openssl asn1parse
or the BCASN1Dump
utility class. Have a quick look at the Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) RFC 4211. The Java class is a representation of the CertRequest ASN.1 structure which is described in Section 5. Can you identify the elements making up the CertTemplate that is inside the CertRequest sequence?CRMF also supports sending an encrypted copy of the private key, in Bouncy Castle you can create one of these using a
JcaPKIArchiveControlBuilder
. The builder takes the same sort of arguments as a CMSEnvelopedDataGenerator does, which is not surprising as that is what it comes to do internally. Try adding this control to your request.CRMF also supports key agreement keys. Try converting what you have to support a key agreement key and build a request using an EC key that would be used for Diffie-Hellman.
Try adding a request to include a "subjectAlternativeName" extension in a CRMF based request.
There is an
addExtension()
method which will add an extension to the request. For a more in-depth understanding of what is going on here, look up the CertTemplate structure in RFC 4211.