diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 549c6a7a90..fdabf60ab0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [11, 17]
+        java: [11, 17, 21]
     name: "Java ${{ matrix.java }} build"
     steps:
       - uses: actions/checkout@v4
diff --git a/Dockerfile b/Dockerfile
index 7309f994b4..f59e32e1d2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ FROM --platform=$BUILDPLATFORM debian:bullseye-slim AS project-build
 # Install build dependencies
 RUN \
   apt-get update && \
-  apt-get install -y --no-install-recommends openjdk-17-jdk maven unzip chromium git && \
+  apt-get install -y --no-install-recommends openjdk-21-jdk maven unzip chromium git && \
   # Workaround Chromium binary path for arm64 (see https://github.com/puppeteer/puppeteer/blob/v4.0.0/src/Launcher.ts#L110)
   ln -s /usr/bin/chromium /usr/bin/chromium-browser
 
diff --git a/openam-authentication/openam-auth-cert/src/main/java/com/sun/identity/authentication/modules/cert/Cert.java b/openam-authentication/openam-auth-cert/src/main/java/com/sun/identity/authentication/modules/cert/Cert.java
index 3872c367ec..9300dd67b0 100644
--- a/openam-authentication/openam-auth-cert/src/main/java/com/sun/identity/authentication/modules/cert/Cert.java
+++ b/openam-authentication/openam-auth-cert/src/main/java/com/sun/identity/authentication/modules/cert/Cert.java
@@ -25,7 +25,7 @@
  * $Id: Cert.java,v 1.14 2009/03/13 20:54:42 beomsuk Exp $
  *
  * Portions Copyrighted 2013-2017 ForgeRock AS.
- * Portions Copyrighted 2022 Wren Security
+ * Portions Copyrighted 2022-2025 Wren Security
  */
 
 package com.sun.identity.authentication.modules.cert;
@@ -62,6 +62,7 @@
 import com.sun.identity.security.cert.AMCertPath;
 import com.sun.identity.security.cert.AMCertStore;
 import com.sun.identity.security.cert.AMLDAPCertStoreParameters;
+import com.sun.identity.security.cert.SunSecurityProviderCompat;
 import com.sun.identity.shared.datastruct.CollectionHelper;
 import com.sun.identity.shared.encode.Base64;
 
@@ -86,31 +87,31 @@ public class Cert extends AMLoginModule {
 
     // from profile server.
     // default: MUST HAVE where is the ldap server.
-    private String amAuthCert_serverHost;  
-    // default: values stored in auth.certificate.ldap.server.context; 
+    private String amAuthCert_serverHost;
+    // default: values stored in auth.certificate.ldap.server.context;
     // think ok to be nil.
-    private String amAuthCert_startSearchLoc;  
+    private String amAuthCert_startSearchLoc;
     // none, simple or CRAM-MD5 (default to NONE)
-    private String amAuthCert_securityType; 
+    private String amAuthCert_securityType;
     // ldap user name [if missing default to amAuthCert_securityType to none.]
-    private String amAuthCert_principleUser;  
-    // ldap user's passwd  
+    private String amAuthCert_principleUser;
+    // ldap user's passwd
     // [if missing default to amAuthCert_securityType to none.]
-    private String amAuthCert_principlePasswd;  
+    private String amAuthCert_principlePasswd;
     // use ssl to talk to ldap. default is false.
-    private String amAuthCert_useSSL;        
+    private String amAuthCert_useSSL;
     // Field in Cert to user to access user profile.  default to DN
-    private String amAuthCert_userProfileMapper;    
-    // Alternate Field in Cert to userid to access user profile 
+    private String amAuthCert_userProfileMapper;
+    // Alternate Field in Cert to userid to access user profile
     // if above is "other"
     private String amAuthCert_altUserProfileMapper;
-    // SubjectAltNameExtension Value Type OID 
+    // SubjectAltNameExtension Value Type OID
     // This OID type of value is retrieved and used to access user profile
     private String amAuthCert_subjectAltExtMapper;
     // check user cert against revoke list in LDAP.
-    private String amAuthCert_chkCRL;        
+    private String amAuthCert_chkCRL;
     // check CA cert against revoke list in LDAP.
-    private String amAuthCert_validateCA;        
+    private String amAuthCert_validateCA;
     // attr to use in search for user cert in CRL in LDAP
     private String amAuthCert_chkAttrCRL = null;
     // attributes to use in searchfilter to find crlDistributionPoint entry in LDAP
@@ -119,11 +120,11 @@ public class Cert extends AMLoginModule {
     // params to use in accessing CRL DP
     private String amAuthCert_uriParamsCRL = null;
     // check user cert with cert in LDAP.
-    private String amAuthCert_chkCertInLDAP; 
+    private String amAuthCert_chkCertInLDAP;
     // attr to use in search for user cert in LDAP
     private String amAuthCert_chkAttrCertInLDAP = null;
     // this is what appears in the user selectable choice field.
-    private String amAuthCert_emailAddrTag; 
+    private String amAuthCert_emailAddrTag;
     private int amAuthCert_serverPort =389;
     private boolean portal_gw_cert_auth_enabled = false;
     private boolean portal_gw_cert_preferred = false;
@@ -141,18 +142,18 @@ public class Cert extends AMLoginModule {
     static final int ldap_version = 3;
 
     private static final String amAuthCert = "amAuthCert";
-    
+
     private static com.sun.identity.shared.debug.Debug debug = null;
 
     static String UPNOID = "1.3.6.1.4.1.311.20.2.3";
 
     private String amAuthCert_cacheCRL;
     private boolean doCRLCaching = true;
-    
+
     //attribute and flag to check whether CRLs should be updated from CRL distribution point
     private String amAuthCert_updateCRL;
     private boolean doCRLUpdate = true;
-    
+
 
     /**
      * Default module constructor does nothing
@@ -161,11 +162,12 @@ public Cert() {
     }
 
     /**
-     * Initialize module 
+     * Initialize module
      * @param subject for auth
      * @param sharedState with auth framework
      * @param options for auth
      */
+    @Override
     public void init(Subject subject, Map sharedState, Map options) {
         if (debug == null) {
             debug = com.sun.identity.shared.debug.Debug.getInstance(amAuthCert);
@@ -179,11 +181,11 @@ public void init(Subject subject, Map sharedState, Map options) {
             debug.message("Cert Auth resbundle locale="+locale);
             debug.message("Cert auth init() done");
         }
-    } 
+    }
 
     private void initAuthConfig() throws AuthLoginException {
         if (options != null) {
-            debug.message("Certificate: getting attributes."); 
+            debug.message("Certificate: getting attributes.");
             // init auth level
             String authLevel = CollectionHelper.getMapAttr(
                 options, "iplanet-am-auth-cert-auth-level");
@@ -195,7 +197,7 @@ private void initAuthConfig() throws AuthLoginException {
                     // invalid auth level
                     debug.error("Invalid auth level " + authLevel, e);
                 }
-            } 
+            }
             // will need access control to ldap server; passwd and user name
             // will also need to yank out the user profile based on cn or dn
             //  out of "profile server"
@@ -208,17 +210,17 @@ private void initAuthConfig() throws AuthLoginException {
             amAuthCert_useSSL = CollectionHelper.getMapAttr(
                 options, "iplanet-am-auth-cert-use-ssl");
             amAuthCert_userProfileMapper = CollectionHelper.getMapAttr(
-                options, "iplanet-am-auth-cert-user-profile-mapper"); 
+                options, "iplanet-am-auth-cert-user-profile-mapper");
             amAuthCert_altUserProfileMapper = CollectionHelper.getMapAttr(
                 options, "iplanet-am-auth-cert-user-profile-mapper-other");
             amAuthCert_subjectAltExtMapper = CollectionHelper.getMapAttr(
                 options, "iplanet-am-auth-cert-user-profile-mapper-ext");
             amAuthCert_chkCRL = CollectionHelper.getMapAttr(
-                options, "iplanet-am-auth-cert-check-crl"); 
+                options, "iplanet-am-auth-cert-check-crl");
             if (amAuthCert_chkCRL.equalsIgnoreCase("true")) {
                 amAuthCert_chkAttrCRL = CollectionHelper.getMapAttr(
                     options, "iplanet-am-auth-cert-attr-check-crl");
-                if (amAuthCert_chkAttrCRL == null || 
+                if (amAuthCert_chkAttrCRL == null ||
                     amAuthCert_chkAttrCRL.equals("")) {
                     throw new AuthLoginException(amAuthCert, "noCRLAttr", null);
                 } else {
@@ -233,17 +235,17 @@ private void initAuthConfig() throws AuthLoginException {
                         options, "openam-am-auth-cert-update-crl", "true");
                 if (amAuthCert_updateCRL.equalsIgnoreCase("false")) {
                     doCRLUpdate = false;
-                }               
-                
+                }
+
                 crlEnabled = true;
             }
             amAuthCert_validateCA = CollectionHelper.getMapAttr(
-                options, "sunAMValidateCACert"); 
+                options, "sunAMValidateCACert");
 
             amAuthCert_uriParamsCRL = CollectionHelper.getMapAttr(
                 options, "iplanet-am-auth-cert-param-get-crl");
             amAuthCert_chkCertInLDAP = CollectionHelper.getMapAttr(
-                options, "iplanet-am-auth-cert-check-cert-in-ldap"); 
+                options, "iplanet-am-auth-cert-check-cert-in-ldap");
             if (amAuthCert_chkCertInLDAP.equalsIgnoreCase("true")) {
                 amAuthCert_chkAttrCertInLDAP = CollectionHelper.getMapAttr(
                     options, "iplanet-am-auth-cert-attr-check-ldap");
@@ -254,7 +256,7 @@ private void initAuthConfig() throws AuthLoginException {
                 }
             }
             String ocspChk = CollectionHelper.getMapAttr(
-                options, "iplanet-am-auth-cert-check-ocsp"); 
+                options, "iplanet-am-auth-cert-check-ocsp");
             ocspEnabled = (ocspChk != null && ocspChk.equalsIgnoreCase("true"));
 
