[OPENDJ-6174] Make X509CertificateBuilder a public API so that other product teams can use it
Created: 04/Apr/19
Updated: 25/Sep/20

Status: Dev backlog
Project: OpenDJ
Component/s: common-repo, core apis, security
Affects Version/s: 7.0.0
Fix Version/s: 7.1.0

Type: Task
Priority: Blocker
Reporter: Matthew Swift
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None

Issue Links:
depends on OPENDJ-6956 Replace Grizzly LDAP transport with R... Dev in Progress
is related to OPENDJ-7193 Consider splitting out ASN.1 and Byte... Dev backlog
Epic Link: Supportable SDK


The org.forgerock.opendj.security.X509CertificateBuilder class provides a simple stable API for constructing X509 certificates which could be useful outside of the DJ code-base. In particular, the AM team use BouncyCastle for generating key-pairs in unit tests, but these break frequently as a result of changes to BC's APIs. In addition the BC APIs are hard to use.

It should be noted that the X509CertificateBuilder class only generates EC keys. We should be careful to keep this class relatively simple and lightweight.

Comment by Cyril Quinton [ 03/May/19 ]

The X509CertificateBuilder class does not generate the key-pair; it is the responsibility of the client to generate it. Hence it can be used with key-pairs other than EC; nevertheless, it was only tested with EC keys.

Comment by Matthew Swift [ 29/Jul/20 ]

This issue depends on OPENDJ-6956 which simplifies the ASN.1 hierarchy to a single reader/writer implementation.
