extgen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets());
// Second we see if there is Key usage override
X509Extensions overridenexts = extgen.generate();
if (certProfile.getAllowKeyUsageOverride() && (keyusage >= 0)) {
if (log.isDebugEnabled()) {
log.debug("AllowKeyUsageOverride=true. Using KeyUsage from parameter: "+keyusage);
if ( (certProfile.getUseKeyUsage() == true) && (keyusage >=0) ){
X509KeyUsage ku = new X509KeyUsage(keyusage);
// We don't want to try to add custom extensions with the same oid if we have already added them
// from the request, if AllowExtensionOverride is enabled.
// Two extensions with the same oid is not allowed in the standard.
if (overridenexts.getExtension(X509Extensions.KeyUsage) == null) {
X509Extensions.KeyUsage, certProfile.getKeyUsageCritical(), ku);
} else {
if (log.isDebugEnabled()) {
log.debug("KeyUsage was already overridden by an extension, not using KeyUsage from parameter.");
// Third, check for standard Certificate Extensions that should be added.
// Standard certificate extensions are defined in CertificateProfile and CertificateExtensionFactory
// and implemented in package org.ejbca.core.model.certextensions.standard
CertificateExtensionFactory fact = CertificateExtensionFactory.getInstance();
List<String> usedStdCertExt = certProfile.getUsedStandardCertificateExtensions();
Iterator<String> certStdExtIter = usedStdCertExt.iterator();
overridenexts = extgen.generate();
String oid = certStdExtIter.next();
// We don't want to try to add standard extensions with the same oid if we have already added them
// from the request, if AllowExtensionOverride is enabled.
// Two extensions with the same oid is not allowed in the standard.
if (overridenexts.getExtension(new DERObjectIdentifier(oid)) == null) {
CertificateExtension certExt = fact.getStandardCertificateExtension(oid, certProfile);
if (certExt != null) {
DEREncodable value = certExt.getValue(subject, this, certProfile, publicKey, caPublicKey);
if (value != null) {
extgen.addExtension(new DERObjectIdentifier(certExt.getOID()),certExt.isCriticalFlag(),value);
} else {
if (log.isDebugEnabled()) {
log.debug("Extension with oid "+oid+" has been overridden, standard extension will not be added.");
// Fourth, check for custom Certificate Extensions that should be added.
// Custom certificate extensions is defined in certextensions.properties
fact = CertificateExtensionFactory.getInstance();
List<Integer> usedCertExt = certProfile.getUsedCertificateExtensions();
Iterator<Integer> certExtIter = usedCertExt.iterator();
Integer id = certExtIter.next();
CertificateExtension certExt = fact.getCertificateExtensions(id);
if (certExt != null) {
// We don't want to try to add custom extensions with the same oid if we have already added them
// from the request, if AllowExtensionOverride is enabled.
// Two extensions with the same oid is not allowed in the standard.
if (overridenexts.getExtension(new DERObjectIdentifier(certExt.getOID())) == null) {
DEREncodable value = certExt.getValue(subject, this, certProfile, publicKey, caPublicKey);
if (value != null) {
extgen.addExtension(new DERObjectIdentifier(certExt.getOID()),certExt.isCriticalFlag(),value);
} else {
if (log.isDebugEnabled()) {
log.debug("Extension with oid "+certExt.getOID()+" has been overridden, custom extension will not be added.");
// Finally add extensions to certificate generator
X509Extensions exts = extgen.generate();
Enumeration en = exts.oids();
while (en.hasMoreElements()) {
DERObjectIdentifier oid = (DERObjectIdentifier)en.nextElement();
X509Extension ext = exts.getExtension(oid);
certgen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets());
// End of extensions