              //
@@ -271,7 +273,7 @@ private void initAuthConfig() throws AuthLoginException {
 
             String client = getLoginState("process").getClient();
             portal_gw_cert_auth_enabled = false;
-            if (gwCertAuth == null || gwCertAuth.equals("") 
+            if (gwCertAuth == null || gwCertAuth.equals("")
                                 || gwCertAuth.equalsIgnoreCase("none")) {
                 if (debug.messageEnabled()) {
                     debug.message("iplanet-am-auth-cert-gw-cert-auth-enabled = "
@@ -280,7 +282,7 @@ private void initAuthConfig() throws AuthLoginException {
             } else if (gwCertAuth.equalsIgnoreCase("any")) {
                 portal_gw_cert_auth_enabled = true;
             } else {
-                portalGateways = 
+                portalGateways =
                   (Set)options.get("iplanet-am-auth-cert-gw-cert-auth-enabled");
                 if ((client !=null) && (portalGateways.contains(client))) {
                     portal_gw_cert_auth_enabled = true;
@@ -305,11 +307,11 @@ private void initAuthConfig() throws AuthLoginException {
 
             amAuthCert_serverHost = CollectionHelper.getServerMapAttr(
                 options, "iplanet-am-auth-cert-ldap-provider-url");
-            if (amAuthCert_serverHost == null 
-                && (amAuthCert_chkCertInLDAP.equalsIgnoreCase("true") || 
+            if (amAuthCert_serverHost == null
+                && (amAuthCert_chkCertInLDAP.equalsIgnoreCase("true") ||
                     amAuthCert_chkCRL.equalsIgnoreCase("true"))) {
                 debug.error("Fatal error: LDAP Server and Port misconfigured");
-                throw new AuthLoginException(amAuthCert, 
+                throw new AuthLoginException(amAuthCert,
                                 "wrongLDAPServer", null);
             }
 
@@ -327,8 +329,8 @@ private void initAuthConfig() throws AuthLoginException {
 
             amAuthCert_startSearchLoc = CollectionHelper.getServerMapAttr(
                 options, "iplanet-am-auth-cert-start-search-loc");
-            if (amAuthCert_startSearchLoc == null 
-                && (amAuthCert_chkCertInLDAP.equalsIgnoreCase("true") || 
+            if (amAuthCert_startSearchLoc == null
+                && (amAuthCert_chkCertInLDAP.equalsIgnoreCase("true") ||
                     amAuthCert_chkCRL.equalsIgnoreCase("true"))) {
                 debug.error("Fatal error: LDAP Start Search " +
                                 "DN is not configured");
@@ -375,7 +377,7 @@ private void initAuthConfig() throws AuthLoginException {
             throw new AuthLoginException(amAuthCert, "CERTex", null);
         }
     }
-    
+
     /**
      * Process Certificate based auth request
      * @param callbacks for auth
@@ -383,22 +385,23 @@ private void initAuthConfig() throws AuthLoginException {
      * @return proper jaas state for auth framework
      * @throws AuthLoginException if auth fails
      */
-    public int process (Callback[] callbacks, int state) 
+    @Override
+    public int process (Callback[] callbacks, int state)
         throws AuthLoginException {
         initAuthConfig();
         X509Certificate[] allCerts = null;
         try {
             HttpServletRequest servletRequest = getHttpServletRequest();
-            if (servletRequest != null) { 
+            if (servletRequest != null) {
                 allCerts = (X509Certificate[]) servletRequest.
-                   getAttribute("javax.servlet.request.X509Certificate"); 
+                   getAttribute("javax.servlet.request.X509Certificate");
                 if (allCerts == null || allCerts.length == 0) {
                     debug.message(
                           "Certificate: checking for cert passed in the URL.");
                     if (!portal_gw_cert_auth_enabled) {
                         debug.error ("Certificate: cert passed " +
                                      "in URL not enabled for this client");
-                        throw new AuthLoginException(amAuthCert, 
+                        throw new AuthLoginException(amAuthCert,
                             "noURLCertAuth", null);
                     }
                     thecert = getPortalStyleCert(servletRequest);
@@ -429,7 +432,7 @@ public int process (Callback[] callbacks, int state)
             getTokenFromCert(thecert);
             storeUsernamePasswd(userTokenId, null);
             if(debug.messageEnabled()){
-                debug.message("in Certificate. userTokenId=" + 
+                debug.message("in Certificate. userTokenId=" +
                     userTokenId + " from getTokenFromCert");
             }
         } catch (AuthLoginException e) {
@@ -443,7 +446,7 @@ public int process (Callback[] callbacks, int state)
             debug.message("Got client cert =\n" + thecert.toString());
         }
 
-        if (amAuthCert_chkCertInLDAP.equalsIgnoreCase("false") && 
+        if (amAuthCert_chkCertInLDAP.equalsIgnoreCase("false") &&
                 amAuthCert_chkCRL.equalsIgnoreCase("false") &&
                                 !ocspEnabled) {
                 return ISAuthConstants.LOGIN_SUCCEED;
@@ -458,9 +461,9 @@ public int process (Callback[] callbacks, int state)
         if (ldapParam == null) {
             setLdapStoreParam();
         }
-        
-        if (amAuthCert_chkCertInLDAP.equalsIgnoreCase("true")) { 
-            X509Certificate ldapcert = 
+
+        if (amAuthCert_chkCertInLDAP.equalsIgnoreCase("true")) {
+            X509Certificate ldapcert =
                 AMCertStore.getRegisteredCertificate(
                     ldapParam, thecert, amAuthCert_chkAttrCertInLDAP);
             if (ldapcert == null) {
@@ -477,14 +480,14 @@ public int process (Callback[] callbacks, int state)
     	    setFailureID(userTokenId);
             throw new AuthLoginException(amAuthCert, "CertVerifyFailed", null);
         }
-        
+
         return ISAuthConstants.LOGIN_SUCCEED;
     }
 
     private int doJCERevocationValidation(X509Certificate[] allCerts)
         throws AuthLoginException {
     	int ret = ISAuthConstants.LOGIN_IGNORE;
-		
+
     	try {
             Vector crls = new Vector();
             for (X509Certificate cert : allCerts) {
@@ -514,7 +517,7 @@ private int doJCERevocationValidation(X509Certificate[] allCerts)
     	}catch (Exception e) {
             debug.error("Cert.doRevocationValidation: verify failed.", e);
     	}
-        
+
         return ret;
     }
 
@@ -534,13 +537,13 @@ private void setLdapStoreParam() throws AuthLoginException {
 
             ldapParam.setDoCRLCaching(doCRLCaching);
             ldapParam.setDoCRLUpdate(doCRLUpdate);
-            
+
         } catch (Exception e) {
             debug.error("validate.SSLSocketFactory", e);
             setFailureID(userTokenId);
             throw new AuthLoginException(amAuthCert,"sslSokFactoryFail", null);
         }
-            
+
         return;
     }
 
@@ -550,7 +553,7 @@ private void getTokenFromCert(X509Certificate cert)
 	    getTokenFromSubjectAltExt(cert);
 	}
 
-	if (!amAuthCert_userProfileMapper.equalsIgnoreCase("none") && 
+	if (!amAuthCert_userProfileMapper.equalsIgnoreCase("none") &&
 	    (userTokenId == null)) {
 	    getTokenFromSubjectDN(cert);
 	}
@@ -559,42 +562,39 @@ private void getTokenFromCert(X509Certificate cert)
     private void getTokenFromSubjectAltExt(X509Certificate cert)
         throws AuthLoginException {
         try {
-            X509CertImpl certImpl = 
+            X509CertImpl certImpl =
                 new X509CertImpl(cert.getEncoded());
-            X509CertInfo cinfo = 
+            X509CertInfo cinfo =
                 new X509CertInfo(certImpl.getTBSCertificate());
-            CertificateExtensions exts = (CertificateExtensions) 
-                            cinfo.get(X509CertInfo.EXTENSIONS);
-            SubjectAlternativeNameExtension altNameExt = 
-                (SubjectAlternativeNameExtension)
-                    exts.get(SubjectAlternativeNameExtension.NAME);
+            CertificateExtensions exts = SunSecurityProviderCompat.getExtensions(cinfo);
+            SubjectAlternativeNameExtension altNameExt = SunSecurityProviderCompat.getSanExtension(exts);
 
             if (altNameExt != null) {
-                GeneralNames names = altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
-        
+                GeneralNames names = SunSecurityProviderCompat.getSubjectAlternativeNames(altNameExt);
+
                 Iterator itr = names.iterator();
                 while ((userTokenId == null) && itr.hasNext()) {
                     GeneralName generalname = (GeneralName) itr.next();
                     if (generalname != null) {
                         if (amAuthCert_subjectAltExtMapper.
-                        	equalsIgnoreCase("UPN") && 
-                        	(generalname.getType() == 
+                        	equalsIgnoreCase("UPN") &&
+                        	(generalname.getType() ==
                 	        GeneralNameInterface.NAME_ANY)) {
-                            OtherName othername = 
-                                (OtherName)generalname.getName(); 
+                            OtherName othername =
+                                (OtherName)generalname.getName();
                             if (UPNOID.equals(othername.getOID().toString())) {
-                                byte[] nval = othername.getNameValue(); 
-                                DerValue derValue = new DerValue(nval); 
-                                userTokenId = 
-                                    derValue.getData().getUTF8String(); 
-                            } 
+                                byte[] nval = othername.getNameValue();
+                                DerValue derValue = new DerValue(nval);
+                                userTokenId =
+                                    derValue.getData().getUTF8String();
+                            }
                         }else if (amAuthCert_subjectAltExtMapper.
-                            equalsIgnoreCase("RFC822Name") && 
-                            (generalname.getType() == 
+                            equalsIgnoreCase("RFC822Name") &&
+                            (generalname.getType() ==
                 	        GeneralNameInterface.NAME_RFC822)) {
-                            RFC822Name email = 
-                                (RFC822Name) generalname.getName(); 
-                            userTokenId = email.getName(); 
+                            RFC822Name email =
+                                (RFC822Name) generalname.getName();
+                            userTokenId = email.getName();
                         }
                     }
                 }
@@ -604,14 +604,14 @@ private void getTokenFromSubjectAltExt(X509Certificate cert)
                     "Error in getTokenFromSubjectAltExt = " , e);
             throw new AuthLoginException(amAuthCert, "CertNoReg", null);
         }
-            
+
     }
 
     private void getTokenFromSubjectDN(X509Certificate cert)
         throws AuthLoginException {
     /*
      * The certificate has passed the authentication steps
-     * so return the part of the certificate as specified 
+     * so return the part of the certificate as specified
      * in the profile server.
      */
         try {
@@ -654,6 +654,7 @@ private void getTokenFromSubjectDN(X509Certificate cert)
         }
     }
 
+    @Override
     public java.security.Principal getPrincipal() {
         if (userPrincipal != null) {
             return userPrincipal;
@@ -666,7 +667,7 @@ public java.security.Principal getPrincipal() {
     }
 
     /**
-     * Return value of Certificate 
+     * Return value of Certificate
      * @return X509Certificate for auth
      */
     public X509Certificate getCertificate() {
@@ -674,47 +675,47 @@ public X509Certificate getCertificate() {
     }
 
