Many different flavors of certificates are available, including SDSI (Simple Distributed Security Infrastructure), PGP (Pretty Good Privacy), and X.509. This month, to further expand your security vocabulary, I will describe the certificate format that leads the pack and is a key component of the emerging PKI standards: the X.509 certificate.
The International Telecommunication Union (ITU) developed and published the X.509 certificate format, which was selected by the Public Key Infrastructure X.509 (PKIX) working group of the Internet Engineering Task Force (IETF). If acronyms indicate strength, X.509 clearly has powerful allies.
Using a notation called ASN.1 (Abstract Syntax Notation One), the X.509 standard defines a certificate's format. ASN.1 is a standardized language that describes abstract data types in a platform-independent manner.
The "Internet X.509 Public Key Infrastructure -- Certificate and CRL Profile" document (see Resources for a link) published by the PKIX working group describes an X.509 certificate format in terms of ASN.1 notation. It's a fascinating read if you're interested in that sort of thing.
A data type -- such as a certificate -- defined in ASN.1 isn't useful until there is an unambiguous way to represent an instance of that type as a series of bits. To provide that, ASN.1 uses the Distinguished Encoding Rules (DER), which define how to uniquely encode any ASN.1 object.
With a copy of an X.509 certificate's ASN.1 definition and a knowledge of the DER, you can write a Java application that will read and write X.509 certificates and interoperate with similar applications written in other programming languages. Luckily, you will probably never have to go to that much trouble because the Java 2 Platform, Standard Edition (J2SE) comes with built-in support for X.509 certificates.
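To make the DER rules concrete, the following added example (not code from the article or the JDK) walks the tag-length-value structure of a hand-constructed DER fragment and rejects length encodings that BER accepts but DER forbids. The class name `DerWalker` and both sample byte strings are made up for illustration, and the code assumes Java 17 or later for `java.util.HexFormat`.

```java
import java.util.HexFormat; // Java 17+

// Added illustration: walks DER tag-length-value (TLV) triplets and enforces DER's length rules.
public class DerWalker {
    static final HexFormat HEX = HexFormat.of();

    // Appends one line per TLV in buf[off, end) to out; recurses into constructed types.
    static void walk(byte[] buf, int off, int end, String indent, StringBuilder out) {
        while (off < end) {
            int tag = buf[off++] & 0xFF;
            if ((tag & 0x1F) == 0x1F) throw new IllegalArgumentException("multi-byte tag not handled");
            if (off >= end) throw new IllegalArgumentException("truncated before length");
            int len = buf[off++] & 0xFF;
            if (len == 0x80) throw new IllegalArgumentException("indefinite length is not DER");
            if (len > 0x80) {                        // long form: low 7 bits count the length bytes
                int n = len & 0x7F;
                if (n > 3 || n > end - off) throw new IllegalArgumentException("length field too long");
                len = 0;
                for (int i = 0; i < n; i++) len = (len << 8) | (buf[off++] & 0xFF);
                // DER permits only the shortest possible encoding of a length.
                if (len < 0x80 || (len >>> (8 * (n - 1))) == 0)
                    throw new IllegalArgumentException("non-minimal length is not DER");
            }
            if (len > end - off) throw new IllegalArgumentException("value overruns buffer");
            boolean constructed = (tag & 0x20) != 0;
            out.append(String.format("%stag=0x%02X len=%d%s%n", indent, tag, len,
                    constructed ? "" : " value=" + HEX.formatHex(buf, off, off + len)));
            if (constructed) walk(buf, off, off + len, indent + "  ", out);
            off += len;
        }
    }

    static String dump(String hex) {
        byte[] der = HEX.parseHex(hex);
        StringBuilder out = new StringBuilder();
        walk(der, 0, der.length, "", out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample shaped like the start of a certificate body:
        // SEQUENCE { [0] { INTEGER 2 }, INTEGER 1, SEQUENCE { OID sha256WithRSAEncryption, NULL } }
        System.out.print(dump("3017a003020102020101300d06092a864886f70d01010b0500"));
        try {
            // Constructed sample: length 3 written in long form (81 03), valid BER but invalid DER.
            dump("308103020105");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The strict length checks are what make the encoding unique: a signature is computed over the encoded bytes, so a parser that tolerates alternative encodings of the same value can disagree with the signer about what was signed.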
All of the certificate-related classes and interfaces reside in the package java.security.cert. Like the other members of Sun's family of security APIs, the certificate package was designed around the factory paradigm, in which one or more Java classes define a generic interface to a package's intended functionality. The classes are abstract, so applications cannot instantiate them directly. Instead, a factory class's instance creates and returns instances of the abstract classes' particular subtypes. The factory paradigm circumvents Java's strong typing, but in return, permits the code to run without recompilation in a broader range of environments.
java.security.cert