Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Refactor Java code safely — and automatically — with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Distributed systems often come with complex challenges such as service-to-service communication, state management, asynchronous messaging, security, and more.
Dapr (Distributed Application Runtime) provides a set of APIs and building blocks to address these challenges, abstracting away infrastructure so we can focus on business logic.
In this tutorial, we'll focus on Dapr's pub/sub API for message brokering. Using its Spring Boot integration, we'll simplify the creation of a loosely coupled, portable, and easily testable pub/sub messaging system:
1. Overview
Signing a Certificate Signing Request (CSR) is a common operation in cryptography. In this tutorial, we’ll learn how to sign a CSR using the Bouncy Castle library.
2. Signing a CSR
Signing a CSR is a process by which a Certificate Authority (CA) validates the information in the CSR and issues a certificate. The CA signs the certificate using its private key. The signed certificate can then establish secure connections between clients and servers.
To sign a CSR using Bouncy Castle, we need to perform a few basic steps:
- Generate a trusted entity CA certificate and a private key.
- Generate the Certificate Signing Request (CSR).
- Sign the CSR using the CA certificate and private key.
3. Setup
We need to add the Bouncy Castle library to our project so that we can use it to sign a CSR. Let’s add its Maven dependency to our pom.xml file:
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk18on</artifactId>
<version>1.76</version>
</dependency>
Next, we need to create a SecurityProvider class to register the Bouncy Castle provider:
static {
Security.addProvider(new BouncyCastleProvider());
}4. Sign a CSR Using Bouncy Castle
Signing a CSR using Bouncy Castle involves several steps. Let’s go through each step in detail.
4.1. Generate a Trusted Entity CA Certificate and a Private Key
The CA is a trusted entity that issues certificates to clients. We must generate a CA certificate and private key to sign the CSR. Let’s start by generating a key pair:
public static KeyPair generateRSAKeyPair() {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
return keyPairGenerator.generateKeyPair();
}4.2. Generate the Certificate Signing Request
Let’s create the Certificate Signing Request (CSR) based on our key pair:
public static PKCS10CertificationRequest generateCSR(KeyPair pair) {
PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
new X500Principal("CN=Requested Test Certificate"), pair.getPublic());
JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withRSA");
ContentSigner signer = csBuilder.build(pair.getPrivate());
return p10Builder.build(signer);
}4.3. Sign the Certificate Signing Request
Next, we must create a certificate generator to sign the CSR using the CA certificate and private key. Let’s go through the code to sign the CSR:
public X509Certificate sign(PKCS10CertificationRequest inputCSR, PrivateKey caPrivate, KeyPair pair) {
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1withRSA");
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(caPrivate.getEncoded());
SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded());
X509v3CertificateBuilder myCertificateGenerator = new X509v3CertificateBuilder(
new X500Name("CN=issuer"),
new BigInteger("1"),
new Date(System.currentTimeMillis()),
new Date(System.currentTimeMillis() + 30L * 365 * 24 * 60 * 60 * 1000),
inputCSR.getSubject(),
keyInfo);
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(foo);
X509CertificateHolder holder = myCertificateGenerator.build(sigGen);
Certificate eeX509CertificateStructure = holder.toASN1Structure();
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
X509Certificate theCert = (X509Certificate) cf.generateCertificate(is1);
is1.close();
return theCert;
}The method begins by identifying the signature and digest algorithms to be used for signing the certificate. We use the DefaultSignatureAlgorithmIdentifierFinder and DefaultDigestAlgorithmIdentifierFinder classes to find these algorithms.
AsymmetricKeyParameter is used to create the CA’s private key from the encoded bytes. We use the PrivateKeyFactory class to create the private key from the encoded bytes. SubjectPublicKeyInfo is used to specify the public key information.
Next, we create the certificate builder. It sets the issuer, serial number, validity period, subject, and public key for the certificate.
Then, we create ContentSigner using the signature and digest algorithms and the CA’s private key, which is used to sign the certificate.
Finally, the method builds the certificate, converts it to an X509Certificate, and returns it.
5. Testing
Let’s write a test to verify the signing process:
@Test
public void givenCSR_whenSignWithBC_thenSuccess() {
SignCSRBouncyCastle signCSRBouncyCastle = new SignCSRBouncyCastle();
KeyPair pair = SignCSRBouncyCastle.generateRSAKeyPair();
PKCS10CertificationRequest csr = SignCSRBouncyCastle.generateCSR(pair);
KeyPair caPair = SignCSRBouncyCastle.generateRSAKeyPair();
X509Certificate signedCert = signCSRBouncyCastle.signCSR(csr, caPair.getPrivate(), pair);
assertThat(signedCert).isNotNull();
assertThat(signedCert.getSubjectDN().getName()).isEqualTo("CN=Requested Test Certificate");
assertDoesNotThrow(() -> signedCert.verify(caPair.getPublic()));
}In the test, we generate a key pair and create a CSR. Then, we generate a CA key pair and sign the CSR using the CA private key. Finally, we verify the signed certificate using the CA public key.
6. Conclusion
In this tutorial, we learned how to sign a CSR using the Bouncy Castle library. We generated a key pair, created a CSR, generated a CA key pair, and signed the CSR using a CA certificate. We also wrote a test to verify the signing process.