     /**
-     * Return value of Attribute Name for CRL checking 
+     * Return value of Attribute Name for CRL checking
      * @return value for attribute name to search crl from ldap store
      */
     public String getChkAttrCRL() {
        return amAuthCert_chkAttrCRL;
     }
-        
+
     /**
-     * Return value of Debug object for this module 
+     * Return value of Debug object for this module
      *
-     * @return debug 
+     * @return debug
      */
     public com.sun.identity.shared.debug.Debug getDebug() {
        return debug;
     }
 
     /**
-     * Return value of URI parameter for getting CRL 
+     * Return value of URI parameter for getting CRL
      *
-     * @return value of URI parameter for getting CRL 
+     * @return value of URI parameter for getting CRL
      */
     public String getUriParamsCRL() {
        return amAuthCert_uriParamsCRL;
     }
 
     /**
-     * Return value of LDAP Search loc for directory server 
+     * Return value of LDAP Search loc for directory server
      *
-     * @return value of LDAP Search loc for directory server  
+     * @return value of LDAP Search loc for directory server
      */
     public String getStartSearchLoc() {
        return amAuthCert_startSearchLoc;
     }
-                        
+
     private X509Certificate sendCallback() throws AuthLoginException {
         if (callbackHandler == null) {
             throw new AuthLoginException(amAuthCert, "NoCallbackHandler", null);        }
         X509Certificate cert = null;
         try {
             Callback[] callbacks = new Callback[1];
-            callbacks[0] = 
+            callbacks[0] =
                 new X509CertificateCallback (bundle.getString("certificate"));
             callbackHandler.handle(callbacks);
             X509CertificateCallback xcb = (X509CertificateCallback)callbacks[0];
@@ -742,10 +743,10 @@ private X509Certificate sendCallback() throws AuthLoginException {
             throw new AuthLoginException(ioe);
         } catch (UnsupportedCallbackException uce) {
             throw new AuthLoginException(amAuthCert, "NoCallbackHandler", null);
-        }    
+        }
     }
 
-    private X509Certificate getPortalStyleCert (HttpServletRequest request) 
+    private X509Certificate getPortalStyleCert (HttpServletRequest request)
        throws AuthLoginException {
        String certParam = null;
 
@@ -771,9 +772,9 @@ private X509Certificate getPortalStyleCert (HttpServletRequest request)
            debug.message("getPortalStyleCert: checking cert in userCert param");
            Map<String, String> requestHash = getLoginState("getPortalStyleCert()").getRequestParamHash();
            if (requestHash != null) {
-               certParam = (String) requestHash.get("IDToken0"); 
+               certParam = requestHash.get("IDToken0");
                if (certParam == null) {
-                   certParam = (String) requestHash.get("Login.Token0"); 
+                   certParam = requestHash.get("Login.Token0");
                }
            }
        }
@@ -809,7 +810,7 @@ private X509Certificate getPortalStyleCert (HttpServletRequest request)
        }
 
        if (debug.messageEnabled()) {
-           debug.message("X509Certificate: principal is: " + 
+           debug.message("X509Certificate: principal is: " +
                userCert.getSubjectDN().getName() +
                "\nissuer DN:" + userCert.getIssuerDN().getName() +
                "\nserial number:" + String.valueOf(userCert.getSerialNumber()) +
@@ -821,6 +822,7 @@ private X509Certificate getPortalStyleCert (HttpServletRequest request)
     /**
      * Destroy the state of module
      */
+    @Override
     public void destroyModuleState() {
         userPrincipal = null;
         userTokenId = null;
@@ -829,6 +831,7 @@ public void destroyModuleState() {
     /**
      * Initialize all member variables as null
      */
+    @Override
     public void nullifyUsedVars() {
         bundle = null;
         thecert = null;
@@ -852,12 +855,12 @@ public void nullifyUsedVars() {
         portalGateways = null;
         amAuthCert_updateCRL = null;
     }
-    
+
     private String[] trimItems(String[] items) {
         String[] trimmedItems = new String[items.length];
         for (int i = 0; i < items.length; i++) {
             trimmedItems[i] = items[i].trim();
         }
         return trimmedItems;
-    }    
+    }
 }
diff --git a/openam-certs/src/main/java/com/sun/identity/security/cert/AMCRLStore.java b/openam-certs/src/main/java/com/sun/identity/security/cert/AMCRLStore.java
index e4cb51f06f..a28c6f5a20 100644
--- a/openam-certs/src/main/java/com/sun/identity/security/cert/AMCRLStore.java
+++ b/openam-certs/src/main/java/com/sun/identity/security/cert/AMCRLStore.java
@@ -25,6 +25,7 @@
  * $Id: AMCRLStore.java,v 1.7 2009/01/28 05:35:12 ww203982 Exp $
  *
  * Portions Copyrighted 2013-2016 ForgeRock AS.
+ * Portions Copyrighted 2025 Wren Security
  */
 package com.sun.identity.security.cert;
 
@@ -32,12 +33,13 @@
 
 import com.forgerock.opendj.ldap.controls.TransactionIdControl;
 import com.iplanet.security.x509.CertUtils;
-import com.iplanet.security.x509.IssuingDistributionPointExtension;
 import com.sun.identity.common.HttpURLConnectionManager;
 import com.sun.identity.shared.encode.URLEncDec;
 import sun.security.x509.CRLDistributionPointsExtension;
 import sun.security.x509.DistributionPoint;
+import sun.security.x509.DistributionPointName;
 import sun.security.x509.GeneralNames;
+import sun.security.x509.IssuingDistributionPointExtension;
 import sun.security.x509.PKIXExtensions;
 import sun.security.x509.X509CertImpl;
 
@@ -346,7 +348,7 @@ private IssuingDistributionPointExtension getCRLIDPExt(X509CRL crl) {
                     crl.getExtensionValue(
                             PKIXExtensions.IssuingDistributionPoint_Id.toString());
             if (ext != null) {
-                idpExt = new IssuingDistributionPointExtension(ext);
+                idpExt = new IssuingDistributionPointExtension(true, ext);
             }
         } catch (Exception e) {
             debug.error("Error finding CRL distribution Point configured: ", e);
@@ -371,10 +373,10 @@ private IssuingDistributionPointExtension getCRLIDPExt(X509CRL crl) {
 
         List dps = null;
         try {
-            dps = (List) dpExt.get(CRLDistributionPointsExtension.POINTS);
-        } catch (IOException ioex) {
+            dps = SunSecurityProviderCompat.getDistributionPoints(dpExt);
+        } catch (Exception ex) {
             if (debug.warningEnabled()) {
-                debug.warning("AMCRLStore.getUpdateCRLFromCrlDP: ", ioex);
+                debug.warning("AMCRLStore.getUpdateCRLFromCrlDP: ", ex);
             }
         }
 
@@ -415,8 +417,17 @@ private IssuingDistributionPointExtension getCRLIDPExt(X509CRL crl) {
      * @param idpExt
      */
     private synchronized X509CRL getUpdateCRLFromCrlIDP(IssuingDistributionPointExtension idpExt) {
+        GeneralNames gName = null;
+        try {
+            DistributionPointName dpName = SunSecurityProviderCompat.getDistributionPoint(idpExt);
+            if (dpName != null) {
+                gName = dpName.getFullName();
+            }
+        } catch (Exception e) {
+            debug.error("Error getting distribution point name", e);
+            return null;
+        }
 
-        GeneralNames gName = idpExt.getFullName();
         if (gName == null) {
             return null;
         }
@@ -573,7 +584,7 @@ private byte[] getCRLByLdapURI(String uri) {
 
             SearchResultEntry entry = results.readEntry();
 
