How to uniquely identify a X509 Certificate ?

Ranch Hand
Posts: 548
Hi All,

Basically I am doing the W3C's XML signature verification process for a web service on the server side. For this I extract the certificate from the signature and compare it between requests. Say if I get the request for the first time then I'll extract the certificate as bytes and compute the message digest and put it in a Java HashMap as key (key being the certificate's SubjectDN) value object. Next time when the same request comes then I'll repeat the above process and compare the digest with the HashMap values, and if a match is found then I would avoid the signature verification process. Using all this I want to save the time consumed by the XML signature verification process.

Now my question is, how to uniquely identify a certificate. If I open the X509 Version 3 certificate using tools like Java keytool or KeyStore Explorer then I can see the MD5-Fingerprint and SHA1-Fingerprint and I guess these are unique to a certificate. Are these fingerprints unique for a certificate? If my understanding is correct then are there any Java APIs available for us to extract these fingerprints and help me in uniquely identifying the certificates?

Please suggest ...


Thanks & Regards,
Kr.
Greenhorn
Posts: 6
Really good answer, I'm looking for this too and the only thing I have found is the RFC for PKI: http://www.ietf.org/rfc/rfc3280.txt

Look for the section 4.1.2.2 (Serial number).
There it says that you should use the issuer (CA) name and the serial number of the subject digital certificate to uniquely identify a digital certificate.
But if you just want to validate uniqueness for certificates issued by only one CA, the certificate serial number is guaranteed to be unique.
Ranch Hand
Posts: 220
The fingerprint should be unique to the certificate and is just a hash (MD5 or SHA1) of the DER encoding of the certificate. You can get this encoding by using the method.
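The two identification methods discussed in this thread, shown together as an added example (not code posted by anyone in the thread): the fingerprint is a digest over the DER bytes returned by X509Certificate.getEncoded(), which is exactly what keytool prints, and the RFC 3280 identity is the issuer name plus the serial number. The program assumes its single argument is a path to one certificate in PEM or DER form; SHA-256 is used for the cache key because MD5 fingerprints are not collision-resistant.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;

public class CertIdentity {

    // keytool-style fingerprint: hash of the DER encoding, upper-case hex,
    // bytes separated by ':'. The algorithm name selects MD5, SHA-1 or SHA-256.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // RFC 3280 section 4.1.2.2: issuer name + serial number is unique across a PKI,
    // because each CA must not reuse a serial number it has issued.
    static String issuerAndSerial(X509Certificate cert) {
        return cert.getIssuerX500Principal().getName() + " / " + cert.getSerialNumber().toString(16);
    }

    // Cache key for an already-seen certificate. The SubjectDN alone is a poor key:
    // two different certificates (e.g. a renewed one) can carry the same subject.
    static String cacheKey(X509Certificate cert) throws Exception {
        return fingerprint(cert, "SHA-256");
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] names a file holding one X.509 certificate (PEM or DER).
        Map<String, X509Certificate> seen = new HashMap<>();
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println("SHA-256: " + fingerprint(cert, "SHA-256"));
            System.out.println("SHA-1:   " + fingerprint(cert, "SHA-1"));
            System.out.println("Issuer/serial: " + issuerAndSerial(cert));
            boolean firstTime = seen.putIfAbsent(cacheKey(cert), cert) == null;
            System.out.println(firstTime ? "certificate not seen before" : "certificate already cached");
        }
    }
}
```

A cache hit only tells you the certificate is one you have already validated (chain, expiry, revocation); the XML signature over each message must still be checked, since the fingerprint identifies the certificate and not the request.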