
How to uniquely identify a X509 Certificate ?

 
Rr Kumaran
Ranch Hand
Posts: 548
Hi All,

Basically I am doing the w3c's xml-signature-verification-process for a web service on the server side. For this I extract the certificate from the signature and compare it between requests. Say if I get the request for the first time then I'll extract the certificate as bytes and compute the message digest and put it in a java HashMap as key (key being Certificate's SubjectDN) value object. Next time when the same request comes then I'll repeat the above process and compare the digest with the HashMap values and if a match is found then I would avoid the signature verification process. Using all this I want to save the time consumed by the xml-signature verification process.

Now my question is, how to uniquely identify a certificate. If I open the X509 Version 3 Certificate using tools like java keytool, KeyStore Explorer then I can see the MD5 fingerprint and SHA1 fingerprint and I guess these are unique to a certificate. Are these fingerprints unique for a certificate? If my understanding is correct then are there any java APIs available for us to extract these fingerprints and help me in uniquely identifying the certificates.

Please suggest ...


Thanks & Regards,
Kr.
 
Jaime Hablutzel
Greenhorn
Posts: 6
Really good answer, I'm looking for this too and the only thing I have found is the RFC for PKI: http://www.ietf.org/rfc/rfc3280.txt

Look for the section 4.1.2.2 (Serial number).
There it says that you should use the issuer (CA) name and the serial of the subject digital certificate to uniquely identify a digital certificate.
But if you just want to validate uniqueness for certificates issued by only one CA the certificate serial number is guaranteed to be unique.
 
greg stark
Ranch Hand
Posts: 220
The fingerprint should be unique to the certificate and is just a hash (MD5 or SHA1) of the DER encoding of the certificate. You can get this encoding by using the method.
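As an added illustration of the two answers above (this is not code from either poster), the following Java 17 program derives both identifiers for an X509Certificate: the fingerprint, i.e. a digest over the DER bytes returned by getEncoded(), and the RFC 3280 issuer-name plus serial-number pair. To run without any certificate file it pulls the root certificates out of the JDK's default trust store through TrustManagerFactory; that choice, the class name CertIdentity and the helper names are assumptions of this example.

```java
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CertIdentity {

    /** Fingerprint = hash over the DER encoding; getEncoded() returns exactly those bytes. */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        return HexFormat.ofDelimiter(":").withUpperCase().formatHex(digest);
    }

    /** RFC 3280 section 4.1.2.2 identity: issuer name plus serial number (serial is unique per issuer only). */
    static String issuerAndSerial(X509Certificate cert) {
        BigInteger serial = cert.getSerialNumber();
        return cert.getIssuerX500Principal().getName() + " / " + serial.toString(16);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: read the JDK's default trust store so the example needs no certificate file.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509Certificate[] roots = new X509Certificate[0];
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                roots = ((X509TrustManager) tm).getAcceptedIssuers();
                break;
            }
        }

        // Hypothetical stand-in for the poster's HashMap, keyed by SHA-256 fingerprint.
        Map<String, X509Certificate> seen = new HashMap<>();
        for (X509Certificate cert : roots) {
            String fp = fingerprint(cert, "SHA-256");
            if (seen.putIfAbsent(fp, cert) != null) {
                System.out.println("duplicate DER encoding: " + fp);
            }
        }
        System.out.println(roots.length + " certificates, " + seen.size() + " distinct fingerprints");

        if (roots.length > 0) {
            X509Certificate c = roots[0];
            System.out.println("Subject       : " + c.getSubjectX500Principal().getName());
            System.out.println("Issuer/serial : " + issuerAndSerial(c));
            System.out.println("MD5           : " + fingerprint(c, "MD5"));
            System.out.println("SHA-1         : " + fingerprint(c, "SHA-1"));
            System.out.println("SHA-256       : " + fingerprint(c, "SHA-256"));
        }
    }
}
```

Run it with `java CertIdentity.java` on Java 17 or later (HexFormat was added in 17). A fingerprint match only establishes that the same certificate was presented again, so it can justify skipping the chain-building and trust checks for that certificate; the XML signature on each individual request still has to be verified against the cached public key, and the certificate's validity period and revocation status still have to be rechecked. Prefer SHA-256 over MD5 for the cache key, since MD5 is no longer collision resistant.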
 