May 16, 2018

How to Create a Certificate Signature Request (CSR) in Java

import java.io.ByteArrayOutputStream;
import java.io.PrintStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;

import sun.security.pkcs10.PKCS10;
import sun.security.x509.X500Name;

public class GenerateCSR {

    // Collision DO NOT USE public static final String SHA1withRSA = "SHA1withRSA";
    public static final String SHA256withRSA = "SHA256withRSA";
    public static final String SHA384withRSA = "SHA384withRSA";
    public static final String SHA512withRSA = "SHA512withRSA";

    public static void main(String[] args) throws Exception {
        // Generate key pair
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048, new SecureRandom());
        KeyPair keyPair = keyPairGenerator.genKeyPair();
        PrivateKey privateKey = keyPair.getPrivate();
        PublicKey publicKey = keyPair.getPublic();

        // Subject DN
        String commonName = "Vivette Davis", organizationUnit = "Purchasing", organizationName = "Onizuka, Inc.",
                localityName = "Palo Alto", stateName = "California", country = "CH";
        X500Name x500Name =
                new X500Name(commonName, organizationUnit, organizationName, localityName, stateName, country);

        // Generate PKCS10 certificate request
        PKCS10 pkcs10 = new PKCS10(publicKey);
        Signature signature = Signature.getInstance("SHA256withRSA");
        signature.initSign(privateKey);
        pkcs10.encodeAndSign(x500Name, signature);

        ByteArrayOutputStream bs = new ByteArrayOutputStream();
        pkcs10.print(new PrintStream(bs));
        byte[] csr = bs.toByteArray();

        System.out.println(new String(csr));
    }
}

And when run

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICwDCCAagCAQAwezELMAkGA1UEBhMCQ0gxEzARBgNVBAgTCkNhbGlmb3JuaWEx
EjAQBgNVBAcTCVBhbG8gQWx0bzEWMBQGA1UEChMNT25penVrYSwgSW5jLjETMBEG
A1UECxMKUHVyY2hhc2luZzEWMBQGA1UEAxMNVml2ZXR0ZSBEYXZpczCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJKD4TawNfl1nb4MQ43NZVr6aIQHyTKn
vry319KCRn5lNeYLb5atU6uKdf3Arbqr0evMFf76yzL9kjE5WL3bbYAXaVQoRkzu
sB/Ot+L0G9u3ezTjHj0Cry4bOGBV3Qny38C6jTso5xMnJH3Z2GT3Qo3ldhPA6a8j
iFF6QxgMwZvr29HFJ97170EF5YzRBCtDkrNVGVnVvIwjaXhgl2jfaZ2nCwvMPM8D
FobiO6HH2OdXmBhjrZKgldRsm1PWnBk/T8TzN1UoNZkLNxoWz0X+OdgQwTkJNqgo
O9UUtlpinJ9uMVFKVUoNx9AaTLrrMvOzYMN2RnHiDndEoZtmY9nP500CAwEAAaAA
MA0GCSqGSIb3DQEBCwUAA4IBAQB53BmcugvXl/HYgdkVGLKZYlZLdJKi9amfY8IJ
yKtBXRvzqUg7oJTtnXBTxjGKx+lldZQlmFULBTzUTiGsEBIgV9FytSZ/ef0VN7AK
fzKF+17CRfuz4uk1syTnLgiBV91R9bDccVetRTk8F8H0MVj/Fdr9KZv6WSSVWNJr
bCQHZEQZhZM5U/3CDvZm9ivnowiwma55OnsyF3LmiawgMEHTazM/EHF82IK0Smu2
oSYxfuT8OvNnpRkdOnDRBpUj45PhORrQBelMJ5H1mgalInLMlVFypNcvfe+jYJ/6
YnwlX9BWga+av6QPzDxrE2amwwXq+gCuz7tIaWh5UzPs8alK
-----END NEW CERTIFICATE REQUEST-----

And to verify with openssl, where you see the Subject, Key Length and Signature Algorithm.

$ openssl req -text -noout -in 1.csr.pem
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CH, ST=California, L=Palo Alto, O=Onizuka, Inc., OU=Purchasing, CN=Vivette Davis
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:92:83:e1:36:b0:35:f9:75:9d:be:0c:43:8d:cd:
                    65:5a:fa:68:84:07:c9:32:a7:be:bc:b7:d7:d2:82:
                    46:7e:65:35:e6:0b:6f:96:ad:53:ab:8a:75:fd:c0:
                    ad:ba:ab:d1:eb:cc:15:fe:fa:cb:32:fd:92:31:39:
                    58:bd:db:6d:80:17:69:54:28:46:4c:ee:b0:1f:ce:
                    b7:e2:f4:1b:db:b7:7b:34:e3:1e:3d:02:af:2e:1b:
                    38:60:55:dd:09:f2:df:c0:ba:8d:3b:28:e7:13:27:
                    24:7d:d9:d8:64:f7:42:8d:e5:76:13:c0:e9:af:23:
                    88:51:7a:43:18:0c:c1:9b:eb:db:d1:c5:27:de:f5:
                    ef:41:05:e5:8c:d1:04:2b:43:92:b3:55:19:59:d5:
                    bc:8c:23:69:78:60:97:68:df:69:9d:a7:0b:0b:cc:
                    3c:cf:03:16:86:e2:3b:a1:c7:d8:e7:57:98:18:63:
                    ad:92:a0:95:d4:6c:9b:53:d6:9c:19:3f:4f:c4:f3:
                    37:55:28:35:99:0b:37:1a:16:cf:45:fe:39:d8:10:
                    c1:39:09:36:a8:28:3b:d5:14:b6:5a:62:9c:9f:6e:
                    31:51:4a:55:4a:0d:c7:d0:1a:4c:ba:eb:32:f3:b3:
                    60:c3:76:46:71:e2:0e:77:44:a1:9b:66:63:d9:cf:
                    e7:4d
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         79:dc:19:9c:ba:0b:d7:97:f1:d8:81:d9:15:18:b2:99:62:56:
         4b:74:92:a2:f5:a9:9f:63:c2:09:c8:ab:41:5d:1b:f3:a9:48:
         3b:a0:94:ed:9d:70:53:c6:31:8a:c7:e9:65:75:94:25:98:55:
         0b:05:3c:d4:4e:21:ac:10:12:20:57:d1:72:b5:26:7f:79:fd:
         15:37:b0:0a:7f:32:85:fb:5e:c2:45:fb:b3:e2:e9:35:b3:24:
         e7:2e:08:81:57:dd:51:f5:b0:dc:71:57:ad:45:39:3c:17:c1:
         f4:31:58:ff:15:da:fd:29:9b:fa:59:24:95:58:d2:6b:6c:24:
         07:64:44:19:85:93:39:53:fd:c2:0e:f6:66:f6:2b:e7:a3:08:
         b0:99:ae:79:3a:7b:32:17:72:e6:89:ac:20:30:41:d3:6b:33:
         3f:10:71:7c:d8:82:b4:4a:6b:b6:a1:26:31:7e:e4:fc:3a:f3:
         67:a5:19:1d:3a:70:d1:06:95:23:e3:93:e1:39:1a:d0:05:e9:
         4c:27:91:f5:9a:06:a5:22:72:cc:95:51:72:a4:d7:2f:7d:ef:
         a3:60:9f:fa:62:7c:25:5f:d0:56:81:af:9a:bf:a4:0f:cc:3c:
         6b:13:66:a6:c3:05:ea:fa:00:ae:cf:bb:48:69:68:79:53:33:
         ec:f1:a9:4a