-            /* 
+            /*
             * Retrieve the certificate revocation list if available.
             */
             Attribute crlAttribute = entry.getAttribute(CERTIFICATE_REVOCATION_LIST);
diff --git a/openam-certs/src/main/java/com/sun/identity/security/cert/SunSecurityProviderCompat.java b/openam-certs/src/main/java/com/sun/identity/security/cert/SunSecurityProviderCompat.java
new file mode 100644
index 0000000000..280c1cf686
--- /dev/null
+++ b/openam-certs/src/main/java/com/sun/identity/security/cert/SunSecurityProviderCompat.java
@@ -0,0 +1,111 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.1.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.1.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright Wren Security 2025
+ */
+package com.sun.identity.security.cert;
+
+import java.lang.reflect.Method;
+import java.util.List;
+
+import sun.security.x509.CRLDistributionPointsExtension;
+import sun.security.x509.CertificateExtensions;
+import sun.security.x509.DistributionPoint;
+import sun.security.x509.DistributionPointName;
+import sun.security.x509.GeneralNames;
+import sun.security.x509.IssuingDistributionPointExtension;
+import sun.security.x509.SubjectAlternativeNameExtension;
+import sun.security.x509.X509CertInfo;
+
+/**
+ * Utility methods for maintaining compatibility with older supported JDK versions.
+ *
+ * <p>
+ * This class exists only because we are using JDK internals that are not guaranteed being stable across releases.
+ * Ideally the whole X.509 code that relies on <code>sun.security.x509</code> should be replaced. Using reflection
+ * gets rid of build time type checking and makes the codebase less future-proof.
+ *
+ * <p>
+ * Issues solved by this class:
+ * <ul>
+ * <li> binary incompatibility introduced by https://bugs.openjdk.org/browse/JDK-8296072
+ */
+@SuppressWarnings({ "restriction", "unchecked" })
+public final class SunSecurityProviderCompat {
+
+    public static List<DistributionPoint> getDistributionPoints(CRLDistributionPointsExtension extension) throws Exception {
+        try {
+            Method typesafeGetter = CRLDistributionPointsExtension.class.getMethod("getDistributionPoints");
+            return (List<DistributionPoint>) typesafeGetter.invoke(extension);
+        } catch (NoSuchMethodException e) { /* fall through */ }
+        try {
+            Method legacyGetter = CRLDistributionPointsExtension.class.getMethod("get", String.class);
+            return (List<DistributionPoint>) legacyGetter.invoke(extension, "points");
+        } catch (NoSuchMethodException e) {
+            throw new IllegalStateException("Unsupported SUN provider implementation", e);
+        }
+    }
+
+    public static DistributionPointName getDistributionPoint(IssuingDistributionPointExtension extension) throws Exception {
+        try {
+            Method typesafeGetter = IssuingDistributionPointExtension.class.getMethod("getDistributionPoint");
+            return (DistributionPointName) typesafeGetter.invoke(extension);
+        } catch (NoSuchMethodException e) { /* fall through */ }
+        try {
+            Method legacyGetter = IssuingDistributionPointExtension.class.getMethod("get", String.class);
+            return (DistributionPointName) legacyGetter.invoke(extension, "point");
+        } catch (NoSuchMethodException e) {
+            throw new IllegalStateException("Unsupported SUN provider implementation", e);
+        }
+    }
+
+    public static CertificateExtensions getExtensions(X509CertInfo certInfo) throws Exception {
+        try {
+            Method typesafeGetter = X509CertInfo.class.getMethod("getExtensions");
+            return (CertificateExtensions) typesafeGetter.invoke(certInfo);
+        } catch (NoSuchMethodException e) { /* fall through */ }
+        try {
+            Method legacyGetter = X509CertInfo.class.getMethod("get", String.class);
+            return (CertificateExtensions) legacyGetter.invoke(certInfo, X509CertInfo.EXTENSIONS);
+        } catch (NoSuchMethodException e) {
+            throw new IllegalStateException("Unsupported SUN provider implementation", e);
+        }
+    }
+
+    public static SubjectAlternativeNameExtension getSanExtension(CertificateExtensions extensions) throws Exception {
+        try {
+            Method typesafeGetter = CertificateExtensions.class.getMethod("getExtension", String.class);
+            return (SubjectAlternativeNameExtension) typesafeGetter.invoke(extensions, SubjectAlternativeNameExtension.NAME);
+        } catch (NoSuchMethodException e) { /* fall through */ }
+        try {
+            Method getter = CertificateExtensions.class.getMethod("get", String.class);
+            return (SubjectAlternativeNameExtension) getter.invoke(extensions, SubjectAlternativeNameExtension.NAME);
+        } catch (NoSuchMethodException e) {
+            throw new IllegalStateException("Unsupported SUN provider implementation", e);
+        }
+    }
+
+    public static GeneralNames getSubjectAlternativeNames(SubjectAlternativeNameExtension extension) throws Exception {
+        try {
+            Method typesafeGetter = SubjectAlternativeNameExtension.class.getMethod("getNames");
+            return (GeneralNames) typesafeGetter.invoke(extension);
+        } catch (NoSuchMethodException e) { /* fall through */ }
+        try {
+            Method legacyGetter = SubjectAlternativeNameExtension.class.getMethod("get", String.class);
+            return (GeneralNames) legacyGetter.invoke(extension, "subject_name");
+        } catch (NoSuchMethodException e) {
+            throw new IllegalStateException("Unsupported SUN provider implementation", e);
+        }
+    }
+
+}
diff --git a/openam-certs/src/test/java/com/sun/identity/security/cert/SunSecurityProviderCompatTest.java b/openam-certs/src/test/java/com/sun/identity/security/cert/SunSecurityProviderCompatTest.java
new file mode 100644
index 0000000000..5e0262e363
--- /dev/null
+++ b/openam-certs/src/test/java/com/sun/identity/security/cert/SunSecurityProviderCompatTest.java
@@ -0,0 +1,84 @@
+package com.sun.identity.security.cert;
+
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertNotNull;
+
+import java.io.InputStream;
+import java.security.cert.CertificateFactory;
+import java.util.List;
+import org.testng.annotations.Test;
+import sun.security.x509.CRLDistributionPointsExtension;
+import sun.security.x509.CertificateExtensions;
+import sun.security.x509.DistributionPoint;
+import sun.security.x509.DistributionPointName;
+import sun.security.x509.GeneralNames;
+import sun.security.x509.IssuingDistributionPointExtension;
+import sun.security.x509.SubjectAlternativeNameExtension;
+import sun.security.x509.X509CRLImpl;
+import sun.security.x509.X509CertImpl;
+import sun.security.x509.X509CertInfo;
+
+/**
+ * {@link SunSecurityProviderCompat} test cases.
+ */
+@SuppressWarnings("restriction")
+public class SunSecurityProviderCompatTest {
+
+    @Test
+    public void testSubjectAlternativeNameExtraction() throws Exception {
+        X509CertImpl cert = readCertificate("/compat/user.cert.pem");
+        assertNotNull(cert);
+
+        X509CertInfo certInfo = new X509CertInfo(cert.getTBSCertificate());
+        assertNotNull(certInfo);
+
+        CertificateExtensions extensions = SunSecurityProviderCompat.getExtensions(certInfo);
+        assertNotNull(extensions);
+
+        SubjectAlternativeNameExtension sanExtension = SunSecurityProviderCompat.getSanExtension(extensions);
+        assertNotNull(sanExtension);
+
+        GeneralNames sanValues = SunSecurityProviderCompat.getSubjectAlternativeNames(sanExtension);
+        assertNotNull(sanValues);
+        assertFalse(sanValues.names().isEmpty());
+    }
+
+    @Test
+    public void testDistributionPointExtraction() throws Exception {
+        X509CertImpl cert = readCertificate("/compat/user.cert.pem");
+        assertNotNull(cert);
+
+        CRLDistributionPointsExtension crlDistributionPointsExtension = cert.getCRLDistributionPointsExtension();
+        assertNotNull(crlDistributionPointsExtension);
+
+        List<DistributionPoint> distributionPoints = SunSecurityProviderCompat
+                .getDistributionPoints(crlDistributionPointsExtension);
+        assertFalse(distributionPoints.isEmpty());
+    }
+
+    @Test
+    public void testRevocationListIssuerExtraction() throws Exception {
+        X509CRLImpl crl = readCertificateRevocationList("/compat/sample.crl.pem");
+        assertNotNull(crl);
+
+        IssuingDistributionPointExtension issuingDistributionPointExtension = crl.getIssuingDistributionPointExtension();
+        assertNotNull(issuingDistributionPointExtension);
+
+        DistributionPointName distributionPoint = SunSecurityProviderCompat.getDistributionPoint(issuingDistributionPointExtension);
+        assertNotNull(distributionPoint);
+    }
+
+    private X509CertImpl readCertificate(String path) throws Exception {
+        try (InputStream input = SunSecurityProviderCompatTest.class.getResourceAsStream(path)) {
+            return new X509CertImpl(input);
+        }
+    }
+
