JavaCA is a text interface tool to run your own X.509 (aka SSL) Certificate Authority. OpenSSL has historically been used for this task, but its interface, especially if you want to add subject alternative names to your certificates, is a bit weak. JavaCA aims to be a bit more user-friendly. It also should run on non-UNIX operating systems where OpenSSL may not be available.


JavaCA was developed using Java 1.4 from Sun. It also requires the Bouncy Castle crypto provider. JavaCA was developed against version 1.15 but I recommend trying the latest release first.




0.2: Added support for importing encrypted OpenSSL traditional format keys. Thanks to Philipp Stratmann for the pointer to the Globus Java CoG project which has some code to do the same thing which I was able to borrow from.


Here's a "screenshot" of the main menu, which should give you an idea of what JavaCA can do. Menu options that are "commented out" with a hash mark are not yet implemented.

Main Menu

1:  Issue a new certificate
2:  #Issue a new certificate based on a CSR
3:  #Renew a previously issued certificate
4:  List certificates issued
5:  #Revoke a certificate
6:  Export CA certificate to a file
7:  Exit



To quote the usage message:

Usage:  java -cp bcprov-xxx.jar:. oss.javaca.JavaCA [-d] path/to/CA_keystore

The keystore doesn't have to exist yet, you will
be prompted to create it if necessary.

The -d option turns on debug mode, which causes
stack traces for every Exception caught, and
possibly other useful debug output.

The CA keystore is the file where your CA's private key will be held. It will be password protected, but should also be kept in a safe location. From there it should hopefully be fairly easy to use.

Explanation of Terms


The acronym PKCS is used a lot in cryptography. It stands for Public Key Cryptography Standards. These standards are issued by RSA and can be found on the web at These standards include:

ASN.1, DER and PEM

ASN.1 is a standard for describing data in a portable fashion so that it can be exchanged by computer systems. It is used by all kinds of things from LDAP to cell phones. ASN.1 is used in cryptography for describing keys. DER is a standard for encoding ASN.1 data into a stream of bytes. PEM (RFCs 1421-1424) defined a way to take a stream of bytes and make an ASCII text message out of them. Essentially PEM says you Base64 (RFC 2045, section 6.8) encode the DER encoded data and then wrap it with some header and footer lines.

Key File Formats

Certificates by themselves are easy, they are pretty much always stored in a PEM encoded file.

Private keys are a bit more confusing. There are three common formats. The first is OpenSSL's "traditional" format. OpenSSL defaults to this format and it is what you get if you've followed most of the "How to be your own CA" documents on the web. Because this format is so common for existing keys, JavaCA supports it for importing an existing CA.

The second format is PKCS#8. OpenSSL can transparently read either traditional or PKCS#8 keys, and recommends PKCS#8 format in all of their documentation, so JavaCA does not support writing new certificates out in traditional format, only PKCS#8.

The third format is PKCS#12, which generally is used for distributing a key and certificate to a user. Web browsers in particular support this format for reading in personal certificates. JavaCA supports writing new certificates out in PKCS#12.

Bugs/Wish List

jheiss at
$Id: index.shtml,v 1.2 2004/01/12 03:12:18 jheiss Exp $