The encoding is definitely not correct. The first argument needs to be the DER-encoding of the issuer name from the certificate. The type of the issuerName field is not a PrintableString. It is a "Name", which is a sequence of RelativeDistinguishedNames, each of which is a set of AttributeTypeAndValue. This is all defined in RFC 3280.
However you don't have to worry about all these details, because you already have the completely formed issuer name in the original certificate. You just need to extract it cleanly. If you are using JDK 1.4, you can just call getIssuerX500Principal() on the certificate. The Java class X500Principal represents the ASN.1 type "Name", so if you just call X500Principal.getEncoded() you will get the DER-encoding of the issuer name. If you are using a previous version of JDK, I don't think you can get the DER-encoding of the issuer name directly from X509Certificate. You can use the package org.mozilla.jss.pkix.cert to pick apart the certificate. That code would look something like this: import org.mozilla.jss.pkix.cert.Certificate; import org.mozilla.jss.asn1.ASN1Util; import org.mozilla.jss.pkix.primitive.Name; byte[] derCert = allCerts[0].getEncoded(); Certificate cert = ASN1Util.decode(Certificate.getTemplate(), derCert); Name issuerName = cert.getIssuer(); byte[] derIssuer = ASN1Util.encode(issuerName); Now let's look at the serial number. The javadoc for findCertByIssuerAndSerialNumber states that the serialNumber argument is "the contents octets of a DER-encoding of the certificate serial number." It turns out that this is exactly what you get if you call BigInteger.toByteArray(). So you can just do this: byte[] derSerial = allCerts[0].getSerialNumber().toByteArray(); Hopefully this will help. Beware of errors in the above code, I have not tested it. -jamie