+    private X509CRLImpl readCertificateRevocationList(String path) throws Exception {
+        try (InputStream input = SunSecurityProviderCompatTest.class.getResourceAsStream(path)) {
+            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
+            return (X509CRLImpl) certificateFactory.generateCRL(input);
+        }
+    }
+
+}
diff --git a/openam-certs/src/test/resources/compat/.gitignore b/openam-certs/src/test/resources/compat/.gitignore
new file mode 100644
index 0000000000..ab81291d63
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/.gitignore
@@ -0,0 +1,8 @@
+# Only used when issuing new certificate for updating the database
+sample-ca/newcerts
+
+# Not interested in storing old replaced state
+sample-ca/*.old
+
+# Not interested in storing temporary CSR files
+*.csr.pem
diff --git a/openam-certs/src/test/resources/compat/README.md b/openam-certs/src/test/resources/compat/README.md
new file mode 100644
index 0000000000..181fc77467
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/README.md
@@ -0,0 +1,44 @@
+# Sample X509 files
+
+The following commands were used to generate files in this folder:
+
+```sh
+# Generate CA certificate
+openssl genrsa -out sample-ca/ca.key.pem 2048
+openssl req -x509 -new -key sample-ca/ca.key.pem -out sample-ca/ca.cert.pem -days 36500 -subj "/CN=Sample CA"
+
+# Generate user certificate
+openssl genrsa -out user.key.pem 2048
+openssl req -new -key user.key.pem -out user.csr.pem -subj '/CN=john.smith' -addext "subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:john.smith@example.com"
+openssl ca -batch -config sample-ca/openssl.cnf -notext -in user.csr.pem -out user.cert.pem
+
+# Generate revoked certificate
+openssl genrsa -out revoked.key.pem 2048
+openssl req -new -key revoked.key.pem -out revoked.csr.pem -subj '/CN=jane.smith' -addext "subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:jane.smith@example.com"
+openssl ca -batch -config sample-ca/openssl.cnf -notext -in revoked.csr.pem -out revoked.cert.pem 
+openssl ca -config sample-ca/openssl.cnf -revoke revoked.cert.pem
+
+# Generate revocation list
+openssl ca -config sample-ca/openssl.cnf -gencrl -out sample.crl.pem
+```
+
+Removing generated content:
+
+```sh
+# Remove CA data
+rm -f sample-ca/newcerts/*
+echo 0 > sample-ca/crlnumber
+echo -n "" > sample-ca/index.txt
+
+# Remove user certificate
+rm user.key.pem user.key.csr user.cert.pem
+
+# Remove revoked certificate
+rm revoked.key.pem revoked.key.csr revoked.cert.pem
+
+# Remove revocation list
+rm sample.crl.pem
+
+# Remove CA certificate
+rm sample-ca/ca.cert.pem sample-ca/ca.key.pem
+```
diff --git a/openam-certs/src/test/resources/compat/revoked.cert.pem b/openam-certs/src/test/resources/compat/revoked.cert.pem
new file mode 100644
index 0000000000..e08f078fdc
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/revoked.cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDijCCAnKgAwIBAgIUKlalqDZrty8Ez0n91YAHxeUWsK0wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJU2FtcGxlIENBMCAXDTI1MDcyNTEwMzUwMVoYDzIxMjUw
+NzAxMTAzNTAxWjAVMRMwEQYDVQQDDApqYW5lLnNtaXRoMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA0bwfXWJ9SQ8QpgNNbYkKLL6dJ9TzQwwjBZyOJxzt
+GI72F2FGQXupGDLMfH8cbAzp87zTlrEYAa35sSVJqktWZu7NlwBvRACFYckpPVrM
+QsLdpKrLvlnW9FGrlSpZoe73fyGmXVJLtHmiV7z9zNnyyncMTKVsv4ssoSj6CWmI
+wzT1JQc8b0/DpoNmPZxjnMMsec6UDXXMOZao5qGRHlTDtvJpDYYsBq7rrTmeU+or
+jLtGtGN69g7kTSuA4wRg5JGIZguIPCano+gYYdnLS4uU+aFD9S8nB3JgliWuu7/D
+uAJ+H/VpZ0KJC69fJ+u7mkd32bZMxtTAtg45ey7eMW21iQIDAQABo4HQMIHNMB8G
+A1UdIwQYMBaAFCNhj+GfqAkE7geJWmfguP+d79hGMAkGA1UdEwQCMAAwKwYDVR0f
+BCQwIjAgoB6gHIYaaHR0cDovL2V4YW1wbGUuY29tL2NybC5wZW0wEwYDVR0lBAww
+CgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMDEGA1UdEQQqMCigJgYKKwYBBAGCNxQC
+A6AYDBZqYW5lLnNtaXRoQGV4YW1wbGUuY29tMB0GA1UdDgQWBBR1Ki82NwPhD/Fz
+w3YyeocwwIOvfDANBgkqhkiG9w0BAQsFAAOCAQEAjgEj2lifJuKFR1YOEOcb0FLE
+5geOS9zKfdOC7seJRTX7DLMNPf/ACKtiilu8ULyVGo6ckI6SrAi4ZNAKgPkI3Dij
+eOT9nDH65JD0AkTzAA8bumqoU7+ccBDvywKhNPBy2P/R6rh+dPkQ2GdZjv98Ewnj
+FUeiydepRn2K+BgAjfOWmXnGUgwi7gOGRrjdxaT+urnvVGfpUDPqtWGmF7iTAt/p
+YsYwG7XKA3EWoKDb11C2ifva8uY192RrrJA+SomXkkEAD9CXZWwMdbD0COyAVYek
+HO3xlX4VzRpkGSc/jbl0Zw62bnFR8kSPwEK7dJ45FvPHBX9nXcTeEnMJUzhGyg==
+-----END CERTIFICATE-----
diff --git a/openam-certs/src/test/resources/compat/revoked.key.pem b/openam-certs/src/test/resources/compat/revoked.key.pem
new file mode 100644
index 0000000000..4f0e43250e
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/revoked.key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDRvB9dYn1JDxCm
+A01tiQosvp0n1PNDDCMFnI4nHO0YjvYXYUZBe6kYMsx8fxxsDOnzvNOWsRgBrfmx
+JUmqS1Zm7s2XAG9EAIVhySk9WsxCwt2kqsu+Wdb0UauVKlmh7vd/IaZdUku0eaJX
+vP3M2fLKdwxMpWy/iyyhKPoJaYjDNPUlBzxvT8Omg2Y9nGOcwyx5zpQNdcw5lqjm
+oZEeVMO28mkNhiwGruutOZ5T6iuMu0a0Y3r2DuRNK4DjBGDkkYhmC4g8Jqej6Bhh
+2ctLi5T5oUP1LycHcmCWJa67v8O4An4f9WlnQokLr18n67uaR3fZtkzG1MC2Djl7
+Lt4xbbWJAgMBAAECggEAD/yieWhN+3kqADWFO+GzxFhdO1GIn2Y37zARR9r1Gaeg
+C4UvKUOnToBkxOKdhIDxflI44KYsGcisnTul41Stx9fRFP8D/C97+0mtmo8mvboD
+0g7wy9gmQeZNyWd6gJTqCadDep6Qxbd1z/FIeUptrtAnQFplsS4HH1uzv27rbVGj
+OrnVRVOghn/3rl/9LQgQb8Pno2ZOwUq8viPiuaWrFfrBynV1WwpvvqCJdJablFus
+fqZRXJ2c6P/ZNeckmWZ4M50dGeLSfjkOKw9XsRpzDWMh5c9GUM2BqGJA9VJ1ca9i
+4Pl7gFs6rf2KDw5aFJ13eJ8dxcB5dBskPe7H/ZJr7wKBgQDwW6mbsVclimVy5Ccl
+aSRhe/7sI/Jiby87nCKkVh6sm2Dyj+Tcsiw1FJowP87est7idQfEeoWKGx3lUbB9
+f8l+ITNtwDJSng2NO/Qz/+2AXzEu75CHOhMh+QzYuF7xFaCkyHnKnctu8fAGD6UH
+rhoxrLkipcbIM86r8yWJwD1x2wKBgQDfYkfs4rhJIyNZB6KELVsfwuLgzi0h6bCu
+dOvHUcl2UL5+jQrcXAdf9htdUIxXLcoAdGhYKuBd7kRT6ahrKwYEXxDmFcYJlhVa
+oz6KltBe3gWhGy93CC+jkvr+Q1z9xrLkNonrTkH7xvlHfKVzLL6ajEbPiGE1pCsW
+e5uqxhUNawKBgBXTTPhtRwuKoKGpJADapkoP11sb/IOBsxlHmUGw7EIiLdB4zoBX
+0XnUcBfXg3JnbaPEmrr1oTCkO7e6DjunIeXJIAFkRW2JGpPrkMY0BB33BuFLMaWF
+2XzpP4hiXYSowRiVd7G1WGavo2r5erPS1GAUXg9OXFmLksW8Y3k5spqnAoGBAIgz
+bXVi+0gks426GP4MhY4FDr5RF7Wgvghw473BAVwxeSTCLIgVWK3K6f5oeVlCYvMK
+BwETC4BaIbEkO3s0XVPW/v+68Oexac280QpBUEU3jCkh4TvrctiCaqUTP6TAPRzm
+oAsnyRWRyTYsKtjhxEmJFDe/iL3jHh50OYLTicyHAoGAYNjsURdYfUeGB8EETs/0
+hWN2hr9690Mj7vP/CDe36kOwTPG53KpFOFlO63EgSHe2FNYjJB2pt+aBNvb8P6dn
+K7dMQ09tgyG3RWUyL6DIsp8TpaWJgoHLcP2QivRiEF4m1MSMSaAGH8+sy9slJ9mx
+WqanIB5RIkf+x77cJau7Iak=
+-----END PRIVATE KEY-----
diff --git a/openam-certs/src/test/resources/compat/sample-ca/ca.cert.pem b/openam-certs/src/test/resources/compat/sample-ca/ca.cert.pem
new file mode 100644
index 0000000000..f15c62dc0b
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/sample-ca/ca.cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCzCCAfOgAwIBAgIUF/GI5Za7EB+at/ZyF7t0zUlEkSQwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJU2FtcGxlIENBMCAXDTI1MDcyNTEwMzQxOVoYDzIxMjUw
+NzAxMTAzNDE5WjAUMRIwEAYDVQQDDAlTYW1wbGUgQ0EwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC/QFwsL/AEY5720JdCmuJmfyuuZRwoP7cd8s3pCKyY
+naJDIlnrZU1cNR0v77f6aos5WRn4BqFRtbDmg1uTLNJEHaNUovr+U+cq6fYM6o8n
+5RKKch1YTQGDUkKOFTh/VVJYwHRMHNUNXFU/2IzJZIpRGJpUXBIVzcpWHTE5nsse
+o7/4k6EFkOnWEeP5twHavLHdYWxFzbIoMRWUh227aCk3Vr8xDHlVmGjUOG+SumjG
+FQBOunG1EFcRhJtNyJLpI0hMskWxzoiG8VLB9JudFSrMHENPpkwG4dQ/LMX7lvrx
+MiBvr3iGm/2CmP5UBS2bLbPPP/XauzhNQiuh9U/V4Sc5AgMBAAGjUzBRMB0GA1Ud
+DgQWBBQjYY/hn6gJBO4HiVpn4Lj/ne/YRjAfBgNVHSMEGDAWgBQjYY/hn6gJBO4H
+iVpn4Lj/ne/YRjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA3
+Ihwd+dU39x5743hMn3ASYQGsvnbifrVXfYT7OPUvSgWlrRNz9C0/YnmmYDEFj0Kt
+q88hC2pDkiDon3PgkdHy2r3LMyhe4axBXulbrfJYMEjewg/MiyR5H264rpP+fA3k
+g/exsJ6oHbftckjM4MwRM1I7+TUphvNWH48ouVOcoVc8DiBnMdods1Enkz8gDgwx
+VCfuFiqq7LsqTf2p1cMPpQqVgKef9hkUhjXQ5OnpfGhvHMmUKeeFiqOuWNyrp6Yp
+JgiikfGiay0LSkX9bEdm+w4oUpW7V1G90XJQxcruUNNTRJsR3rCMnEf7eUwRqBCU
+2hXcXUCCf4uvN06fukBw
+-----END CERTIFICATE-----
diff --git a/openam-certs/src/test/resources/compat/sample-ca/ca.key.pem b/openam-certs/src/test/resources/compat/sample-ca/ca.key.pem
new file mode 100644
index 0000000000..3790e7514d
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/sample-ca/ca.key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/QFwsL/AEY572
+0JdCmuJmfyuuZRwoP7cd8s3pCKyYnaJDIlnrZU1cNR0v77f6aos5WRn4BqFRtbDm
+g1uTLNJEHaNUovr+U+cq6fYM6o8n5RKKch1YTQGDUkKOFTh/VVJYwHRMHNUNXFU/
+2IzJZIpRGJpUXBIVzcpWHTE5nsseo7/4k6EFkOnWEeP5twHavLHdYWxFzbIoMRWU
+h227aCk3Vr8xDHlVmGjUOG+SumjGFQBOunG1EFcRhJtNyJLpI0hMskWxzoiG8VLB
+9JudFSrMHENPpkwG4dQ/LMX7lvrxMiBvr3iGm/2CmP5UBS2bLbPPP/XauzhNQiuh
+9U/V4Sc5AgMBAAECggEAM8/BSL1B5kaAybevyr0ACal5EXlV2/eK6cOeEfwmGgBW
+dZ6IQrPCdfDzs8lbC62ygvpHBUDykhrJTmGWvPPfENIArgyrN5xOW3tfi5c96h5u
+W/BXT9UozEVMP4azNBfOw7l7qCUFeOWjOLU3StYAfMDQCnuY8Kw8HQEylTwWJfnZ
+sYuRTF9v9UyCtb52m6Jg/j80ijIMonVBRAaqS7bFL/fpKOULrqVvCzyWVWJZgzYm
+fm3hb4XGfRtsPSdfXxzAzjCIB64A7TNLjjOq+rlbRf90lJAw0999HXJYOhV+JIOQ
++5XVYIRafSjEZ3fkfHui9FLE2m+ew6kZoIdU8s58QwKBgQDlCinBqUPyZWbRgnUd
+p0ElLGNjxcHmEKzpnn+0AG8yK7mbVUji5BpNEnMpoy8LiC90Y9QSvmzmYIjt91oL
+9hXcI7kParc4RDresIbjg3KojIaMZdQBpXPWkH5Q7XLkhJ/TN28Y98jGX1p5kMYP
+PI7dEnkicCr44yQ+LghHIqyIdwKBgQDVw33z+vv2tzwVKmyECHFEXyXceTtcQHBM
+naLgDrdnX0kBCidfVryY3CBdCtniO8Kkh4qL1/WQEYpY0CPQuyYNFwnrm0LDZk1x
+t8TOetPfMc+9/iXtyBg/zupbpJskGa555tLP3Iv1CpWQgOL33aRN8jIFPNz7axIM
+qR/9mkppzwKBgCRQizRYeRx6tWWskJMmDK8vLYcJOOgYZsIXzlmk4/yJcEFPsWHA
+Fud3cGj+pZvneNa0aVCbfrq8PZm1aUKSPv8LbvEh03EJaGgchxaVpd1RgpfKIWYt
