Java access to intermediate CAs from Windows keystores?

闹比i 2020-12-06 12:02

I need to build a certificate chain on Windows, from an X.509 smart card cert through one or more intermediate CAs to a root CA. That's easy when the CA certs are in a JKS

2 Answers
  •  醉梦人生
    2020-12-06 12:34

    Jcs had the answer, but I want to show some pseudocode so:

    import java.security.KeyStore;
    import java.security.cert.Certificate;

    // load the Windows keystore
    KeyStore winKeystore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
    winKeystore.load(null, null);
    
    // add the user's smart card cert to the keystore
    winKeystore.setCertificateEntry(myAlias, userCertificate);
    
    // build the cert chain! this will include intermediate CAs
    Certificate[] chain = winKeystore.getCertificateChain(myAlias);
    

    Windows cert chains aren't validated as they're built, but now you can do the usual thing of creating a CertPath and PKIXParameters and using them to validate the chain.

    // certPath and params are the CertPath and PKIXParameters created from the chain above
    CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
    certPathValidator.validate(certPath, params);
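
The validation step the answer describes, written out as an added example (not code from the original answer): it builds the CertPath from a chain read out of `Windows-MY` and takes trust anchors from the `Windows-ROOT` store. The class name, method names and the alias passed as `args[0]` are assumptions; it needs a Windows JVM with the SunMSCAPI provider.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
// Added example; class and method names are illustrative, not from the original answer.
public class WindowsChainValidator {
    // Every certificate in the Windows trusted-root store becomes a PKIX trust anchor.
    static Set<TrustAnchor> windowsRootAnchors() throws Exception {
        KeyStore roots = KeyStore.getInstance("Windows-ROOT", "SunMSCAPI");
        roots.load(null, null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(roots.aliases())) {
            Certificate c = roots.getCertificate(alias);
            if (c instanceof X509Certificate) anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
        return anchors;
    }

    // Validates a leaf-first chain such as the one returned by getCertificateChain().
    static PKIXCertPathValidatorResult validate(Certificate[] chain) throws Exception {
        Set<TrustAnchor> anchors = windowsRootAnchors();
        Set<X509Certificate> anchorCerts = new HashSet<>();
        for (TrustAnchor a : anchors) anchorCerts.add(a.getTrustedCert());

        // A CertPath runs from the end-entity cert up to, but not including, the anchor.
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            if (anchorCerts.contains(c)) break;
            path.add((X509Certificate) c);
        }
        if (path.isEmpty()) throw new CertPathValidatorException("no certificate below a trust anchor");
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        // Revocation checking stays on (the default). CRL distribution points are fetched only
        // with -Dcom.sun.security.enableCRLDP=true; OCSP needs the ocsp.enable security property.
        params.setRevocationEnabled(true);
        CertPathValidator v = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
        return (PKIXCertPathValidatorResult) v.validate(certPath, params); // throws if invalid
    }

    public static void main(String[] args) throws Exception {
        KeyStore my = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        my.load(null, null);
        Certificate[] chain = my.getCertificateChain(args[0]); // args[0]: alias (assumed input)
        if (chain == null) throw new IllegalArgumentException("no chain for alias " + args[0]);
        System.out.println(validate(chain).getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

With revocation enabled and no CRL or OCSP source reachable, `validate` throws a `CertPathValidatorException` rather than accepting the chain, which is the fail-closed behaviour wanted for smart card logon checks.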
    
