L’exemple qui le fait avec X509v3CertificateBuilder :
http://gitblit.googlecode.com/git-history/88598bb2f779b73479512d818c675dea8fa72138/src/com/gitblit/MakeCertificate.java
KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC");
kpGen.initialize(1024, new SecureRandom());
KeyPair pair = kpGen.generateKeyPair();

// Generate self-signed certificate
X500NameBuilder builder = new X500NameBuilder(BCStyle.INSTANCE);
builder.addRDN(BCStyle.OU, Constants.NAME);
builder.addRDN(BCStyle.O, Constants.NAME);
builder.addRDN(BCStyle.CN, hostname);

Date notBefore = new Date(System.currentTimeMillis() - TimeUtils.ONEDAY);
Date notAfter = new Date(System.currentTimeMillis() + 10 * TimeUtils.ONEYEAR);
BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());

X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(builder.build(),
serial, notBefore, notAfter, builder.build(), pair.getPublic());
ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
.setProvider(BC).build(pair.getPrivate());
certGen.build(sigGen);

Le résultat dans un X509CertificateHolder