+bINtn4mHTHstCAY+ONA1oVDKl5bEvJJ34JLuteQe8sFJilqNg+R7e+2bAoGBAK2c
+n7BHONqQyTh7gzTc0nlwOYTN5XswTsS7Bqyo5yYKynUQtReGj5gquBI5HOrUFGqi
+NtELLcK7rDwjl+MQDIB3JLR5HgkrDlz8ntgABBHzF8E8J7vuVluEhuy1TNdOEFmr
+Ma5mdjknRn/dXflnxukTerKsUuHTfQ5RUc0bwbIbAoGAC+gfDEv5jVa7bWQmi5SN
+36kZ9rt3YIfSI0baRsubNrkhWtXqqJq6IKdwQpFjYU3Y20i4MO/uErEUIRJ3urvf
+9V/a1/LkRFyQGczrOozOycKghVtDaPbqWXxsmN5zQ9ZWsPu42JRp9Qdrx4MslyNT
+o1uWSRlBkp7le4ZRMqLmB6U=
+-----END PRIVATE KEY-----
diff --git a/openam-certs/src/test/resources/compat/sample-ca/crlnumber b/openam-certs/src/test/resources/compat/sample-ca/crlnumber
new file mode 100644
index 0000000000..dd11724042
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/sample-ca/crlnumber
@@ -0,0 +1 @@
+1001
diff --git a/openam-certs/src/test/resources/compat/sample-ca/index.txt b/openam-certs/src/test/resources/compat/sample-ca/index.txt
new file mode 100644
index 0000000000..fd94c99d32
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/sample-ca/index.txt
@@ -0,0 +1,2 @@
+V	21250701103450Z		41B204F4F08864F67F09099E68F2E0A891EE42F4	unknown	/CN=john.smith
+R	21250701103501Z	250725103504Z	2A56A5A8366BB72F04CF49FDD58007C5E516B0AD	unknown	/CN=jane.smith
diff --git a/openam-certs/src/test/resources/compat/sample-ca/index.txt.attr b/openam-certs/src/test/resources/compat/sample-ca/index.txt.attr
new file mode 100644
index 0000000000..3a7e39e6ee
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/sample-ca/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/openam-certs/src/test/resources/compat/sample-ca/openssl.cnf b/openam-certs/src/test/resources/compat/sample-ca/openssl.cnf
new file mode 100644
index 0000000000..861f9bb011
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/sample-ca/openssl.cnf
@@ -0,0 +1,50 @@
+[ ca ]
+default_ca = sample_ca
+
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[ sample_ca ]
+dir               = ./sample-ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+crlnumber         = $dir/crlnumber
+crl_extensions    = crl_ext
+private_key       = $dir/ca.key.pem
+certificate       = $dir/ca.cert.pem
+
+rand_serial       = true
+unique_subject    = false
+default_days      = 36500
+default_crl_days  = 36500
+default_md        = sha256
+policy            = policy_any
+copy_extensions   = copy
+x509_extensions   = usr_cert
+
+[ policy_any ]
+commonName        = supplied
+
+[v3_req]
+subjectAltName = @alt_names
+
+[ usr_cert ]
+authorityKeyIdentifier = keyid, issuer
+basicConstraints       = CA:FALSE
+crlDistributionPoints  = URI:http://example.com/crl.pem
+extendedKeyUsage       = serverAuth
+keyUsage               = digitalSignature, keyEncipherment
+
+[ crl_ext ]
+authorityKeyIdentifier   = keyid:always
+issuingDistributionPoint = critical, @idp_section
+
+[ idp_section ]
+fullname        = URI:http://example.com/crl.pem
+indirectCRL     = TRUE
+onlysomereasons = keyCompromise, CACompromise
diff --git a/openam-certs/src/test/resources/compat/sample.crl.pem b/openam-certs/src/test/resources/compat/sample.crl.pem
new file mode 100644
index 0000000000..98e62d6686
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/sample.crl.pem
@@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----
+MIIB7zCB2AIBATANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlTYW1wbGUgQ0EX
+DTI1MDcyNTEwNDExNloYDzIxMjUwNzAxMTA0MTE2WjAnMCUCFCpWpag2a7cvBM9J
+/dWAB8XlFrCtFw0yNTA3MjUxMDM1MDRaoGUwYzAfBgNVHSMEGDAWgBQjYY/hn6gJ
+BO4HiVpn4Lj/ne/YRjAzBgNVHRwBAf8EKTAnoB6gHIYaaHR0cDovL2V4YW1wbGUu
+Y29tL2NybC5wZW2DAgVghAH/MAsGA1UdFAQEAgIQADANBgkqhkiG9w0BAQsFAAOC
+AQEAQSqzILKus22pf/QLH5lWZ9WXKmvEtMd1ecRnyS6P1ogrgc3YCdvKzv08t7G3
+sJhidNXBSgUDYnqr9o2RWezjFinNmmIjgczd04RIV+xZjYFlsdJk/gtLFjMWVhBl
+KiPoKvK37jqaNY2KywhbKSv1S+Qp78lOIskI6DUXUhanmhNE5AQ/CwdWvJ/Nugd7
+JJBGyG9ll+W9D/AiTYuzauK5TPGUVm5vd4XXbqqmiPLxiPnMlqNXzYPi1yPRHv64
+VBoTGhA+4ASjKCrSStD5FBf+aaHGcNNIDDbQ5JGJXtBaHD1weFknyEe4qbSmWyHf
+cWchMcbkau737bwV5WnzRz8IeQ==
+-----END X509 CRL-----
diff --git a/openam-certs/src/test/resources/compat/user.cert.pem b/openam-certs/src/test/resources/compat/user.cert.pem
new file mode 100644
index 0000000000..56153708ba
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/user.cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDijCCAnKgAwIBAgIUQbIE9PCIZPZ/CQmeaPLgqJHuQvQwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJU2FtcGxlIENBMCAXDTI1MDcyNTEwMzQ1MFoYDzIxMjUw
+NzAxMTAzNDUwWjAVMRMwEQYDVQQDDApqb2huLnNtaXRoMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEApkCAIg/OwyEHD2XiJfhZOH+iNdQt3Ujf+CXIXfbw
+wTvbjel7GLKbysC/rl6ClZM2skKSR7YN/xQPxAzcnIcEM51MKjpw6mpGaz1lZeaI
+I3YmOnspjfzYapEoFbBobeBOnofeFUNG7829G6ViH4jQQufSa5ujrnkxhFnZgmt9
+/ZdD0n/lJU1tjC97fe0OdlyWfcmZEq3HMtvENZf0KjkvF6MlY38tp5oeCnKgyPoB
+9Ey5bp2AtASGCBqTsoHtciMEOK5oqKBWOcRvCuxDnUK8IRviiqGXzW3OIDcUx1fB
+V23IcdhEAG6/4gmGxOm2F+luRsWeSqL+6YVC+ifMKX92xQIDAQABo4HQMIHNMB8G
+A1UdIwQYMBaAFCNhj+GfqAkE7geJWmfguP+d79hGMAkGA1UdEwQCMAAwKwYDVR0f
+BCQwIjAgoB6gHIYaaHR0cDovL2V4YW1wbGUuY29tL2NybC5wZW0wEwYDVR0lBAww
+CgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMDEGA1UdEQQqMCigJgYKKwYBBAGCNxQC
+A6AYDBZqb2huLnNtaXRoQGV4YW1wbGUuY29tMB0GA1UdDgQWBBR5O5V5+217V+6R
+d3P7sRfbuJIRzTANBgkqhkiG9w0BAQsFAAOCAQEAnzB56VR9qHsmidZaTg7lQDFC
+fO+Ja/uskniN43YBXsS++IBBGTioR28Yc3s9IO9Jqq0DTzzDJpUTJx4+VPGdKTBm
+dpgmH8woxr+v5NbsN6yhZBZOd2uObVzQJz6CxIP/p/CrKmNvH2YVYDN0UaIdNwkk
+r1j/Guf+LrsnbHODiHzXTApyhXWzNCEhouACjywR2gUCxzwFOjsc9N/Ayt9WldMO
+cGvdbMqzdedUoLYytWzmKWjd2aMNJ+n/xRA1R6EHYeGB4S7iXcpIdtGRcswuYNb7
+pjUd9cV1grH13VS3hVe9cCxT6kYcIe/OZ7Bgm9iW5vZ6VMZnAJAYfRGMAQT7yw==
+-----END CERTIFICATE-----
diff --git a/openam-certs/src/test/resources/compat/user.key.pem b/openam-certs/src/test/resources/compat/user.key.pem
new file mode 100644
index 0000000000..8e44d95d91
--- /dev/null
+++ b/openam-certs/src/test/resources/compat/user.key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCmQIAiD87DIQcP
+ZeIl+Fk4f6I11C3dSN/4Jchd9vDBO9uN6XsYspvKwL+uXoKVkzayQpJHtg3/FA/E
+DNychwQznUwqOnDqakZrPWVl5ogjdiY6eymN/NhqkSgVsGht4E6eh94VQ0bvzb0b
+pWIfiNBC59Jrm6OueTGEWdmCa339l0PSf+UlTW2ML3t97Q52XJZ9yZkSrccy28Q1
+l/QqOS8XoyVjfy2nmh4KcqDI+gH0TLlunYC0BIYIGpOyge1yIwQ4rmiooFY5xG8K
+7EOdQrwhG+KKoZfNbc4gNxTHV8FXbchx2EQAbr/iCYbE6bYX6W5GxZ5Kov7phUL6
+J8wpf3bFAgMBAAECggEAFXHNdVdPpsjMVdahAJ/Ttl90R3g6gEglp6cL/N7c+Dfl
+3pzGxY1IXjNVpkLHmk6WaBEBOGHJ1WS7keDM1h3uU1APYoUOSpZxxeRx/15oohZb
+4QBBAHEkYz6dCosqNT4RNg61fU2jyUvjAD1pdkLaBj9L25iEWP2F/xnt3g5Kfpq+
+kDb9KfLiTZJKVa1EjmnCYS8qvz5F3F7x4J5RXNYwVSZppgTmuWYIgmtnKJuP09vK
+291rm6WZ7x0XSmBfOpOkSsvfaOFXmtKf+mSVXOz2siCWdMOkOHDSir90yQIE/OjW
+2zsi28TPj5hl3nFN3butJXS/ZMSomRdTPqsKAFK8gQKBgQDbiN+hzZxJtGaGa6tV
+mfnjUiHgZXNRqaKmOdz1RoyApgTGPsaznlnfN6Q/zHWwO07H1MD46RQlSjJPwFY8
+2SsKgfh6Y4O8fTlq6AJtQqIohuEM42Pz9wnOh1xGGfC8s2UYtpYIroL8g8nrnLLy
+KL6kwcX0g1a8djD1LL2LZUDZBQKBgQDB3ev9exd5j6mWLfZ9xcy+QYSviKkgWD7o
+quncEvH6yv4O0arIAa/+XepMNjMtUxHg9KCR/wUauGUcfODjCTPZep+iz7nY22jw
+NZyL6td2HnAtFfBAXpLJY0iZNpd8mFmMzCwTpthq0pVDdiCt8ordWeDif6k/oGiJ
+w3k5FCuSwQKBgQCcvjUtiWg1F6C8CNPj4nQQYeveE5EqlTuUA2xHk39tuxtdkCS+
+yijQvyF+i7TbhvzQoI7HKWNA3KDfYCwydbvNXM7UU4kTYzVDpzNUX2b4GJVGZnRP
+E+rkkrDHPG4tzMg5xOOKf072jAH3P4Jkc8LqT4/O7JdZJ+n8o10R0dFjIQKBgHgs
+ieoSUIXxMQ3AJijm4TkawhZRn41GRpDRya+7Krbs+DnVbIkYyrDiJKfjfSveb5nD
+6nk13UMoBL15B6qU/MgWRDiXjbvInq8wfH8bLz6wNZctH0W3mkQuQEWBWrxIcFJg
+Cf6QkVz+drpf0nghfkUiPs4IlrCzTboAKvff8fbBAoGAeVQcVCFRqJTYXzyY5mNI
+Obw6J0uGsqC5HF8b7qduMerTfeRThVWjyd/6uYvM7sjOzea7ifkqqW95k4nkAhM0
+s3IwCUWLYRfn/Ljq3c4bQ8naRA31tKyP/QT489gibZX3sG+VNJMrFR6H3DE7pkxF
+4sa1qE0ECNp34bxb4Kkz1fg=
+-----END PRIVATE KEY-----
diff --git a/openam-shared/src/main/java/com/iplanet/security/x509/IssuingDistributionPointExtension.java b/openam-shared/src/main/java/com/iplanet/security/x509/IssuingDistributionPointExtension.java
deleted file mode 100644
index fd365afa80..0000000000
--- a/openam-shared/src/main/java/com/iplanet/security/x509/IssuingDistributionPointExtension.java
+++ /dev/null
@@ -1,578 +0,0 @@
-/**
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
- *
- * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
- *
- * The contents of this file are subject to the terms
- * of the Common Development and Distribution License
- * (the License). You may not use this file except in
- * compliance with the License.
- *
- * You can obtain a copy of the License at
- * https://opensso.dev.java.net/public/CDDLv1.0.html or
- * opensso/legal/CDDLv1.0.txt
- * See the License for the specific language governing
- * permission and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL
- * Header Notice in each file and include the License file
- * at opensso/legal/CDDLv1.0.txt.
- * If applicable, add the following below the CDDL Header,
- * with the fields enclosed by brackets [] replaced by
- * your own identifying information:
- * "Portions Copyrighted [year] [name of copyright owner]"
- *
- * $Id: IssuingDistributionPointExtension.java,v 1.2 2008/06/25 05:52:46 qcheng Exp $
- *
- */
-
-package com.iplanet.security.x509;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-import java.util.*;
-
-
-import sun.security.util.BitArray;
-import sun.security.util.DerInputStream;
-import sun.security.util.DerOutputStream;
-import sun.security.util.DerValue;
