Storing Certificates
A ServerCertificateList contains a list of certificates. It is used to store certificates whose private key is not known, as is the case for certificates received from a server or for trusted root certificates from certificate authorities. A ClientCertificateList contains a list of client certificates; for each certificate in the list there is a private key corresponding to the public key in the certificate.
Both ServerCertificateList and ClientCertificateList have the methods addCertificate( ) and removeCertificate( ) for adding and removing certificates. addCertificate( ) in ClientCertificateList also takes a second argument: the private key that belongs to the certificate.
Both classes contain a method restoreListFromPEM( ), a convenience method that loads certificates from a file. For ServerCertificateList the file is a list of PEM-encoded X.509 certificates in text form; comments are allowed between the certificate blocks. For ClientCertificateList the file is a list of PEM-encoded certificates, each immediately followed by a PEM-encoded PKCS#8 private key, optionally encrypted using the PKCS#5 format. To support encryption, restoreListFromPEM( ) in ClientCertificateList takes a second argument, a PKCS8PrivateKeyFactory. This class can be created with a key (password) for decryption; all the private keys in the file are then assumed to be encrypted with this key.
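The client-list file layout described above, as an added example in Python (not ICEsoft code): a checker for the file that ClientCertificateList.restoreListFromPEM( ) expects. It flags a certificate with no following key block, a key that is not PKCS#8 (for example a PKCS#1 "RSA PRIVATE KEY" block), and a mix of encrypted and plaintext keys, which a single PKCS8PrivateKeyFactory password cannot decrypt. The sample file content is constructed with placeholder bodies, not real certificates or keys.

```python
import re

# Constructed sample in the ClientCertificateList layout described above:
# certificate block, then immediately its PKCS#8 key block, repeated.
# The base64 bodies are placeholders, not real certificates or keys.
SAMPLE_PEM = """\
# client identity 1 (comments are allowed between blocks)
-----BEGIN CERTIFICATE-----
MIIBexampleCert1
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBexampleKey1
-----END ENCRYPTED PRIVATE KEY-----
# client identity 2
-----BEGIN CERTIFICATE-----
MIIBexampleCert2
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBexampleKey2
-----END ENCRYPTED PRIVATE KEY-----
"""

# One PEM block; the label on the BEGIN and END lines must match (\1).
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def check_client_list(text):
    """Return (entries, problems). entries are (cert_body, key_body, encrypted)
    tuples; problems lists layout defects that no factory password can fix:
    a certificate without a key, a non-PKCS#8 key, or mixed encryption."""
    blocks = [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]
    entries, problems = [], []
    for n, i in enumerate(range(0, len(blocks), 2)):
        cert_label, cert_body = blocks[i]
        if cert_label != "CERTIFICATE":
            problems.append(f"entry {n}: expected CERTIFICATE, got {cert_label}")
        if i + 1 >= len(blocks):
            problems.append(f"entry {n}: certificate without a following key")
            break
        key_label, key_body = blocks[i + 1]
        if key_label not in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
            problems.append(f"entry {n}: expected a PKCS#8 key, got {key_label}")
        entries.append((cert_body, key_body, key_label.startswith("ENCRYPTED")))
    if len({e[2] for e in entries}) > 1:
        problems.append("mix of encrypted and plaintext keys; one factory password cannot decrypt all")
    return entries, problems
```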
Creating a Certification Authorities List (CAList)
A list of the certificates you trust must be installed in the certificate manager. The current certificate manager can be obtained with the static getCertificateManager( ) call. The setCAList( ) call in CertificateManager installs a list of trusted CAs. The parameter to this method is a ServerCertificateList, to which certificates can be added and from which they can be removed. The restoreListFromPEM( ) method can be used to load a CA list from a file.
Copyright 2005. ICEsoft Technologies, Inc. http://www.icesoft.com