### Complete Example: CSR and Self-Signed Certificate Generation in Java Source: https://github.com/aws-samples/aws-kms-jce/blob/master/README.md Provides a comprehensive example of generating a CSR and a self-signed certificate within a Java application. It demonstrates initializing the KMS client, adding the KMS provider, obtaining a KeyPair, defining CSR information, and then generating both the CSR and the certificate. ```java public class Example { public static void main(String[] args) { KmsClient kmsClient = KmsClient.builder().build(); Security.addProvider(new KmsProvider(kmsClient)); KeyPair keyPair = KmsRSAKeyFactory.getKeyPair(kmsClient, KeyIds.SIGN_RSA); KmsSigningAlgorithm kmsSigningAlgorithm = KmsSigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256; CsrInfo csrInfo = CsrInfo.builder() .cn("kms.aws.amazon.com") .ou("AWS") .o("Amazon") .l("Sao Paulo") .st("Sao Paulo") .c("BR") .mail("kms@amazon.com") .build(); System.out.println("CSR Info: " + csrInfo.toString()); System.out.println(); String csr = CsrGenerator.generate(keyPair, csrInfo, kmsSigningAlgorithm); System.out.println("CSR:"); System.out.println(csr); String crt = SelfSignedCrtGenerator.generate(keyPair, csr, kmsSigningAlgorithm, 365); System.out.println("CRT:"); System.out.println(crt); } } ``` -------------------------------- ### Get Key References using KeyStore Source: https://github.com/aws-samples/aws-kms-jce/blob/master/README.md Illustrates how to access key references through the KMS KeyStore. This involves obtaining a KeyStore instance of type "KMS", loading it, and then using methods like aliases(), containsAlias(), size(), and getKey(). ```java KeyStore keyStore = KeyStore.getInstance("KMS"); keyStore.load(null, null); // Example usage keyStore.aliases(); keyStore.containsAlias(...); keyStore.size(); keyStore.getKey(...); ``` -------------------------------- ### Get Key References using KeyFactory Source: https://github.com/aws-samples/aws-kms-jce/blob/master/README.md Shows how to obtain key references (KeyPair, PrivateKey, PublicKey) for RSA and EC keys using the KmsRSAKeyFactory and KmsECKeyFactory. This method requires the key ID and is generally preferred for performance. ```java // For EC Keys KmsECKeyFactory.getKeyPair(...); KmsECKeyFactory.getPrivateKey(...); KmsECKeyFactory.getPublicKey(...); // For RSA Keys KmsRSAKeyFactory.getKeyPair(...); KmsRSAKeyFactory.getPrivateKey(...); KmsRSAKeyFactory.getPublicKey(...); ``` -------------------------------- ### Signing and Verifying Messages with AWS KMS JCE Source: https://github.com/aws-samples/aws-kms-jce/blob/master/README.md Provides an example of signing and verifying messages using the AWS KMS JCE Provider. It involves obtaining a Signature instance based on the KmsSigningAlgorithm enum and then using initSign/update/sign for signing, and initVerify/update/verify for verification. ```java KmsSigningAlgorithm kmsSigningAlgorithm = KmsSigningAlgorithm.; // Replace with desired algorithm Signature kmsSignature = Signature.getInstance(kmsSigningAlgorithm.getAlgorithm()); // Signing... kmsSignature.initSign(privateKey); kmsSignature.update(message.getBytes()); byte[] signatureBytes = kmsSignature.sign(); // Verifying... kmsSignature.initVerify(publicKey); kmsSignature.update(message.getBytes()); boolean valid = kmsSignature.verify(signatureBytes); ``` -------------------------------- ### Sign Data using JCA Signature API with KMS Keys Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt This example demonstrates how to sign data using the standard Java JCA Signature API, with the actual signing operation delegated to AWS KMS. It involves setting up the KMS client and provider, retrieving a KMS key pair, selecting a signing algorithm, and then using the `Signature` class to sign the data. The resulting signature is Base64 encoded. ```java import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.jce.provider.KmsProvider; import software.amazon.awssdk.services.kms.jce.provider.rsa.KmsRSAKeyFactory; import