Managing X.509 Certificates

A certificate is a digitally signed statement vouching for the identity and public key of an entity (person, company, and so on). Certificates can either be self-signed or issued by a Certificate Authority (CA), which is an entity that is trusted to issue valid certificates for other entities. Well-known CAs (at the time of this writing) include Comodo, Entrust, and GoDaddy. X.509 is a common certificate format.

The Java platform includes a special built-in key store, cacerts, that contains a number of certificates for well-known, trusted CAs. The keytool command is able to list the certificates included in cacerts. See Certificate Structure and Analysis Methods for more information.

The sections below provide information on a variety of topics related to X.509 certificates in the JDK.


Certificate Structure and Analysis Methods

Learn how X.509 certificates are structured. Find out how to access the information contained in a certificate, such as who issued it and when it will expire.


Expired Certificates

Learn how to check a certificate's validity, and how to replace expired certificates.


Revoked Certificates

The revocation status of a certificate must be verified before it can be trusted. Learn more about how this is done.


Certificate Signing Requests (CSR)

A certificate signing request (CSR) allows a client to ask for an X.509 certificate to be issued.


Other Certificate Troubleshooting Topics