-import sun.security.util.ObjectIdentifier;
-import sun.security.x509.AVA;
-import sun.security.x509.Extension;
-import sun.security.x509.GeneralNames;
-import sun.security.x509.PKIXExtensions;
-import sun.security.x509.RDN;
-
-/**
- * A critical CRL extension that identifies the CRL distribution point
- * for a particular CRL
- *
- * <pre>
- * issuingDistributionPoint ::= SEQUENCE {
- *         distributionPoint       [0] DistributionPointName OPTIONAL,
- *         onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
- *         onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
- *         onlySomeReasons         [3] ReasonFlags OPTIONAL,
- *         indirectCRL             [4] BOOLEAN DEFAULT FALSE }
- *
- * DistributionPointName ::= CHOICE {
- *         fullName                [0]     GeneralNames,
- *         nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
- *
- * ReasonFlags ::= BIT STRING {
- *         unused                  (0),
- *         keyCompromise           (1),
- *         cACompromise            (2),
- *         affiliationChanged      (3),
- *         superseded              (4),
- *         cessationOfOperation    (5),
- *         certificateHold         (6) }
- *
- * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
- *
- * GeneralName ::= CHOICE {
- *         otherName                       [0]     OtherName,
- *         rfc822Name                      [1]     IA5String,
- *         dNSName                         [2]     IA5String,
- *         x400Address                     [3]     ORAddress,
- *         directoryName                   [4]     Name,
- *         ediPartyName                    [5]     EDIPartyName,
- *         uniformResourceIdentifier       [6]     IA5String,
- *         iPAddress                       [7]     OCTET STRING,
- *         registeredID                    [8]     OBJECT IDENTIFIER}
- *
- * OtherName ::= SEQUENCE {
- *         type-id    OBJECT IDENTIFIER,
- *         value      [0] EXPLICIT ANY DEFINED BY type-id }
- *
- * EDIPartyName ::= SEQUENCE {
- *         nameAssigner            [0]     DirectoryString OPTIONAL,
- *         partyName               [1]     DirectoryString }
- *
- * RelativeDistinguishedName ::=
- *         SET OF AttributeTypeAndValue
- *
- * AttributeTypeAndValue ::= SEQUENCE {
- *         type     AttributeType,
- *         value    AttributeValue }
- *
- * AttributeType ::= OBJECT IDENTIFIER
- *
- * AttributeValue ::= ANY DEFINED BY AttributeType
- * </pre>
- */
-public class IssuingDistributionPointExtension extends Extension {
-
-
-    /**
-     * Identifier for this attribute, to be used with the
-     * get, set, delete methods of Certificate, x509 type.
-     */
-    public static final String IDENT = 
-    				"x509.info.extensions.IssuingDistributionPoint";
-
-    // reason flag bits
-    public final static int KEY_COMPROMISE         = 1;
-    public final static int CA_COMPROMISE          = 2;
-    public final static int AFFILIATION_CHANGED    = 3;
-    public final static int SUPERSEDED             = 4;
-    public final static int CESSATION_OF_OPERATION = 5;
-    public final static int CERTIFICATE_HOLD       = 6;
-    
-    private static final String[] REASON_STRINGS = {
-	null,
-	"key compromise",
-	"CA compromise",
-	"affiliation changed",
-	"superseded",
-	"cessation of operation",
-	"certificate hold"
-    };
-
-    /**
-     * Attribute name.
-     */
-    public static final String NAME = "IssuingDistributionPoint";
-
-    // context specific tag values
-    private static final byte TAG_DIST_PT = 0;
-    private static final byte TAG_ONLY_USER_CERTS = 1;
-    private static final byte TAG_ONLY_CA_CERTS = 2;
-    private static final byte TAG_REASONS = 3;
-    private static final byte TAG_INDIRECT_CRL = 4;
-
-    private static final byte TAG_FULL_NAME = 0;
-    private static final byte TAG_REL_NAME = 1;
-
-
-    // only one of fullName and relativeName can be set
-    private GeneralNames fullName = null;
-    private RDN relativeName = null;
-
-    private boolean onlyContainsUserCerts = false;
-    private boolean onlyContainsCACerts = false;
-
-    // onlySomeReasons or null
-    private boolean[] reasonFlags = null;
-    
-    private boolean indirectCRL = false;
-
-    
-    // cached hashCode value
-    private volatile int hashCode;
-
-
-    /**
-     * Create a IssuingDistributionPointExtension.
-     *
-     * @param fullName the GeneralNames of the distribution point; may be null
-     * @param onlyContainsUserCerts the 'onlyContainsUserCerts' attribute
-     * @param onlyContainsCACerts the 'onlyContainsCACerts' attribute
-     * @param reasonFlags the 'reasonFlags' attribute
-     * @param indirectCRL the 'indirectCRL' attribute
-     * @param critical true if this is a critical extension
-     * @throws IOException on error
-     */
-    public IssuingDistributionPointExtension(GeneralNames fullName,
-                                             boolean onlyContainsUserCerts,
-                                             boolean onlyContainsCACerts,
-                                             boolean[] reasonFlags,
-                                             boolean indirectCRL,
-                                             boolean critical)
-	    throws IOException {
-        this.extensionId = PKIXExtensions.IssuingDistributionPoint_Id;
-        this.critical = critical;
-
-        this.fullName = fullName;
-        this.onlyContainsUserCerts = onlyContainsUserCerts;
-        this.onlyContainsCACerts = onlyContainsCACerts;
-	this.reasonFlags = reasonFlags;
-        this.indirectCRL = indirectCRL;
-
-        encodeThis();
-    }
-
-    /**
-     * Create a IssuingDistributionPointExtension.
-     *
-     * @param relativeName the RelativeDistinguishedName of the distribution 
-     *        point; may not be null
-     * @param onlyContainsUserCerts the 'onlyContainsUserCerts' attribute
-     * @param onlyContainsCACerts the 'onlyContainsCACerts' attribute
-     * @param reasonFlags the 'reasonFlags' attribute
-     * @param indirectCRL the 'indirectCRL' attribute
-     * @param critical true if this is a critical extension
-     * @throws IOException on error
-     */
-    public IssuingDistributionPointExtension(RDN relativeName,
-                                             boolean onlyContainsUserCerts,
-                                             boolean onlyContainsCACerts,
-                                             boolean[] reasonFlags,
-                                             boolean indirectCRL,
-                                             boolean critical)
-	    throws IOException {
-        this.extensionId = PKIXExtensions.IssuingDistributionPoint_Id;
-        this.critical = critical;
-
-        this.relativeName = relativeName;
-        this.onlyContainsUserCerts = onlyContainsUserCerts;
-        this.onlyContainsCACerts = onlyContainsCACerts;
-	this.reasonFlags = reasonFlags;
-        this.indirectCRL = indirectCRL;
-
-        encodeThis();
-    }
-
-
-    /**
-     * Create the extension from the passed DER encoded value of the same.
-     *
-     * @param value Array of DER encoded bytes of the actual value.
-     * @exception IOException on error.
-     */
-    public IssuingDistributionPointExtension(Object value)
-	    throws IOException {
-        this.extensionId = PKIXExtensions.IssuingDistributionPoint_Id;
-        this.critical = true;
-
-	if (!(value instanceof byte[])) {
-	    throw new IOException("Illegal argument type");
-	}
-	
-	extensionValue = (byte[])value;
-        DerValue val = new DerValue(extensionValue);
-	if (val.tag != DerValue.tag_Sequence) {
-	    throw new IOException("Invalid encoding for " +
-				  "IssuingDistributionPointExtension.");
-	}
-
-	if (val.data == null || val.data.available() == 0) {
-            return;
-        }
-
-        DerValue opt = val.data.getDerValue();
-
-        if (opt.isContextSpecific(TAG_DIST_PT) && opt.isConstructed()) {
-            DerValue distPnt = opt.data.getDerValue();
-            if (distPnt.isContextSpecific(TAG_FULL_NAME)
-                && distPnt.isConstructed()) {
-                distPnt.resetTag(DerValue.tag_Sequence);
-                fullName = new GeneralNames(distPnt);
-            } else if (distPnt.isContextSpecific(TAG_REL_NAME) 
-                       && distPnt.isConstructed()) {
-                distPnt.resetTag(DerValue.tag_Set);
-                
-                relativeName = new RDN(derValueToAVAs(distPnt));
-            } else {
-                throw new IOException("Invalid encoding for " +
-                                      "IssuingDistributionPointExtension.");
-            }
-
-
-            if (val.data.available() == 0) {
-                return;
-            }
-            opt = val.data.getDerValue();
-        }
-
-
-        if (opt.isContextSpecific(TAG_ONLY_USER_CERTS)) {
-            opt.resetTag(DerValue.tag_Boolean);
-            onlyContainsUserCerts = opt.getBoolean();
-
-            if (val.data.available() == 0) {
-                return;
-            }
-            opt = val.data.getDerValue();
