Builder

Adds a subject alternative name (SAN) to the certificate. This is usually a literal hostname, a literal IP address, or a hostname pattern. If no subject alternative names are added that extension will be omitted.

Set this certificate to be a signing certificate, with up to maxIntermediateCas intermediate signing certificates beneath it.

Set this certificate's common name (CN). Historically this held the hostname of TLS certificate, but that practice was deprecated by RFC 2818 and replaced with addSubjectAlternativeName. If unset a random string will be used.

Sets the certificate to be valid immediately and until the specified duration has elapsed. The precision of this field is seconds; further precision will be truncated.

Configure the certificate to generate a 256-bit ECDSA key, which provides about 128 bits of security. ECDSA keys are noticeably faster than RSA keys.

Sets the public/private key pair used for this certificate. If unset a key pair will be generated.

Sets the certificate's organizational unit (OU). If unset this field will be omitted.

Configure the certificate to generate a 2048-bit RSA key, which provides about 112 bits of security. RSA keys are interoperable with very old clients that don't support ECDSA.

Sets this certificate's serial number. If unset the serial number will be 1.

Set the certificate that will issue this certificate. If unset the certificate will be self-signed.

Sets the certificate to be valid in ``[notBefore..notAfter]``. Both endpoints are specified in the format of System.currentTimeMillis. Specify -1L for both values to use the default interval, 24 hours starting when the certificate is created.