I am working with X509 certificates in Java. Given a certificate is it possible to find all other certificates in the signing hierarchy until you reach the root certificate?
I have a certificate file (with a .cer
extension) and I want to extract the parent signing certificate. I want to keep finding the parent of that certificate untill I get the final root certificate, which is self signed.
I have checked the X509Certificate certificate APIs and relevant APIs in java.security.cert
but could not find anything useful.
Best Answer
That is not hard - assuming you've somehow/out of band got all the intermediate certificates and the root cert in one or more keychains.
Have a look at
for a code snipped which does just that. The key bit is in validateKeyChain() and basically consists of
As to how you get the intermediate/root certificates - that is a different issue. Note that this code is a little bit naive - and does not quite understand cross-signing. The java pkix calls though though - BouncyCastle has an example.
You can generally build the root certs into a key chain; but the intermediate certificates often need to be 'gathered' or discovered more dynamically. This generally requires querying the SSL stack during TLS or similar.