software.amazon.awssdk.services.kms.jce.provider.signature.KmsSigningAlgorithm; import java.security.Security; import java.security.Signature; import java.security.KeyPair; import java.util.Base64; // Setup KmsClient kmsClient = KmsClient.builder().build(); Security.addProvider(new KmsProvider(kmsClient)); String keyId = "arn:aws:kms:us-east-1:123456789012:key/signing-key-id"; // Get key pair KeyPair keyPair = KmsRSAKeyFactory.getKeyPair(kmsClient, keyId); // Select signing algorithm KmsSigningAlgorithm algorithm = KmsSigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256; // Create signature instance using JCA API Signature signature = Signature.getInstance(algorithm.getAlgorithm()); // Sign data String message = "Data to be signed"; signature.initSign(keyPair.getPrivate()); signature.update(message.getBytes()); byte[] signatureBytes = signature.sign(); System.out.println("Signature: " + Base64.getEncoder().encodeToString(signatureBytes)); // Output: Signature: MGYCMQDk... (Base64 encoded signature) ``` -------------------------------- ### Generate CSR and Self-Signed Certificate with AWS KMS JCE Provider (Java) Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt This example demonstrates the full workflow of initializing the AWS KMS JCE Provider, retrieving an RSA key pair from AWS KMS, generating a Certificate Signing Request (CSR), and creating a self-signed certificate. It requires the AWS SDK for Java v2 and the KMS JCE Provider library. ```java import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.jce.provider.KmsProvider; import software.amazon.awssdk.services.kms.jce.provider.rsa.KmsRSAKeyFactory; import software.amazon.awssdk.services.kms.jce.provider.signature.KmsSigningAlgorithm; import software.amazon.awssdk.services.kms.jce.util.crt.SelfSignedCrtGenerator; import software.amazon.awssdk.services.kms.jce.util.csr.CsrGenerator; import software.amazon.awssdk.services.kms.jce.util.csr.CsrInfo; import java.security.KeyPair; import java.security.Security; public class KmsJceExample { public static void main(String[] args) { // Initialize KMS client and provider KmsClient kmsClient = KmsClient.builder().build(); Security.addProvider(new KmsProvider(kmsClient)); // Get RSA key pair from KMS (with real public key for CSR generation) String rsaKeyId = "arn:aws:kms:us-east-1:123456789012:key/my-rsa-signing-key"; KeyPair keyPair = KmsRSAKeyFactory.getKeyPair(kmsClient, rsaKeyId); KmsSigningAlgorithm algorithm = KmsSigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256; // Build certificate subject information CsrInfo csrInfo = CsrInfo.builder() .cn("kms.aws.amazon.com") .ou("AWS") .o("Amazon") .l("Sao Paulo") .st("Sao Paulo") .c("BR") .mail("kms@amazon.com") .build(); System.out.println("CSR Info: " + csrInfo.toString()); // Output: CSR Info: CN=kms.aws.amazon.com, OU=AWS, O=Amazon, L=Sao Paulo, ST=Sao Paulo, C=BR, emailAddress=kms@amazon.com // Generate Certificate Signing Request String csr = CsrGenerator.generate(keyPair, csrInfo, algorithm); System.out.println("\nCSR:"); System.out.println(csr); // Generate Self-Signed Certificate (365 day validity) String crt = SelfSignedCrtGenerator.generate(keyPair, csr, algorithm, 365); System.out.println("Certificate:"); System.out.println(crt); } } ``` -------------------------------- ### RSA Key Factory - Get Key Pair with Public Key Fetch in Java Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt Retrieves RSA key references from AWS KMS using a key ID. The `getKeyPair(KmsClient, keyId)` method fetches the actual public key material, which is necessary for operations like Certificate Signing Request (CSR) generation. Alternatively, references without public key material can be obtained for signing-only operations. ```java import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.jce.provider.rsa.KmsRSAKeyFactory; import java.security.KeyPair; import java.security.PrivateKey; import java.security.PublicKey; KmsClient