Class Certificate

java.lang.Object
org.shredzone.acme4j.AcmeResource
org.shredzone.acme4j.Certificate
All Implemented Interfaces:
Serializable

public class Certificate extends AcmeResource
Represents an issued certificate and its certificate chain.

A certificate is immutable once it is issued. For renewal, a new certificate must be ordered.

  • Constructor Details

  • Method Details

    • download

      public void download() throws AcmeException
      Downloads the certificate chain.

      The certificate is downloaded lazily by the other methods. Usually there is no need to invoke this method, unless the download is to be enforced. If the certificate has been downloaded already, nothing will happen.

      Throws:
      AcmeException - if the certificate could not be downloaded
    • getCertificate

      Returns the created certificate.
      Returns:
      The created end-entity X509Certificate without issuer chain.
    • getCertificateChain

      Returns the created certificate and issuer chain.
      Returns:
      The created end-entity X509Certificate and issuer chain. The first certificate is always the end-entity certificate, followed by the intermediate certificates required to build a path to a trusted root.
    • getAlternates

      public List<URL> getAlternates()
      Returns URLs to alternate certificate chains.
      Returns:
      Alternate certificate chains, or empty if there are none.
    • getAlternateCertificates

      Returns alternate certificate chains, if available.
      Returns:
      Alternate certificate chains, or empty if there are none.
      Since:
      2.11
    • isIssuedBy

      public boolean isIssuedBy(String issuer)
      Checks if this certificate was issued by the given issuer name.
      Parameters:
      issuer - Issuer name to check against, case-sensitive
      Returns:
      true if this issuer name was found in the certificate chain as issuer, false otherwise.
      Since:
      3.0.0
    • findCertificate

      Finds a Certificate that was issued by the given issuer name.
      Parameters:
      issuer - Issuer name to check against, case-sensitive
      Returns:
      Certificate that was issued by that issuer, or empty if there was none. The returned Certificate may be this instance, or one of the getAlternateCertificates() instances. If multiple certificates are issued by that issuer, the first one that was found is returned.
      Since:
      3.0.0
    • writeCertificate

      public void writeCertificate(Writer out) throws IOException
      Writes the certificate to the given writer. It is written in PEM format, with the end-entity cert coming first, followed by the intermediate certificates.
      Parameters:
      out - Writer to write to. The writer is not closed after use.
      Throws:
      IOException
    • getCertID

      Deprecated.
      No longer needed in the ACME context; it will be removed in a later version.
      Returns this certificate's CertID according to RFC 6960.

      This method requires the BouncyCastleProvider security provider.

      Since:
      3.0.0
    • getRenewalInfoLocation

      Returns the location of the certificate's RenewalInfo. Empty if the CA does not provide this information.
      Since:
      3.0.0
      Draft:
      This method is currently based on an RFC draft. It may be changed or removed without notice to reflect future changes to the draft. SemVer rules do not apply here.
    • hasRenewalInfo

      public boolean hasRenewalInfo()
      Returns true if the CA provides renewal information.
      Since:
      3.0.0
      Draft:
      This method is currently based on an RFC draft. It may be changed or removed without notice to reflect future changes to the draft. SemVer rules do not apply here.
    • getRenewalInfo

      Reads the RenewalInfo for this certificate.
      Returns:
      The RenewalInfo of this certificate.
      Throws:
      AcmeNotSupportedException - if the CA does not support renewal information.
      Since:
      3.0.0
      Draft:
      This method is currently based on an RFC draft. It may be changed or removed without notice to reflect future changes to the draft. SemVer rules do not apply here.
    • revoke

      public void revoke() throws AcmeException
      Revokes this certificate.
      Throws:
      AcmeException
    • revoke

      public void revoke(@Nullable RevocationReason reason) throws AcmeException
      Revokes this certificate.
      Parameters:
      reason - RevocationReason stating the reason of the revocation that is used when generating OCSP responses and CRLs. null to give no reason.
      Throws:
      AcmeException
    • revoke

      public static void revoke(Login login, X509Certificate cert, @Nullable RevocationReason reason) throws AcmeException
      Revoke a certificate.

      Use this method if the certificate's location is unknown, so you cannot regenerate a Certificate instance. This method requires a Login to your account and the issued certificate.

      Parameters:
      login - Login to the account
      cert - The X509Certificate to be revoked
      reason - RevocationReason stating the reason of the revocation that is used when generating OCSP responses and CRLs. null to give no reason.
      Throws:
      AcmeException
      Since:
      2.6
    • revoke

      public static void revoke(Session session, KeyPair domainKeyPair, X509Certificate cert, @Nullable RevocationReason reason) throws AcmeException
      Revoke a certificate.

      Use this method if the key pair of your account was lost (so you are unable to log in to your account), but you still have the key pair of the affected domain and the issued certificate.

      Parameters:
      session - Session connected to the ACME server
      domainKeyPair - Key pair the CSR was signed with
      cert - The X509Certificate to be revoked
      reason - RevocationReason stating the reason of the revocation that is used when generating OCSP responses and CRLs. null to give no reason.
      Throws:
      AcmeException
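
The following is an added example, not code from the acme4j project. It shows two operations documented above: pinning the deployed chain to one issuer with findCertificate before writeCertificate, and the revoke overload for a lost account key pair. The class name, method names, file paths and the KEY_COMPROMISE reason are assumptions, as are the Optional return type of findCertificate (its signature is not shown on this page) and the use of KeyPairUtils.readKeyPair to load the domain key.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.Reader;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.shredzone.acme4j.Certificate;
import org.shredzone.acme4j.RevocationReason;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.util.KeyPairUtils;

public final class CertificateOps { // hypothetical helper class

    /** Writes the chain issued by {@code issuer}; fails closed instead of falling back. */
    static void writeChainFor(Certificate cert, String issuer, Path pem) throws IOException {
        // The issuer match is case-sensitive and covers this chain and the alternates.
        Certificate chosen = cert.findCertificate(issuer)
                .orElseThrow(() -> new IllegalStateException("no chain issued by " + issuer));
        try (Writer out = Files.newBufferedWriter(pem, StandardCharsets.US_ASCII)) {
            chosen.writeCertificate(out); // PEM: end-entity first, then intermediates
        }
    }

    /** Revokes with the domain key pair when the account key pair is lost. */
    static void revokeWithDomainKey(String serverUri, Path keyPem, Path certPem)
            throws IOException, CertificateException, AcmeException {
        KeyPair domainKeyPair;
        try (Reader r = Files.newBufferedReader(keyPem)) {
            domainKeyPair = KeyPairUtils.readKeyPair(r); // key pair the CSR was signed with
        }
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(certPem)) {
            // Reads only the first certificate in the file: the end-entity certificate.
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        Session session = new Session(serverUri); // no Login needed for this overload
        Certificate.revoke(session, domainKeyPair, cert, RevocationReason.KEY_COMPROMISE);
    }
}
```

Throwing when the issuer is not found keeps a deployment from silently serving a chain other than the one it was pinned to.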