Tech and Media Labs
This site uses cookies to improve the user experience.

Java Certificate

Jakob Jenkov
Last update: 2018-02-12

The Java Certificate class ( represents a cryptographic identity certificate. A Java Certificate class instance contains name plus other details of the entity it identifies, plus possibly a digital signature from a Certificate Authority (CA).

The Java Certificate class is an abstract class, so while you may use Certificate as variable type, your variable will always point to a subclass of Certificate.

The Java Certificate class has one subclass - the X509Certificate class. This class represents an X.509 certificate which is used as identity certificate in HTTPS and TLS.

Obtaining a Certificate Instance

You can obtain a Certificate instance in the following ways:

See these two tutorials for more information about obtaining a Certificate instance.


The Java Certificate getEncoded() method returns an encoded version of the Certificate as a byte array. For instance, if the Certificate is an X509Certificate the returned byte array will contain an X.590 (ASN.1 DER) encoded version of the Certificate instance. Here is a getEncoded() example:

byte[] encodedCertificate = certificate.getEncoded();


The Java Certificate getPublicKey() method returns the PublicKey of this Certificate instance. Here is a getPublicKey() example:

PublicKey certificatePublicKey = certificate.getPublicKey();


The Java Certificate getType() method returns the type of the Certificate instance. Here is a getType() example:

String certificateType = certificate.getType();


The Java Certificate class contains three verify() methods. These methods can be used to verify that the Certificate is really signed with the private key matching the expected public key. Here is a Java Certificate verify() example:

// get expected public key from somewhere else (not Certificate instance !!)
PublicKey expectedPublicKey = ... ;


} catch (InvalidKeyException e) {
    // certificate was not signed with given public key

} catch (NoSuchAlgorithmException |
         NoSuchProviderException |
         SignatureException |
         CertificateException e){
    // something else went wrong

The verify() method returns void. If the verification fails, an InvalidKeyException will be thrown. If no exception is thrown the Certificate instance can be considered verified.

Jakob Jenkov

Copyright  Jenkov Aps
Close TOC