kmsClient = KmsClient.builder().build(); String keyId = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"; // Get KeyPair with real public key fetched from KMS (required for CSR/cert generation) KeyPair keyPair = KmsRSAKeyFactory.getKeyPair(kmsClient, keyId); PrivateKey privateKey = keyPair.getPrivate(); // KmsRSAPrivateKey reference PublicKey publicKey = keyPair.getPublic(); // KmsRSAPublicKey with actual key material // Get KeyPair without fetching public key (better performance for signing only) KeyPair keyPairRef = KmsRSAKeyFactory.getKeyPair(keyId); // Get individual key references KmsRSAPrivateKey privateKeyRef = KmsRSAKeyFactory.getPrivateKey(keyId); KmsRSAPublicKey publicKeyRef = KmsRSAKeyFactory.getPublicKey(keyId); KmsRSAPublicKey publicKeyWithMaterial = KmsRSAKeyFactory.getPublicKey(kmsClient, keyId); ``` -------------------------------- ### EC Key Factory - Get Elliptic Curve Key Pair in Java Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt Retrieves Elliptic Curve (EC) key references from AWS KMS. This factory supports ECC_NIST_P256, ECC_NIST_P384, and ECC_NIST_P521 key types. Similar to RSA, it allows fetching key pairs with public key material or just references for signing operations. ```java import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.jce.provider.ec.KmsECKeyFactory; import java.security.KeyPair; KmsClient kmsClient = KmsClient.builder().build(); String ecKeyId = "arn:aws:kms:us-east-1:123456789012:key/ec-key-id-here"; // Get EC KeyPair with real public key fetched from KMS KeyPair ecKeyPair = KmsECKeyFactory.getKeyPair(kmsClient, ecKeyId); // Get EC KeyPair without fetching public key (reference only) KeyPair ecKeyPairRef = KmsECKeyFactory.getKeyPair(ecKeyId); // Get individual EC key references KmsECPrivateKey ecPrivateKey = KmsECKeyFactory.getPrivateKey(ecKeyId); KmsECPublicKey ecPublicKey = KmsECKeyFactory.getPublicKey(ecKeyId); KmsECPublicKey ecPublicKeyWithMaterial = KmsECKeyFactory.getPublicKey(kmsClient, ecKeyId); ``` -------------------------------- ### Initialize AWS KMS JCE Provider Source: https://github.com/aws-samples/aws-kms-jce/blob/master/README.md Demonstrates how to initialize the AWS KMS JCE Provider by creating a KMS client and then instantiating the provider with the client. Customization of the KMS client is recommended. ```java KmsClient kmsClient = KmsClient.builder().build(); KmsProvider kmsProvider = new KmsProvider(kmsClient); // Register the provider Security.addProvider(kmsProvider); ``` -------------------------------- ### Build CSR Subject Information using CsrInfo Builder Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt Constructs the subject information for Certificate Signing Requests (CSRs) using the `CsrInfo` builder class. This utility helps format X.500 Distinguished Names required for certificate generation. ```java import software.amazon.awssdk.services.kms.jce.util.csr.CsrInfo; // Build CSR subject information CsrInfo csrInfo = CsrInfo.builder() .cn("example.com") // Common Name (required) .ou("Engineering") // Organizational Unit .o("Example Corp") // Organization .l("San Francisco") // Locality (City) .st("California") // State/Province .c("US") // Country (2-letter code) .mail("admin@example.com") // Email address .build(); // CsrInfo generates X.500 Distinguished Name format System.out.println(csrInfo.toString()); // Output: CN=example.com, OU=Engineering, O=Example Corp, L=San Francisco, ST=California, C=US, emailAddress=admin@example.com ``` -------------------------------- ### Define CSR Information with CsrInfo Source: https://github.com/aws-samples/aws-kms-jce/blob/master/README.md Defines the information required for a Certificate Signing Request (CSR) using the CsrInfo class. This includes details like Common Name (CN), Organization (O), and Country (C). No external dependencies are explicitly mentioned for this builder pattern. ```java CsrInfo csrInfo = CsrInfo.builder() .cn("...") //Common Name .ou("...") //Department Name / Organizational Unit .o("...") //Business name / Organization .l("...") //Town / City .st("...") //Province, Region, County or State .c("...") //Country .mail("...") //Email address .build(); ``` -------------------------------- ### Access KMS Keys by Alias using JCA KeyStore Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt This snippet shows how to use the JCA KeyStore interface to access AWS KMS keys by their alias names. It demonstrates retrieving the KMS KeyStore instance, listing aliases, checking for alias existence, and retrieving a signing key. The KMS provider must be registered for this to work. ```java import java.security.KeyStore; import java.security.Key; import java.util.Enumeration; // Get KMS KeyStore instance (requires provider to be registered) KeyStore keyStore = KeyStore.getInstance("KMS"); keyStore.load(null, null); // No password required for KMS // List all available key aliases Enumeration aliases = keyStore.aliases(); while (aliases.hasMoreElements()) { String alias = aliases.nextElement(); System.out.println("Found alias: " + alias); } // Check if an alias exists boolean exists = keyStore.containsAlias("alias/my-signing-key"); // Or without prefix: boolean existsAlt = keyStore.containsAlias("my-signing-key"); // Get key count int keyCount = keyStore.size(); // Retrieve a key by alias (returns RSA or EC private key based on key type) Key signingKey = keyStore.getKey("alias/my-signing-key", null); // Password parameter is ignored - KMS handles authentication ``` -------------------------------- ### Initialize AWS KMS JCE Provider in Java Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt Registers the AWS KMS JCE Provider with the Java Security framework. This requires an initialized KmsClient instance to communicate with AWS KMS. Once registered, KMS-backed cryptographic operations can be performed using standard JCA APIs. ```java import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.jce.provider.KmsProvider; import java.security.Security; import software.amazon.awssdk.regions.Region; // Create KMS client (uses default credential chain) KmsClient kmsClient = KmsClient.builder() .region(Region.US_EAST_1) .build(); // Create and register the KMS provider KmsProvider kmsProvider = new KmsProvider(kmsClient); Security.addProvider(kmsProvider); // Provider is now available for use with standard JCA APIs // Registered services: KeyStore type "KMS", all KMS signing algorithms ``` -------------------------------- ### Sign and Verify Data with KMS ECDSA Keys using JCA Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt Demonstrates signing and verifying data using Elliptic Curve keys with ECDSA algorithms via the JCA Signature API and the KMS JCE provider. This method is suitable for ECC keys managed by AWS KMS. ```java import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.jce.provider.KmsProvider; import software.amazon.awssdk.services.kms.jce.provider.ec.KmsECKeyFactory; import software.amazon.awssdk.services.kms.jce.provider.signature.KmsSigningAlgorithm; import java.security.Security; import java.security.Signature; import java.security.KeyPair; KmsClient kmsClient = KmsClient.builder().build(); Security.addProvider(new KmsProvider(kmsClient)); // Use an ECC key (ECC_NIST_P256, ECC_NIST_P384, or ECC_NIST_P521) String ecKeyId = "arn:aws:kms:us-east-1:123456789012:key/ec-signing-key"; KeyPair ecKeyPair = KmsECKeyFactory.getKeyPair(kmsClient, ecKeyId); // Use appropriate ECDSA algorithm for key size // P-256 -> ECDSA_SHA_256, P-384 -> ECDSA_SHA_384, P-521 -> ECDSA_SHA_512 KmsSigningAlgorithm ecAlgorithm = KmsSigningAlgorithm.ECDSA_SHA_256; // Sign String data = "Important document content"; Signature ecSigner = Signature.getInstance(ecAlgorithm.getAlgorithm()); ecSigner.initSign(ecKeyPair.getPrivate()); ecSigner.update(data.getBytes()); byte[] ecSignature = ecSigner.sign(); // Verify Signature ecVerifier = Signature.getInstance(ecAlgorithm.getAlgorithm()); ecVerifier.initVerify(ecKeyPair.getPublic()); ecVerifier.update(data.getBytes()); boolean ecValid = ecVerifier.verify(ecSignature); System.out.println("EC Signature valid: " + ecValid); // Output: EC Signature valid: true ``` -------------------------------- ### Generate Self-Signed Certificate with SelfSignedCrtGenerator Source: https://github.com/aws-samples/aws-kms-jce/blob/master/README.md Creates a self-signed certificate using the generated CSR, KeyPair, KMS signing algorithm, and a specified validity period in days. This is useful for testing or internal use cases where a trusted third-party Certificate Authority is not required. ```java int validity = 365; //In days String crt = SelfSignedCrtGenerator.generate(keyPair, csr, kmsSigningAlgorithm, validity); ``` -------------------------------- ### Map KMS Signing Algorithms to JCA Names Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt This snippet illustrates the `KmsSigningAlgorithm` enum, which maps AWS KMS signing algorithms to their corresponding Java JCA algorithm names. It shows how to access various signing algorithms and retrieve their properties like the JCA algorithm name, digest algorithm, and signing algorithm specification. ```java import software.amazon.awssdk.services.kms.jce.provider.signature.KmsSigningAlgorithm; // Available signing algorithms: // RSA-PSS algorithms KmsSigningAlgorithm.RSASSA_PSS_SHA_256 // "RSASSA-PSS/SHA256" KmsSigningAlgorithm.RSASSA_PSS_SHA_384 // "RSASSA-PSS/SHA384" KmsSigningAlgorithm.RSASSA_PSS_SHA_512 // "RSASSA-PSS/SHA512" // RSA PKCS#1 v1.5 algorithms KmsSigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256 // "SHA256withRSA" KmsSigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_384 // "SHA384withRSA" KmsSigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_512 // "SHA512withRSA" // ECDSA algorithms KmsSigningAlgorithm.ECDSA_SHA_256 // "SHA256withECDSA" KmsSigningAlgorithm.ECDSA_SHA_384 // "SHA384withECDSA" KmsSigningAlgorithm.ECDSA_SHA_512 // "SHA512withECDSA" // Access algorithm properties KmsSigningAlgorithm alg = KmsSigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256; String javaAlgorithm = alg.getAlgorithm(); // "SHA256withRSA" String digestAlgorithm = alg.getDigestAlgorithm(); // "SHA-256" SigningAlgorithmSpec spec = alg.getSigningAlgorithmSpec(); // KMS SDK enum ``` -------------------------------- ### Verify Signatures with KMS RSA Keys using JCA Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt Verifies digital signatures using the standard Java Cryptography Architecture (JCA) Signature API, with the actual verification performed by AWS KMS. This requires the KMS JCE provider to be registered and an RSA KMS key. ```java import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.jce.provider.KmsProvider; import software.amazon.awssdk.services.kms.jce.provider.rsa.KmsRSAKeyFactory; import software.amazon.awssdk.services.kms.jce.provider.signature.KmsSigningAlgorithm; import java.security.Security; import java.security.Signature; import java.security.KeyPair; // Setup (assumes provider already registered) KmsClient kmsClient = KmsClient.builder().build(); Security.addProvider(new KmsProvider(kmsClient)); String keyId = "your-kms-key-id"; KeyPair keyPair = KmsRSAKeyFactory.getKeyPair(kmsClient, keyId); KmsSigningAlgorithm algorithm = KmsSigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256; // Original message and signature (from signing operation) String message = "Data to be signed"; byte[] signatureBytes = // ... signature from signing operation // Verify signature Signature verifier = Signature.getInstance(algorithm.getAlgorithm()); verifier.initVerify(keyPair.getPublic()); verifier.update(message.getBytes()); boolean isValid = verifier.verify(signatureBytes); System.out.println("Signature valid: " + isValid); // Output: Signature valid: true ``` -------------------------------- ### Generate CSR using CsrGenerator Source: https://github.com/aws-samples/aws-kms-jce/blob/master/README.md