How to check if X509Certificate is CA certificate?

Jurica Krizanic picture Jurica Krizanic · Aug 23, 2012 · Viewed 12.5k times · Source

I have a X509Certificate instance in Java and I need to identify if it is a CA certificate or user certificate.

Can anyone provide any help?

Thanks in advance!

Answer

Jurica Krizanic picture Jurica Krizanic · Aug 27, 2012

According to research I have performed, it can be checked by checking basic constraints! Check the API for returning results of getBasicConstraints() method.

So if the method returns result != -1, a certificate can be considered as a CA certificate.

I have checked this with several CA certificates (root and intermediate), and it works as described. I have also checked this method with several user certificates, and the method returns -1 as result.