Write x509 certificate into PEM formatted string in java?

Question

Is there some high level way to write an X509Certificate into a PEM formatted string? Currently I\'m doing x509cert.encode() to write it into a DER formatted string, then ba

Answer 1

Previous answer gives compatibility problems with 3de party software (like PHP), because PEM cert is not correctly chunked.

Imports:

import org.apache.commons.codec.binary.Base64;

Code:

protected static String convertToPem(X509Certificate cert) throws CertificateEncodingException {
 Base64 encoder = new Base64(64);
 String cert_begin = "-----BEGIN CERTIFICATE-----\n";
 String end_cert = "-----END CERTIFICATE-----";

 byte[] derCert = cert.getEncoded();
 String pemCertPre = new String(encoder.encode(derCert));
 String pemCert = cert_begin + pemCertPre + end_cert;
 return pemCert;
}

Answer 2

Yet another alternative for encoding using Guava's BaseEncoding:

import com.google.common.io.BaseEncoding;

public static final String LINE_SEPARATOR = System.getProperty("line.separator");
public static final int LINE_LENGTH = 64;

And then:

String encodedCertText = BaseEncoding.base64()
                                     .withSeparator(LINE_SEPARATOR, LINE_LENGTH)
                                     .encode(cert.getEncoded());

Answer 3

Using some tiny Base64 I made below thing which does not depend on other things like base64 or bouncycastle.

import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
class Convert {
    private static byte[] convertToPem(X509Certificate cert)
        throws CertificateEncodingException {
        String cert_begin = "-----BEGIN CERTIFICATE-----\n";
        String end_cert = "-----END CERTIFICATE-----\n";
        String b64 = encode(cert.getEncoded()).replaceAll("(.{64})", "$1\n");
        if (b64.charAt(b64.length() - 1) != '\n') end_cert = "\n" + end_cert;
        String outpem = cert_begin + b64 + end_cert;
        return outpem.getBytes();
    }

    // Taken from https://gist.github.com/EmilHernvall/953733
    private static String encode(byte[] data) {
        String tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
        StringBuilder buffer = new StringBuilder();
        int pad = 0;
        for (int i = 0; i < data.length; i += 3) {
            int b = ((data[i] & 0xFF) << 16) & 0xFFFFFF;
            if (i + 1 < data.length) b |= (data[i+1] & 0xFF) << 8;
            else pad++;
            if (i + 2 < data.length) b |= (data[i+2] & 0xFF);
            else pad++;
            for (int j = 0; j < 4 - pad; j++, b <<= 6) {
                int c = (b & 0xFC0000) >> 18;
                buffer.append(tbl.charAt(c));
            }
        }
        for (int j = 0; j < pad; j++) buffer.append("=");
        return buffer.toString();
    }
}

Answer 4

This is not bad. Java doesn't provide any functions to write PEM files. What you are doing is the correct way. Even KeyTool does the same thing,

BASE64Encoder encoder = new BASE64Encoder();
out.println(X509Factory.BEGIN_CERT);
encoder.encodeBuffer(cert.getEncoded(), out);
out.println(X509Factory.END_CERT);

If you use BouncyCastle, you can use PEMWriter class to write out X509 certificate in PEM.