Generates a Certificate Signing Request (CSR) from a given KeyPair, CsrInfo object, and KMS signing algorithm. This function is crucial for creating certificate requests that can be signed by a Certificate Authority or used for self-signing. ```java String csr = CsrGenerator.generate(keyPair, csrInfo, kmsSigningAlgorithm); ``` -------------------------------- ### Generate Certificate Signing Request (CSR) using AWS KMS JCE Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt Generates a PKCS#10 Certificate Signing Request (CSR) signed by an AWS KMS private key. This requires the AWS SDK for Java and the KMS JCE provider. The input is a KMS key ID and CSR information, and the output is a PEM-encoded CSR string. ```java import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.jce.provider.KmsProvider; import software.amazon.awssdk.services.kms.jce.provider.rsa.KmsRSAKeyFactory; import software.amazon.awssdk.services.kms.jce.provider.signature.KmsSigningAlgorithm; import software.amazon.awssdk.services.kms.jce.util.csr.CsrGenerator; import software.amazon.awssdk.services.kms.jce.util.csr.CsrInfo; import java.security.KeyPair; import java.security.Security; // Setup KmsClient kmsClient = KmsClient.builder().build(); Security.addProvider(new KmsProvider(kmsClient)); String keyId = "arn:aws:kms:us-east-1:123456789012:key/your-key-id"; KeyPair keyPair = KmsRSAKeyFactory.getKeyPair(kmsClient, keyId); KmsSigningAlgorithm algorithm = KmsSigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256; // Build CSR info CsrInfo csrInfo = CsrInfo.builder() .cn("api.example.com") .ou("API Services") .o("Example Corp") .l("Seattle") .st("Washington") .c("US") .mail("security@example.com") .build(); // Generate CSR (PEM encoded) String csr = CsrGenerator.generate(keyPair, csrInfo, algorithm); System.out.println(csr); // Output: // -----BEGIN CERTIFICATE REQUEST----- // MIICzDCCAbQCAQAwgYYxFTATBgNVBAMMDGFwaS5leGFtcGxl... // -----END CERTIFICATE REQUEST----- ``` -------------------------------- ### Generate Self-Signed Certificate using AWS KMS JCE Source: https://context7.com/aws-samples/aws-kms-jce/llms.txt Creates a self-signed X.509 certificate from a Certificate Signing Request (CSR) using an AWS KMS key for signing. This is useful for internal testing or establishing a private Certificate Authority. It depends on the AWS SDK for Java and the KMS JCE provider, taking a KMS key ID and CSR details as input to produce a PEM-encoded certificate. ```java import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.jce.provider.KmsProvider; import software.amazon.awssdk.services.kms.jce.provider.rsa.KmsRSAKeyFactory; import software.amazon.awssdk.services.kms.jce.provider.signature.KmsSigningAlgorithm; import software.amazon.awssdk.services.kms.jce.util.crt.SelfSignedCrtGenerator; import software.amazon.awssdk.services.kms.jce.util.csr.CsrGenerator; import software.amazon.awssdk.services.kms.jce.util.csr.CsrInfo; import java.security.KeyPair; import java.security.Security; // Setup KmsClient kmsClient = KmsClient.builder().build(); Security.addProvider(new KmsProvider(kmsClient)); String keyId = "your-kms-key-id"; KeyPair keyPair = KmsRSAKeyFactory.getKeyPair(kmsClient, keyId); KmsSigningAlgorithm algorithm = KmsSigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256; // Create CSR info CsrInfo csrInfo = CsrInfo.builder() .cn("internal-service.example.com") .ou("Internal Services") .o("Example Corp") .c("US") .build(); // Generate CSR first String csr = CsrGenerator.generate(keyPair, csrInfo, algorithm); // Generate self-signed certificate with 365-day validity int validityDays = 365; String certificate = SelfSignedCrtGenerator.generate(keyPair, csr, algorithm, validityDays); System.out.println(certificate); // Output: // -----BEGIN CERTIFICATE----- // MIIDXTCCAkWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBFMScw... // -----END CERTIFICATE----- ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.