-
-        }
-
-        if (opt.isContextSpecific(TAG_ONLY_CA_CERTS)) {
-            opt.resetTag(DerValue.tag_Boolean);
-            onlyContainsCACerts = opt.getBoolean();
-
-            if (onlyContainsUserCerts && onlyContainsCACerts) {
-                throw new IOException("onlyContainsUserCerts and " +
-                                      "onlyContainsCACerts can't both be true");
-            }
-
-            if (val.data.available() == 0) {
-                return;
-            }
-            opt = val.data.getDerValue();
-        }
-
-        if (opt.isContextSpecific(TAG_REASONS) && !opt.isConstructed()) {
-            opt.resetTag(DerValue.tag_BitString);
-            reasonFlags = (opt.getUnalignedBitString()).toBooleanArray();
-
-            if (val.data.available() == 0) {
-                return;
-            }
-            opt = val.data.getDerValue();
-        }
-
-        if (opt.isContextSpecific(TAG_INDIRECT_CRL)) {
-            opt.resetTag(DerValue.tag_Boolean);
-            indirectCRL = opt.getBoolean();
-
-            if (val.data.available() == 0) {
-                return;
-            }
-        }
-
-        throw new IOException("Invalid encoding for " +
-                              "IssuingDistributionPointExtension.");
-    }
-
-    /**
-     * Return the name of this attribute.
-     */
-    public String getName() {
-        return NAME;
-    }
-
-    /**
-     * Return the full distribution point name or null if not set.
-     */
-    public GeneralNames getFullName() {
-	return fullName;
-    }
-    
-    /**
-     * Return the relative distribution point name or null if not set.
-     */
-    public RDN getRelativeName() {
-	return relativeName;
-    }
-    
-    /**
-     * Return the onlyContainsUserCerts attribute
-     */
-    public boolean getOnlyContainsUserCerts() {
-	return onlyContainsUserCerts;
-    }
-
-    /**
-     * Return the onlyContainsCACerts attribute
-     */
-    public boolean getOnlyContainsCACerts() {
-	return onlyContainsCACerts;
-    }
-
-    /**
-     * Return the reason flags or null if not set.
-     */
-    public boolean[] getOnlySomeReasons() {
-	return reasonFlags;
-    }
-    
-    /**
-     * Return the indirectCRL attribute
-     */
-    public boolean getIndirectCRL() {
-	return indirectCRL;
-    }
-
-
-    /**
-     * Sets the full distribution point name.
-     */
-    public void setFullName(GeneralNames fullName) {
-        this.fullName = fullName;
-        if( fullName != null ) {
-            this.relativeName = null;
-        }
-    }
-
-    /**
-     * Sets the relative distribution point name.
-     */
-    public void setRelativeName(RDN relativeName) {
-        this.relativeName = relativeName;
-        if( relativeName != null ) {
-            this.fullName = null;
-        }
-    }
-
-    /**
-     * Sets the onlyContainsUserCerts attribute.
-     */
-    public void setOnlyContainsUserCerts(boolean onlyContainsUserCerts) {
-        this.onlyContainsUserCerts = onlyContainsUserCerts;
-    }
-
-    /**
-     * Sets the onlyContainsCACerts attribute.
-     */
-    public void setOnlyContainsCACerts(boolean onlyContainsCACerts) {
-        this.onlyContainsCACerts = onlyContainsCACerts;
-    }
-
-    /**
-     * Sets the reason flags for this distribution point.
-     */
-    public void setOnlySomeReasons(boolean[] reasonFlags) {
-        this.reasonFlags = reasonFlags;
-    }
-
-    /**
-     * Sets the indirectCRL attribute.
-     */
-    public void setIndirectCRL(boolean indirectCRL) {
-        this.indirectCRL = indirectCRL;
-    }
-
-    /**
-     * Write the extension to the DerOutputStream.
-     *
-     * @param out the DerOutputStream to write the extension to.
-     * @exception IOException on encoding errors.
-     */
-    public void encode(OutputStream out) throws IOException {
-        DerOutputStream tmp = new DerOutputStream();
-        if (this.extensionValue == null) {
-            this.extensionId = PKIXExtensions.IssuingDistributionPoint_Id;
-            this.critical = true;
-            encodeThis();
-        }
-        super.encode(tmp);
-        out.write(tmp.toByteArray());
-    }
-
-     // Encode this extension value
-    private void encodeThis() throws IOException {
-
-        if (onlyContainsUserCerts && onlyContainsCACerts) {
-            throw new IOException("onlyContainsUserCerts and " +
-                                  "onlyContainsCACerts can't both be true");
-        }
-
- 	DerOutputStream tagged = new DerOutputStream();
-
-        // NOTE: only one of pointNames and pointRDN can be set
-        if ((fullName != null) || (relativeName != null)) {
-            DerOutputStream distributionPoint = new DerOutputStream();
-            if (fullName != null) {
-                DerOutputStream derOut = new DerOutputStream();
-                fullName.encode(derOut);
-                distributionPoint.writeImplicit(
-                    DerValue.createTag(DerValue.TAG_CONTEXT, true, TAG_FULL_NAME),
-                    derOut);
-            } else if (relativeName != null) {
-                DerOutputStream derOut = new DerOutputStream();
-                encodeRDN(relativeName, derOut);
-                distributionPoint.writeImplicit(
-                    DerValue.createTag(DerValue.TAG_CONTEXT, true, TAG_REL_NAME),
-                    derOut);
-            }
-            tagged.write(
-                DerValue.createTag(DerValue.TAG_CONTEXT, true, TAG_DIST_PT),
-                distributionPoint);
-        }
-
-        if (onlyContainsUserCerts) {
-            DerOutputStream doOnlyContainsUserCerts = new DerOutputStream();
-            doOnlyContainsUserCerts.putBoolean(onlyContainsUserCerts);
-            tagged.writeImplicit(DerValue.createTag(DerValue.TAG_CONTEXT, false,
-                                                    TAG_ONLY_USER_CERTS),
-                                 doOnlyContainsUserCerts);
-        }
-
-        if (onlyContainsCACerts) {
-            DerOutputStream doOnlyContainsCACerts = new DerOutputStream();
-            doOnlyContainsCACerts.putBoolean(onlyContainsCACerts);
-            tagged.writeImplicit(DerValue.createTag(DerValue.TAG_CONTEXT, false,
-                                                    TAG_ONLY_CA_CERTS),
-                                 doOnlyContainsCACerts);
-        }
-        if (reasonFlags != null) {
-	    DerOutputStream reasons = new DerOutputStream();
-	    BitArray rf = new BitArray(reasonFlags);
-            reasons.putUnalignedBitString(rf);
-	    tagged.writeImplicit(
-	    	DerValue.createTag(DerValue.TAG_CONTEXT, false, TAG_REASONS), 
-		reasons);
-	}
-
-        if (indirectCRL) {
-            DerOutputStream doIndirectCRL = new DerOutputStream();
-            doIndirectCRL.putBoolean(indirectCRL);
-            tagged.writeImplicit(DerValue.createTag(DerValue.TAG_CONTEXT, false,
-                                                    TAG_INDIRECT_CRL),
-                                 doIndirectCRL);
-        }
-        this.extensionValue = tagged.toByteArray();
-    }
-
-    /**
-     * Return a string representation for reasonFlag bit 'reason'.
-     */
-    private static String reasonToString(int reason) {
-	if ((reason > 0) && (reason < REASON_STRINGS.length)) {
-	    return REASON_STRINGS[reason];
-	}
-	return "Unknown reason " + reason;
-    }
-
-    /**
-     * Return the extension as user readable string.
-     */
-    public String toString() {
-	StringBuffer sb = new StringBuffer();
-        sb.append(super.toString() + "IssuingDistributionPoint [\n  ");
-        if (fullName != null) {
-	    sb.append("    fullName:\n    " + fullName + "\n");
-	}
-        if (relativeName != null) {
-            sb.append("    relativeName:\n     " + relativeName + "\n");
-	}
-
-        sb.append("    onlyContainsUserCerts:\n     " +
-                  onlyContainsUserCerts + "\n");
-
-        sb.append("    onlyContainsCACerts:\n     " +
-                  onlyContainsCACerts + "\n");
-
-	if (reasonFlags != null) {
-	    sb.append("   ReasonFlags:\n");
-	    for (int i = 0; i < reasonFlags.length; i++) {
-		if (reasonFlags[i]) {
-		    sb.append("    " + reasonToString(i) + "\n");
-		}
-	    }
-	}
-
-        sb.append("    indirectCRL:\n     " +
-                  indirectCRL + "\n");
-
-
-	return sb.toString();
-    }
-
-    private static AVA[] derValueToAVAs(DerValue derValue)
-        throws IOException {
-
-        DerInputStream dis = new DerInputStream(derValue.toByteArray());
-        DerValue[] avaset = dis.getSet(5);
-
-        AVA[] avas = new AVA[avaset.length];
-        for (int i = 0; i < avaset.length; i++) {
-            DerValue derval = avaset[i];
-            avas[i] = new AVA(derval.data.getOID(), derval.data.getDerValue());
-        }
-
-        return avas;
-    }
-
-    private static void encodeRDN(RDN rdn, DerOutputStream derOut)
-        throws IOException {
-
-        List avas = rdn.avas();
-        AVA[] avaArray = (AVA[])avas.toArray(new AVA[avas.size()]);
-        derOut.putOrderedSetOf(DerValue.tag_Set, avaArray);
-    }
-}