1. Overview
The Common Name (CN) is an attribute within the Distinguished Name (DN) field in an X.509 certificate. The CN is usually the domain name of the organization to which the certificate belongs. Sometimes, we need to access the CN value from the certificate file in our application.
In this tutorial, we’ll learn different ways of extracting the CN value in Java.
2. Common Name
A certificate contains information about the owner of the certificate: duration of validity, certificate usage, DN, etc.
The Distinguished Name or DN essentially consists of a set of name-value pairs, with names like Country (C), Organization (O), Organizational Unit (OU), CN, and a few others.
A DN looks something like “CN=Baeldung, L=Casablanca, ST=Morocco, C=MA“. As shown in this example, the CN is usually the domain name of the site.
To extract the CN from an X.509 certificate in Java, we can do the following:
- Parse the certificate
- Get its DN
- Parse the DN to extract the CN
In the following sections, we’ll extract the CN using different libraries.
3. Using the BouncyCastle
BouncyCastle is a collection of APIs for the cryptographic operations that complements the default Java Cryptographic Extension (JCE). Also, it provides an easy way to get information about the certificate.
3.1. Maven Dependency
Let’s start by declaring the bouncycastle dependency in our pom.xml:
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<version>1.70</version>
</dependency>
First, let’s get an X509Certificate object from our certificate file:
Security.addProvider(new BouncyCastleProvider());
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(new FileInputStream("src/main/resources/Baeldung.cer"));
In the code above, we register the BouncyCastleProvider as a security provider using the addProvider() method. After that, we create a CertificateFactory object using the getInstance() method. The getInstance() method takes two arguments – the certificate type “X.509” and the security provider “BC“. The certificateFactory instance is subsequently used to generate an X509Certificate object via the generateCertificate() method.
Next, let’s get the CN from the X509Certificate object:
@Test
void whenUsingBouncyCastle_thenExtractCommonName() {
X500Principal principal = certificate.getSubjectX500Principal();
X500Name x500Name = new X500Name(principal.getName());
RDN[] rdns = x500Name.getRDNs(BCStyle.CN);
List<String> names = new ArrayList<>();
for (RDN rdn : rdns) {
String name = IETFUtils.valueToString(rdn.getFirst().getValue());
names.add(name);
}
for (String commonName : names) {
assertEquals("Baeldung", commonName);
}
}
In this code, we retrieve the subject DN in X500Principal format using the getSubjectX500Principal() method. Then, we convert that DN into BouncyCastle’s X500Name representation. After that, we extract the CNs from the X500Name object via the getRDNs() method.
An RDN is a BouncyCastle class that represents a single part of the X.500Name object. An X.500Name object is composed of several RDNs, each of which consists of an attribute type and an attribute value. Finally, we use the BCStyle.CN, which is a BouncyCastle constant for the CN attribute type.
4. Using Regular Expressions
Regular expressions (regex) are a powerful tool for string manipulation in Java. We can use it to extract the CN from a certificate.
Let’s create a test case to extract the CN:
@Test
void whenUsingRegex_thenExtractCommonName() {
X500Principal principal = certificate.getSubjectX500Principal();
List<String> names = new ArrayList<>();
Pattern pattern = Pattern.compile("CN=([^,]+)");
Matcher matcher = pattern.matcher(principal.getName());
while (matcher.find()) {
names.add(matcher.group(1));
}
for (String commonName : names) {
assertEquals("Baeldung", commonName);
}
}
In the above code, we use the Pattern and Matcher classes. We first create a Pattern object by calling its static compile() method and passing it the “CN=([^,]+)” pattern. Then, we create a Matcher object by calling the Pattern object’s matcher() method and passing it the DN value. Finally, we call the find() method in the Matcher object.
5. Using the Cryptacular Library
Another way of getting the CN value from the certificate is by using the Cryptacular library.
5.1. Maven Dependency
Let’s declare the cryptacular dependency in our pom.xml:
<dependency>
<groupId>org.cryptacular</groupId>
<artifactId>cryptacular</artifactId>
<version>1.2.6</version>
</dependency>
Let’s create a test case in which we extract the CN using the CertUtil class:
@Test
void whenUsingCryptacular_thenExtractCommonName() {
String commonName = CertUtil.subjectCN(certificate);
assertEquals("Baeldung", commonName);
}
We use the subjectCN() method to extract the CN from the X509Certificate object.
Also, we should note that when a certificate has multiple CNs, this library only returns one CN.
6. Using the LDAP API
We can also use the standard LDAP API from the JDK to achieve the same goal:
@Test
void whenUsingLDAPAPI_thenExtractCommonName() throws Exception {
X500Principal principal = certificate.getSubjectX500Principal();
LdapName ldapDN = new LdapName(principal.getName());
List<String> names = new ArrayList<>();
for (Rdn rdn : ldapDN.getRdns()) {
if (rdn.getType().equalsIgnoreCase("cn")) {
String name = rdn.getValue().toString();
names.add(name);
}
}
for (String commonName : names) {
assertEquals("Baeldung", commonName);
}
}
The above code deals with parsing a DN from an X.509 certificate in the context of LDAP. We construct the LdapName object from the string representation of the DN. It’s a way of converting a DN from the context of X.509 certificates into the context of LDAP.
Once we have an instance of LdapName, we can easily dissect the DN into its individual components (like CN, OU, O, etc.) using the getRdns() method.
7. Conclusion
The CN is a very important part of certificates. In the context of SSL/TLS certificates, the CN is used to indicate the domain name associated with the certificate.
In this article, we learned how to extract the CN value of a certificate file using several approaches.
As always, code samples can be found over on GitHub.
