Generating a selfcertificate programatically

It seems that there is no way to generate a selfcertificate via a JRE API. For instance java.security.cert.CertificateFactory needs to read an already existing certificate (encoding) from an InputStream. While CertPathBuilder requires LDAP or a Collection of certificates.

I do not want to force the users to pay to a CA, any free alternatives?
In fact, I would like the program would allow the user to generate the selfcertificates, preventing the user of knowing/managing the keytool utility.
I know they are not said to be reliable. But I think the user can phone the owner/subject of the selfcertificate to find out the "digitall firm" and check its autenticity. This is how I would like my program worked.

[ June 28, 2004: Message edited by: Jose Botella ]

[ June 28, 2004: Message edited by: Jose Botella ]
[ June 29, 2004: Message edited by: Jose Botella ]

Hey I have found the bouncycastle.org site. Now it seems I am on the track!
/* The program simulates the transfer of a selfcertificate, generated programatically, * say from Alice to Bob. * If the file named: transmitter.cert does not exist in the executing dir * a FileNotFoundException is caught. Then we create a public priate key pair and a * certificate for the public key. We add both as an entry to a privateKS that should be * kept under secret. At last, we "export" the DER encoded form to a file named * transmitter.cert. If the program is executed a second time, the file transmitter.cert * exists. We create a X509Certificate from it and add it to a "trusted" keystore. * In both cases we print a digest of the signature. The first execution of the program * pretends to be in Alice computer. Alice generates a key pair and a certificate of the * public key. Then sends the certificate to Bob. Bob before adding the certificate to the * trusted keystore, phones Alice and ask her for for the digest of the certificate. If *it is the same as the one he has seen (second execution of the program) the certificate *is for the public key from Alice. */ package josebotella.filetransfer.secure; import java.security.*; import java.security.cert.Certificate; import java.security.cert.*; import java.security.spec.*; import java.io.*; import java.util.*; import java.math.*; import org.bouncycastle.jce.X509V3CertificateGenerator; import org.bouncycastle.jce.X509Principal; import org.bouncycastle.jce.provider.BouncyCastleProvider; public class FileTranfer { private static char[] keyStorePass = new char[] { 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' }; static X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator(); static MessageDigest digester; public static void main (String[] args) throws Exception { Security.addProvider(new BouncyCastleProvider()); digester = MessageDigest.getInstance("MD5"); String keystoreFile = "FileTransfer.privateKS"; FileInputStream fis; KeyPairGenerator KPGen = null; KeyStore trustedKS = KeyStore.getInstance("JKS"); KeyStore privateKS = KeyStore.getInstance("JKS"); try { fis = new FileInputStream("transmitter.cert"); CertificateFactory factory = CertificateFactory.getInstance("X509"); X509Certificate toBeTrusted = (X509Certificate) factory.generateCertificate( fis); trustedKS.load(null, "unrelatedpass".toCharArray()); trustedKS.setCertificateEntry("transmitterKeyPair.cert", toBeTrusted); //trustedKS.store( new FileOutputStream("Receiver.trustedKS"), keyStorePass ); System.out.println(trustedKS.getCertificate("transmitterKeyPair.cert")); printDigest(toBeTrusted); } catch (FileNotFoundException e) { fis = null; privateKS.load(fis, keyStorePass); KPGen = KeyPairGenerator.getInstance("RSA"); KPGen.initialize(1024); KeyPair KPair = KPGen.generateKeyPair(); v3CertGen.setSerialNumber(BigInteger.valueOf(1)); v3CertGen.setIssuerDN( new X509Principal("CN=Jose, OU=test, O=SOHO " + "L=Caceres, C=SP") ); v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30)); v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30))); v3CertGen.setSubjectDN(new X509Principal("CN=Jose, OU=test, O=SOHO " + "L=Caceres, C=SP") ); v3CertGen.setPublicKey(KPair.getPublic()); v3CertGen.setSignatureAlgorithm("MD5WithRSAEncryption"); X509Certificate PKCertificate = v3CertGen.generateX509Certificate( KPair.getPrivate()); privateKS.setKeyEntry( "transmitterKeyPair" , KPair.getPrivate() , new char[] { 'e', 'n', 't', 'r', 'y', 'p', 'a', 's', 's' } , new Certificate[] { PKCertificate } ); //privateKS.store( new FileOutputStream(keystoreFile), keyStorePass ); FileOutputStream fos = new FileOutputStream("transmitter.cert"); fos.write(PKCertificate.getEncoded()); fos.close(); printDigest(PKCertificate); } } static void printDigest(X509Certificate certi) { byte[] sig = certi.getSignature(); digester.update(sig); byte[] digest = digester.digest(); for(int i = 0; i< digest.length; i++) System.out.print(digest[i]); System.out.println(); } }
Dou you think this practice is secure or unfeasible?