I am struggling with the following issue:
I have a CSR which I am signing with this code:
@Override
public X509Certificate signCSR( Reader pemcsr, in
If you look at the Issuer DN in your two certificates, they don't match (output from openssl x509 -text):
Issuer: C=AT, ST=Wien, L=Wien, O=Test CA, OU=Test CA, CN=Test CA/emailAddress=testca@testca.com
and
Issuer: emailAddress=testca@testca.com, CN=Test CA, OU=Test CA, O=Test CA, L=Wien, ST=Wien, C=AT
As a result, it's not going to be able to match the wrong issuer to the CA's Subject DN.
Unfortunately, X500Name issuer = new X500Name(cacert.getSubjectX500Principal().getName()) doesn't do what you'd expect. The order of the RDNs is reversed. Generally, re-building the DN from a string representation can fail, since there are different ways of serialising the ASN.1 representation into a string. Java's X500Principal has multiple formats available for getName(...) and it even provides a way to provide your own OID to string maps (for more obscure OIDs). The way emailAddress is separated can also cause problems (notice the way it's separated with a comma or with a slash).
Instead, build the X500Name from the encoded form; this should always work:
X500Name x500Name = X500Name.getInstance(cert.getSubjectX500Principal().getEncoded());