}
// convert to X509CertImpl, so that we can modify selected fields
// (no public APIs available yet)
byte[] encoded = oldCert.getEncoded();
X509CertImpl certImpl = new X509CertImpl(encoded);
X509CertInfo certInfo = (X509CertInfo)certImpl.get(X509CertImpl.NAME +
"." + X509CertImpl.INFO);
// get an X509Certificate from the signing_alias
encoded = signingCert.getEncoded();
X509CertImpl signingCertImpl = new X509CertImpl(encoded);
X509CertInfo signingCertInfo = (X509CertInfo)
signingCertImpl.get(X509CertImpl.NAME
+ "." + X509CertImpl.INFO);
// Extend its validity
int validity = 180; // 180 days default
Date firstDate = new Date();
Date lastDate = new Date();
lastDate.setTime(firstDate.getTime() + validity*1000*24*60*60L);
CertificateValidity interval = new CertificateValidity(firstDate,
lastDate);
certInfo.set(X509CertInfo.VALIDITY, interval);
// Make new serial number
certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber
((int)(firstDate.getTime()/1000)));
// Set owner and issuer fields
X500Name owner;
// Get the owner name from the certificate
owner = (X500Name)certInfo.get(X509CertInfo.SUBJECT + "." +
CertificateSubjectName.DN_NAME);
// Get the issuer name - the owner of the signing certificate
X500Name issuer;
issuer = (X500Name)signingCertInfo.get(X509CertInfo.SUBJECT + "." +
CertificateSubjectName.DN_NAME);
certInfo.set(X509CertInfo.ISSUER + "." +
CertificateIssuerName.DN_NAME, issuer);
// The inner and outer signature algorithms have to match.
// The way we achieve that is really ugly, but there seems to be no
// other solution: We first sign the cert, then retrieve the
// outer sigalg and use it to set the inner sigalg
X509CertImpl newCert = new X509CertImpl(certInfo);
newCert.sign(privKey, sigAlgName);
AlgorithmId sigAlgid = (AlgorithmId)newCert.get(X509CertImpl.SIG_ALG);
certInfo.set(CertificateAlgorithmId.NAME + "." +
CertificateAlgorithmId.ALGORITHM, sigAlgid);
// Sign the new certificate
newCert = new X509CertImpl(certInfo);
newCert.sign(privKey, sigAlgName);
// Store the new certificate as a single-element certificate chain
keyStore.setKeyEntry(signee_alias, privKey,
(keyPass != null) ? keyPass : storePass,
new Certificate[] { newCert });
System.err.println("New certificate signed & inserted into KeyStore!");
System.err.print(newCert.toString());
System.err.println();
}