commons-io
diff --git a/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleCertProcessingFactory.java b/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleCertProcessingFactory.java
index c1e5ce56..c7f6c3c4 100644
--- a/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleCertProcessingFactory.java
+++ b/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleCertProcessingFactory.java
@@ -14,6 +14,7 @@
*/
package org.globus.gsi.bc;
+import org.bouncycastle.asn1.x500.style.BCStyle;
import org.globus.gsi.util.CertificateLoadUtil;
import org.globus.gsi.util.ProxyCertificateUtil;
@@ -48,13 +49,13 @@
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.provider.X509CertificateObject;
import org.bouncycastle.asn1.DERSet;
-import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.x509.X509Name;
+import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.TBSCertificateStructure;
-import org.bouncycastle.asn1.x509.X509CertificateStructure;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
@@ -149,7 +150,7 @@ public X509Certificate createCertificate(InputStream certRequestInputStream, X50
throws IOException, GeneralSecurityException {
ASN1InputStream derin = new ASN1InputStream(certRequestInputStream);
- DERObject reqInfo = derin.readObject();
+ ASN1Primitive reqInfo = derin.readObject();
PKCS10CertificationRequest certReq = new PKCS10CertificationRequest((ASN1Sequence) reqInfo);
boolean rs = certReq.verify();
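Review bot: The cast `(ASN1Sequence) reqInfo` runs on whatever `derin.readObject()` produced from the caller's stream, so a request whose top-level object is not a SEQUENCE surfaces as a ClassCastException. An empty stream, where `readObject()` yields null, passes null into the `PKCS10CertificationRequest` constructor. Neither case is covered by the declared `IOException, GeneralSecurityException`. A type check before the cast, `if (!(reqInfo instanceof ASN1Sequence)) { throw new GeneralSecurityException(<message>); }`, keeps malformed requests on the checked path. The second `createCertificate` overload (hunk at -572) has the same two lines, and the method body continues outside this hunk.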
@@ -413,11 +414,11 @@ public X509Certificate createProxyCertificate(X509Certificate issuerCert_, Priva
X509Extension ext;
// handle key usage ext
- ext = extensions.getExtension(X509Extensions.KeyUsage);
+ ext = extensions.getExtension(X509Extension.keyUsage);
if (ext != null) {
// TBD: handle this better
- if (extSet != null && (extSet.get(X509Extensions.KeyUsage.getId()) != null)) {
+ if (extSet != null && (extSet.get(X509Extension.keyUsage.getId()) != null)) {
String err = i18n.getMessage("keyUsageExt");
throw new GeneralSecurityException(err);
}
@@ -437,7 +438,7 @@ public X509Certificate createProxyCertificate(X509Certificate issuerCert_, Priva
bits = new DERBitString(bytes, bits.getPadBits());
- certGen.addExtension(X509Extensions.KeyUsage, ext.isCritical(), bits);
+ certGen.addExtension(X509Extension.keyUsage, ext.isCritical(), bits);
}
}
@@ -481,7 +482,7 @@ public X509Certificate createProxyCertificate(X509Certificate issuerCert_, Priva
X509NameHelper issuer = new X509NameHelper(issuerDN);
X509NameHelper subject = new X509NameHelper(issuerDN);
- subject.add(X509Name.CN, (cnValue == null) ? delegDN : cnValue);
+ subject.add(BCStyle.CN, (cnValue == null) ? delegDN : cnValue);
certGen.setSubjectDN(subject.getAsName());
certGen.setIssuerDN(issuer.getAsName());
@@ -572,7 +573,7 @@ public X509Certificate createCertificate(InputStream certRequestInputStream, X50
String cnValue) throws IOException, GeneralSecurityException {
ASN1InputStream derin = new ASN1InputStream(certRequestInputStream);
- DERObject reqInfo = derin.readObject();
+ ASN1Primitive reqInfo = derin.readObject();
PKCS10CertificationRequest certReq = new PKCS10CertificationRequest((ASN1Sequence) reqInfo);
boolean rs = certReq.verify();
@@ -817,11 +818,11 @@ public X509Certificate createProxyCertificate(X509Certificate issuerCert_, Priva
X509Extension ext;
// handle key usage ext
- ext = extensions.getExtension(X509Extensions.KeyUsage);
+ ext = extensions.getExtension(X509Extension.keyUsage);
if (ext != null) {
// TBD: handle this better
- if (extSet != null && (extSet.get(X509Extensions.KeyUsage.getId()) != null)) {
+ if (extSet != null && (extSet.get(X509Extension.keyUsage.getId()) != null)) {
String err = i18n.getMessage("keyUsageExt");
throw new GeneralSecurityException(err);
}
@@ -841,7 +842,7 @@ public X509Certificate createProxyCertificate(X509Certificate issuerCert_, Priva
bits = new DERBitString(bytes, bits.getPadBits());
- certGen.addExtension(X509Extensions.KeyUsage, ext.isCritical(), bits);
+ certGen.addExtension(X509Extension.keyUsage, ext.isCritical(), bits);
}
}
@@ -883,7 +884,7 @@ public X509Certificate createProxyCertificate(X509Certificate issuerCert_, Priva
}
X509NameHelper issuer = new X509NameHelper(issuerDN);
X509NameHelper subject = new X509NameHelper(issuerDN);
- subject.add(X509Name.CN, (cnValue == null) ? delegDN : cnValue);
+ subject.add(BCStyle.CN, (cnValue == null) ? delegDN : cnValue);
certGen.setSubjectDN(subject.getAsName());
certGen.setIssuerDN(issuer.getAsName());
@@ -922,9 +923,9 @@ public X509Certificate createProxyCertificate(X509Certificate issuerCert_, Priva
*/
public X509Certificate loadCertificate(InputStream in) throws IOException, GeneralSecurityException {
ASN1InputStream derin = new ASN1InputStream(in);
- DERObject certInfo = derin.readObject();
+ ASN1Primitive certInfo = derin.readObject();
ASN1Sequence seq = ASN1Sequence.getInstance(certInfo);
- return new X509CertificateObject(new X509CertificateStructure(seq));
+ return new X509CertificateObject(Certificate.getInstance(seq));
}
/**
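Review bot: An empty input stream is not rejected in `loadCertificate`: `readObject()` returns null at end of input and, as far as I can tell, both `ASN1Sequence.getInstance` and `Certificate.getInstance` pass null straight through, so `X509CertificateObject` is constructed from a null structure. For a malformed encoding the two factories throw IllegalArgumentException, which the `throws IOException, GeneralSecurityException` clause does not declare. Consider `if (certInfo == null) { throw new IOException(<message>); }` after the read, and catching IllegalArgumentException to rethrow it as a `GeneralSecurityException` that keeps the cause.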
diff --git a/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleOpenSSLKey.java b/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleOpenSSLKey.java
index 3786d063..0f666e1a 100644
--- a/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleOpenSSLKey.java
+++ b/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleOpenSSLKey.java
@@ -28,8 +28,8 @@
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.PKCS8EncodedKeySpec;
import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
@@ -121,12 +121,12 @@ protected PrivateKey getKey(String alg, byte[] data)
}
ByteArrayInputStream bis = new ByteArrayInputStream(data);
ASN1InputStream derin = new ASN1InputStream(bis);
- DERObject keyInfo = derin.readObject();
+ ASN1Primitive keyInfo = derin.readObject();
DERObjectIdentifier rsaOid = PKCSObjectIdentifiers.rsaEncryption;
AlgorithmIdentifier rsa = new AlgorithmIdentifier(rsaOid);
PrivateKeyInfo pkeyinfo = new PrivateKeyInfo(rsa, keyInfo);
- DERObject derkey = pkeyinfo.getDERObject();
+ ASN1Primitive derkey = pkeyinfo.toASN1Primitive();
byte[] keyData = BouncyCastleUtil.toByteArray(derkey);
// The DER object needs to be mangled to
// create a proper ProvateKeyInfo object
@@ -150,10 +150,10 @@ protected byte[] getEncoded(PrivateKey key) {
&& (format.equalsIgnoreCase("PKCS#8") || format
.equalsIgnoreCase("PKCS8"))) {
try {
- DERObject keyInfo = BouncyCastleUtil.toDERObject(key
+ ASN1Primitive keyInfo = BouncyCastleUtil.toASN1Primitive(key
.getEncoded());
PrivateKeyInfo pkey = new PrivateKeyInfo((ASN1Sequence) keyInfo);
- DERObject derKey = pkey.getPrivateKey();
+ ASN1Primitive derKey = pkey.getPrivateKey();
return BouncyCastleUtil.toByteArray(derKey);
} catch (IOException e) {
// that should never happen
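Review bot: `pkey.getPrivateKey()` is the legacy accessor on `PrivateKeyInfo`, and its meaning is version-dependent. In later Bouncy Castle releases, as far as I recall, it returns the OCTET STRING wrapper instead of the parsed key structure. Because that type is still an `ASN1Primitive`, this line would keep compiling while `getEncoded` silently emits a different encoding of the private key. `ASN1Primitive derKey = pkey.parsePrivateKey().toASN1Primitive();` states the intent explicitly, and its IOException is already handled by the surrounding `catch`. The method body starts and ends outside this hunk.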
@@ -169,7 +169,7 @@ protected byte[] getEncoded(PrivateKey key) {
.getPrivateExponent(), pKey.getPrimeP(), pKey.getPrimeQ(),
pKey.getPrimeExponentP(), pKey.getPrimeExponentQ(), pKey
.getCrtCoefficient());
- DERObject ob = st.getDERObject();
+ ASN1Primitive ob = st.toASN1Primitive();
try {
return BouncyCastleUtil.toByteArray(ob);
diff --git a/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleUtil.java b/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleUtil.java
index 5b1ef4db..9de4d93c 100644
--- a/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleUtil.java
+++ b/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleUtil.java
@@ -30,16 +30,15 @@
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
+import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
+import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.DERBitString;
-import org.bouncycastle.asn1.DERBoolean;
-import org.bouncycastle.asn1.DEREncodable;
-import org.bouncycastle.asn1.DERInteger;
-import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROutputStream;
-import org.bouncycastle.asn1.DERString;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.TBSCertificateStructure;
import org.bouncycastle.asn1.x509.X509Extension;
@@ -76,7 +75,7 @@ public class BouncyCastleUtil {
* @return the DER-encoded byte array
* @exception IOException if conversion fails
*/
- public static byte[] toByteArray(DERObject obj)
+ public static byte[] toByteArray(ASN1Primitive obj)
throws IOException {
ByteArrayOutputStream bout = new ByteArrayOutputStream();
DEROutputStream der = new DEROutputStream(bout);
@@ -92,7 +91,7 @@ public static byte[] toByteArray(DERObject obj)
* @return the DERObject.
* @exception IOException if conversion fails
*/
- public static DERObject toDERObject(byte[] data)
+ public static ASN1Primitive toASN1Primitive(byte[] data)
throws IOException {
ByteArrayInputStream inStream = new ByteArrayInputStream(data);
ASN1InputStream derInputStream = new ASN1InputStream(inStream);
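Review bot: The Javadoc for the renamed `toASN1Primitive(byte[])` still reads `@return the DERObject.`, a type that no longer exists after this change. It should read `@return the decoded ASN1Primitive.`. The same stale wording remains on `duplicate` (`@return a copy of the DERObject.`), on `CertificateUtil.toASN1Primitive`, and on the `toASN1Primitive()` methods of `ProxyCertInfo` and `ProxyPolicy`. The Javadoc could also say that only the first ASN.1 object in `data` is read, if the part of the body outside this hunk does not check for trailing bytes.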
@@ -108,9 +107,9 @@ public static DERObject toDERObject(byte[] data)
* @return a copy of the DERObject.
* @exception IOException if replication fails
*/
- public static DERObject duplicate(DERObject obj)
+ public static ASN1Primitive duplicate(ASN1Primitive obj)
throws IOException {
- return toDERObject(toByteArray(obj));
+ return toASN1Primitive(toByteArray(obj));
}
/**
@@ -123,7 +122,7 @@ public static DERObject duplicate(DERObject obj)
*/
public static TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert)
throws CertificateEncodingException, IOException {
- DERObject obj = BouncyCastleUtil.toDERObject(cert.getTBSCertificate());
+ ASN1Primitive obj = BouncyCastleUtil.toASN1Primitive(cert.getTBSCertificate());
return TBSCertificateStructure.getInstance(obj);
}
@@ -133,9 +132,9 @@ public static TBSCertificateStructure getTBSCertificateStructure(X509Certificate
* @param ext the certificate extension to extract the value from.
* @exception IOException if extraction fails.
*/
- public static DERObject getExtensionObject(X509Extension ext)
+ public static ASN1Primitive getExtensionObject(X509Extension ext)
throws IOException {
- return toDERObject(ext.getValue().getOctets());
+ return toASN1Primitive(ext.getValue().getOctets());
}
/**
@@ -295,9 +294,9 @@ private static GSIConstants.CertificateType getCertificateType(TBSCertificateStr
X509Extension ext = null;
if (extensions != null) {
- ext = extensions.getExtension(X509Extensions.BasicConstraints);
+ ext = extensions.getExtension(X509Extension.basicConstraints);
if (ext != null) {
- BasicConstraints basicExt = getBasicConstraints(ext);
+ BasicConstraints basicExt = BasicConstraints.getInstance(ext);
if (basicExt.isCA()) {
return GSIConstants.CertificateType.CA;
}
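Review bot: `BasicConstraints.getInstance(ext)` is handed the `X509Extension` wrapper rather than the decoded extension value, so the CA check depends on the factory recognising that wrapper type. Where it does not, the result is an unchecked IllegalArgumentException in the middle of certificate-type classification. Decoding explicitly with `BasicConstraints basicExt = BasicConstraints.getInstance(getExtensionObject(ext));` uses the helper already in this class and keeps a decoding failure as an IOException, which the removed `getBasicConstraints` also threw. `CertificateUtil.getCertificateType` in this same commit still goes through `getBasicConstraints(ext)`, so the two copies of this logic now take different paths. The enclosing method starts and ends outside this hunk.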
@@ -307,12 +306,12 @@ private static GSIConstants.CertificateType getCertificateType(TBSCertificateStr
GSIConstants.CertificateType type = GSIConstants.CertificateType.EEC;
// does not handle multiple AVAs
- X509Name subject = crt.getSubject();
+ X500Name subject = crt.getSubject();
ASN1Set entry = X509NameHelper.getLastNameEntry(subject);
ASN1Sequence ava = (ASN1Sequence)entry.getObjectAt(0);
- if (X509Name.CN.equals(ava.getObjectAt(0))) {
- String value = ((DERString)ava.getObjectAt(1)).getString();
+ if (BCStyle.CN.equals(ava.getObjectAt(0))) {
+ String value = ((ASN1String)ava.getObjectAt(1)).getString();
if (value.equalsIgnoreCase("proxy")) {
type = GSIConstants.CertificateType.GSI_2_PROXY;
} else if (value.equalsIgnoreCase("limited proxy")) {
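Review bot: `X509NameHelper.getLastNameEntry(subject)` returns null for a name with no RDNs (see the `size > 0` test in this commit), and `entry.getObjectAt(0)` on the next line dereferences it unchecked. A certificate with an empty subject therefore ends in a NullPointerException instead of a CertificateException. A guard such as `if (entry == null) { throw new CertificateException(<message>); }` before the `ava` line closes that. The `(ASN1String)` cast likewise assumes the CN value is a string type and would raise ClassCastException otherwise. The same `getLastNameEntry` / `getObjectAt(0)` pair appears in the `CertificateUtil.getCertificateType` hunk (at -294), and the method body continues outside this hunk.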
@@ -370,7 +369,7 @@ private static GSIConstants.CertificateType getCertificateType(TBSCertificateStr
X509NameHelper iss = new X509NameHelper(crt.getIssuer());
iss.add((ASN1Set)BouncyCastleUtil.duplicate(entry));
X509Name issuer = iss.getAsName();
- if (!issuer.equals(subject)) {
+ if (!issuer.equals(X509Name.getInstance(subject))) {
String err = i18n.getMessage("proxyDNErr");
throw new CertificateException(err);
}
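Review bot: The proxy subject check `issuer.equals(X509Name.getInstance(subject))` relies on `X509Name.equals(Object)`, which, as far as I know, ignores case and tolerates a different RDN order. A subject whose components are a permutation of "issuer DN + last RDN" would therefore still pass this check. The two-argument form, `if (!issuer.equals(X509Name.getInstance(subject), true)) {`, requires the same order and is closer to what a proxy DN rule implies. It is worth confirming against existing proxy chains before tightening. The surrounding method is only partly visible in this hunk.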
@@ -403,36 +402,6 @@ public static boolean[] getKeyUsage(X509Extension ext)
return keyUsage;
}
- /**
- * Creates a BasicConstraints
object from given
- * extension.
- *
- * @param ext the extension.
- * @return the BasicConstraints
object.
- * @exception IOException if something fails.
- */
- public static BasicConstraints getBasicConstraints(X509Extension ext)
- throws IOException {
- DERObject obj = BouncyCastleUtil.getExtensionObject(ext);
- if (obj instanceof ASN1Sequence) {
- ASN1Sequence seq = (ASN1Sequence)obj;
- int size = seq.size();
- if (size == 0) {
- return new BasicConstraints(false);
- } else if (size == 1) {
- DEREncodable value = seq.getObjectAt(0);
- if (value instanceof DERInteger) {
- int length = ((DERInteger)value).getValue().intValue();
- return new BasicConstraints(false, length);
- } else if (value instanceof DERBoolean) {
- boolean ca = ((DERBoolean)value).isTrue();
- return new BasicConstraints(ca);
- }
- }
- }
- return BasicConstraints.getInstance(obj);
- }
-
/**
* Creates a ProxyCertInfo
object from given
* extension.
@@ -531,7 +500,7 @@ public static byte[] getExtensionValue(byte [] certExtValue)
throws IOException {
ByteArrayInputStream inStream = new ByteArrayInputStream(certExtValue);
ASN1InputStream derInputStream = new ASN1InputStream(inStream);
- DERObject object = derInputStream.readObject();
+ ASN1Primitive object = derInputStream.readObject();
if (object instanceof ASN1OctetString) {
return ((ASN1OctetString)object).getOctets();
} else {
diff --git a/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleX509Extension.java b/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleX509Extension.java
index 9d67a072..ab8b1900 100644
--- a/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleX509Extension.java
+++ b/ssl-proxies/src/main/java/org/globus/gsi/bc/BouncyCastleX509Extension.java
@@ -16,7 +16,7 @@
import java.io.IOException;
-import org.bouncycastle.asn1.DEREncodable;
+import org.bouncycastle.asn1.ASN1Encodable;
import org.globus.gsi.X509Extension;
@@ -36,22 +36,22 @@ public BouncyCastleX509Extension(String oid) {
this(oid, false, null);
}
- public BouncyCastleX509Extension(String oid, DEREncodable value) {
+ public BouncyCastleX509Extension(String oid, ASN1Encodable value) {
this(oid, false, value);
}
public BouncyCastleX509Extension(String oid, boolean critical,
- DEREncodable value) {
+ ASN1Encodable value) {
super(oid, critical, null);
setValue(value);
}
- protected void setValue(DEREncodable value) {
+ protected void setValue(ASN1Encodable value) {
if (value == null) {
return;
}
try {
- setValue(BouncyCastleUtil.toByteArray(value.getDERObject()));
+ setValue(BouncyCastleUtil.toByteArray(value.toASN1Primitive()));
} catch (IOException e) {
throw new RuntimeException(i18n.getMessage("byteArrayErr") +
e.getMessage());
diff --git a/ssl-proxies/src/main/java/org/globus/gsi/bc/X509NameHelper.java b/ssl-proxies/src/main/java/org/globus/gsi/bc/X509NameHelper.java
index b21a3eb8..f85c3a6f 100644
--- a/ssl-proxies/src/main/java/org/globus/gsi/bc/X509NameHelper.java
+++ b/ssl-proxies/src/main/java/org/globus/gsi/bc/X509NameHelper.java
@@ -21,11 +21,13 @@
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
+import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
-import org.bouncycastle.asn1.DERString;
+import org.bouncycastle.asn1.x500.RDN;
+import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.X509Name;
/**
@@ -44,6 +46,21 @@ public X509NameHelper(ASN1Sequence seq) {
this.seq = seq;
}
+ /**
+ * Creates an instance using existing {@link X500Name X500Name}
+ * object.
+ * This behaves like a copy constructor.
+ *
+ * @param name existing X500Name
+ */
+ public X509NameHelper(X500Name name) {
+ try {
+ this.seq = (ASN1Sequence)BouncyCastleUtil.duplicate(name.toASN1Primitive());
+ } catch (IOException e) {
+ throw new RuntimeException(e.getMessage());
+ }
+ }
+
/**
* Creates an instance using existing {@link X509Name X509Name}
* object.
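Review bot: The new `X509NameHelper(X500Name)` constructor rethrows with `new RuntimeException(e.getMessage())`, which discards the IOException and its stack trace. `throw new RuntimeException(e.getMessage(), e);` keeps the cause. The existing `X509Name` constructor touched in the next hunk has the same pattern and could be fixed alongside. A null `name` also reaches `name.toASN1Primitive()` unchecked, so the Javadoc should state that `name` must not be null, or the constructor should reject it explicitly.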
@@ -53,7 +70,7 @@ public X509NameHelper(ASN1Sequence seq) {
*/
public X509NameHelper(X509Name name) {
try {
- this.seq = (ASN1Sequence)BouncyCastleUtil.duplicate(name.getDERObject());
+ this.seq = (ASN1Sequence)BouncyCastleUtil.duplicate(name.toASN1Primitive());
} catch (IOException e) {
throw new RuntimeException(e.getMessage());
}
@@ -72,8 +89,8 @@ public X509Name getAsName() {
* Appends the specified OID and value pair name component to the end of the
* current name.
*
- * @param oid the name component oid, e.g. {@link X509Name#CN
- * X509Name.CN}
+ * @param oid the name component oid, e.g. {@link org.bouncycastle.asn1.x500.style.BCStyle#CN
+ * BCStyle.CN}
* @param value the value (e.g. "proxy")
*/
public void add(
@@ -125,10 +142,10 @@ public ASN1Set getLastNameEntry() {
*
* @return the last name component. Null if there is none.
*/
- public static ASN1Set getLastNameEntry(X509Name name) {
- ASN1Sequence seq = (ASN1Sequence) name.getDERObject();
- int size = seq.size();
- return (size > 0) ? (ASN1Set) seq.getObjectAt(size - 1) : null;
+ public static ASN1Set getLastNameEntry(X500Name name) {
+ RDN[] rdns = name.getRDNs();
+ int size = rdns.length;
+ return (size > 0) ? (ASN1Set) rdns[size - 1].toASN1Primitive() : null;
}
/**
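Review bot: `getLastNameEntry(X500Name)` dereferences `name` immediately, whereas the neighbouring `toString(X509Name)` returns null for a null argument. Adding `if (name == null) { return null; }` would match the documented "Null if there is none" contract. Changing the parameter type also removes the `X509Name` overload of this public static method, so any caller outside this commit that still holds an `X509Name` stops compiling. If that matters, a thin overload converting with `X500Name.getInstance(name.toASN1Primitive())` would keep such callers working.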
@@ -142,7 +159,7 @@ public static String toString(X509Name name) {
if (name == null) {
return null;
}
- return toString((ASN1Sequence)name.getDERObject());
+ return toString((ASN1Sequence)name.toASN1Primitive());
}
private static String toString(ASN1Sequence seq) {
@@ -159,14 +176,14 @@ private static String toString(ASN1Sequence seq) {
while (ee.hasMoreElements()) {
ASN1Sequence s = (ASN1Sequence)ee.nextElement();
DERObjectIdentifier oid = (DERObjectIdentifier)s.getObjectAt(0);
- String sym = (String)X509Name.OIDLookUp.get(oid);
+ String sym = (String)X509Name.DefaultSymbols.get(oid);
if (sym == null) {
buf.append(oid.getId());
} else {
buf.append(sym);
}
buf.append('=');
- buf.append(((DERString)s.getObjectAt(1)).getString());
+ buf.append(((ASN1String)s.getObjectAt(1)).getString());
if (ee.hasMoreElements()) {
buf.append('+');
}
diff --git a/ssl-proxies/src/main/java/org/globus/gsi/proxy/ext/ProxyCertInfo.java b/ssl-proxies/src/main/java/org/globus/gsi/proxy/ext/ProxyCertInfo.java
index cd7c0bdd..409eb43c 100644
--- a/ssl-proxies/src/main/java/org/globus/gsi/proxy/ext/ProxyCertInfo.java
+++ b/ssl-proxies/src/main/java/org/globus/gsi/proxy/ext/ProxyCertInfo.java
@@ -20,11 +20,11 @@
import java.io.IOException;
+import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
+import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.DEREncodable;
import org.bouncycastle.asn1.DERInteger;
-import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERSequence;
/**
@@ -34,7 +34,7 @@
* ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER (0..MAX) OPTIONAL, proxyPolicy ProxyPolicy }
*
*/
-public class ProxyCertInfo implements DEREncodable {
+public class ProxyCertInfo implements ASN1Encodable {
/** ProxyCertInfo extension OID */
public static final DERObjectIdentifier OID
@@ -111,9 +111,9 @@ public static ProxyCertInfo getInstance(Object obj) {
} else if (obj instanceof ASN1Sequence) {
return new ProxyCertInfo((ASN1Sequence) obj);
} else if (obj instanceof byte[]) {
- DERObject derObj;
+ ASN1Primitive derObj;
try {
- derObj = CertificateUtil.toDERObject((byte[]) obj);
+ derObj = CertificateUtil.toASN1Primitive((byte[]) obj);
} catch (IOException e) {
throw new IllegalArgumentException(e.getMessage(), e);
}
@@ -129,14 +129,14 @@ public static ProxyCertInfo getInstance(Object obj) {
*
* @return DERObject
the encoded representation of the extension.
*/
- public DERObject getDERObject() {
+ public ASN1Primitive toASN1Primitive() {
ASN1EncodableVector vec = new ASN1EncodableVector();
if (this.pathLenConstraint != null) {
vec.add(this.pathLenConstraint);
}
- vec.add(this.proxyPolicy.getDERObject());
+ vec.add(this.proxyPolicy.toASN1Primitive());
return new DERSequence(vec);
}
diff --git a/ssl-proxies/src/main/java/org/globus/gsi/proxy/ext/ProxyPolicy.java b/ssl-proxies/src/main/java/org/globus/gsi/proxy/ext/ProxyPolicy.java
index e340c258..24a298f6 100644
--- a/ssl-proxies/src/main/java/org/globus/gsi/proxy/ext/ProxyPolicy.java
+++ b/ssl-proxies/src/main/java/org/globus/gsi/proxy/ext/ProxyPolicy.java
@@ -14,10 +14,10 @@
*/
package org.globus.gsi.proxy.ext;
+import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
+import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.DEREncodable;
-import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
@@ -27,7 +27,7 @@
* Represents the policy part of the ProxyCertInfo extension.
* ProxyPolicy ::= SEQUENCE { policyLanguage OBJECT IDENTIFIER, policy OCTET STRING OPTIONAL }
*/
-public class ProxyPolicy implements DEREncodable {
+public class ProxyPolicy implements ASN1Encodable {
/**
* Impersonation proxy OID
@@ -58,7 +58,7 @@ public ProxyPolicy(ASN1Sequence seq) {
}
this.policyLanguage = (DERObjectIdentifier) seq.getObjectAt(0);
if (seq.size() > 1) {
- DEREncodable obj = seq.getObjectAt(1);
+ ASN1Encodable obj = seq.getObjectAt(1);
if (obj instanceof DERTaggedObject) {
obj = ((DERTaggedObject) obj).getObject();
}
@@ -133,7 +133,7 @@ public ProxyPolicy(DERObjectIdentifier policyLanguage) {
* @return DERObject
the encoded representation of the proxy
* policy.
*/
- public DERObject getDERObject() {
+ public ASN1Primitive toASN1Primitive() {
ASN1EncodableVector vec = new ASN1EncodableVector();
diff --git a/ssl-proxies/src/main/java/org/globus/gsi/trustmanager/X509ProxyCertPathValidator.java b/ssl-proxies/src/main/java/org/globus/gsi/trustmanager/X509ProxyCertPathValidator.java
index 7ed5a081..8f241026 100644
--- a/ssl-proxies/src/main/java/org/globus/gsi/trustmanager/X509ProxyCertPathValidator.java
+++ b/ssl-proxies/src/main/java/org/globus/gsi/trustmanager/X509ProxyCertPathValidator.java
@@ -500,12 +500,12 @@ protected void checkProxyConstraints(TBSCertificateStructure proxy, TBSCertifica
while (e.hasMoreElements()) {
oid = (DERObjectIdentifier) e.nextElement();
proxyExtension = extensions.getExtension(oid);
- if (oid.equals(X509Extensions.SubjectAlternativeName)
- || oid.equals(X509Extensions.IssuerAlternativeName)) {
+ if (oid.equals(X509Extension.subjectAlternativeName)
+ || oid.equals(X509Extension.issuerAlternativeName)) {
// No Alt name extensions - 3.2 & 3.5
throw new CertPathValidatorException(
"Proxy violation: no Subject or Issuer Alternative Name");
- } else if (oid.equals(X509Extensions.BasicConstraints)) {
+ } else if (oid.equals(X509Extension.basicConstraints)) {
// Basic Constraint must not be true - 3.8
BasicConstraints basicExt =
CertificateUtil.getBasicConstraints(proxyExtension);
@@ -513,7 +513,7 @@ protected void checkProxyConstraints(TBSCertificateStructure proxy, TBSCertifica
throw new CertPathValidatorException(
"Proxy violation: Basic Constraint CA is set to true");
}
- } else if (oid.equals(X509Extensions.KeyUsage)) {
+ } else if (oid.equals(X509Extension.keyUsage)) {
proxyKeyUsage = proxyExtension;
checkKeyUsage(issuer, proxyExtension);
@@ -543,7 +543,7 @@ private void checkKeyUsage(TBSCertificateStructure issuer, X509Extension proxyEx
}
private void checkExtension(DERObjectIdentifier oid, X509Extension proxyExtension, X509Extension proxyKeyUsage) throws CertPathValidatorException {
- if (oid.equals(X509Extensions.KeyUsage)) {
+ if (oid.equals(X509Extension.keyUsage)) {
// If issuer has it then proxy must have it also
if (proxyKeyUsage == null) {
throw new CertPathValidatorException(
diff --git a/ssl-proxies/src/main/java/org/globus/gsi/util/CertificateIOUtil.java b/ssl-proxies/src/main/java/org/globus/gsi/util/CertificateIOUtil.java
index 00ca7d6d..c3d4ca77 100644
--- a/ssl-proxies/src/main/java/org/globus/gsi/util/CertificateIOUtil.java
+++ b/ssl-proxies/src/main/java/org/globus/gsi/util/CertificateIOUtil.java
@@ -107,7 +107,7 @@ public static byte[] encodePrincipal(X500Principal subject) throws IOException {
public static byte[] encodePrincipal(X509Name subject) throws IOException {
ByteArrayOutputStream bout = new ByteArrayOutputStream();
DEROutputStream der = new DEROutputStream(bout);
- der.writeObject(subject.getDERObject());
+ der.writeObject(subject.toASN1Primitive());
return bout.toByteArray();
}
diff --git a/ssl-proxies/src/main/java/org/globus/gsi/util/CertificateUtil.java b/ssl-proxies/src/main/java/org/globus/gsi/util/CertificateUtil.java
index 778cb7ab..b41ffc7a 100644
--- a/ssl-proxies/src/main/java/org/globus/gsi/util/CertificateUtil.java
+++ b/ssl-proxies/src/main/java/org/globus/gsi/util/CertificateUtil.java
@@ -18,12 +18,14 @@
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Object;
+import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
+import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.DERBitString;
-import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERObjectIdentifier;
-import org.bouncycastle.asn1.DERString;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.TBSCertificateStructure;
import org.bouncycastle.asn1.x509.X509Extension;
@@ -188,7 +190,7 @@ public static int getCAPathConstraint(TBSCertificateStructure crt)
return -1;
}
X509Extension proxyExtension =
- extensions.getExtension(X509Extensions.BasicConstraints);
+ extensions.getExtension(X509Extension.basicConstraints);
if (proxyExtension != null) {
BasicConstraints basicExt =
getBasicConstraints(proxyExtension);
@@ -282,7 +284,7 @@ public static GSIConstants.CertificateType getCertificateType(
X509Extension ext = null;
if (extensions != null) {
- ext = extensions.getExtension(X509Extensions.BasicConstraints);
+ ext = extensions.getExtension(X509Extension.basicConstraints);
if (ext != null) {
BasicConstraints basicExt = getBasicConstraints(ext);
if (basicExt.isCA()) {
@@ -294,11 +296,11 @@ public static GSIConstants.CertificateType getCertificateType(
GSIConstants.CertificateType type = GSIConstants.CertificateType.EEC;
// does not handle multiple AVAs
- X509Name subject = crt.getSubject();
+ X500Name subject = crt.getSubject();
ASN1Set entry = X509NameHelper.getLastNameEntry(subject);
ASN1Sequence ava = (ASN1Sequence) entry.getObjectAt(0);
- if (X509Name.CN.equals(ava.getObjectAt(0))) {
+ if (BCStyle.CN.equals(ava.getObjectAt(0))) {
type = processCN(extensions, type, ava);
}
@@ -308,7 +310,7 @@ public static GSIConstants.CertificateType getCertificateType(
private static GSIConstants.CertificateType processCN(
X509Extensions extensions, GSIConstants.CertificateType type, ASN1Sequence ava) throws CertificateException {
X509Extension ext;
- String value = ((DERString) ava.getObjectAt(1)).getString();
+ String value = ((ASN1String) ava.getObjectAt(1)).getString();
GSIConstants.CertificateType certType = type;
if (value.equalsIgnoreCase("proxy")) {
certType = GSIConstants.CertificateType.GSI_2_PROXY;
@@ -403,7 +405,7 @@ public static BasicConstraints getBasicConstraints(X509Extension ext)
* @return the DERObject.
* @throws IOException if conversion fails
*/
- public static DERObject toDERObject(byte[] data)
+ public static ASN1Primitive toASN1Primitive(byte[] data)
throws IOException {
ByteArrayInputStream inStream = new ByteArrayInputStream(data);
ASN1InputStream derInputStream = new ASN1InputStream(inStream);
@@ -422,7 +424,7 @@ public static DERObject toDERObject(byte[] data)
public static TBSCertificateStructure getTBSCertificateStructure(
X509Certificate cert)
throws CertificateEncodingException, IOException {
- DERObject obj = toDERObject(cert.getTBSCertificate());
+ ASN1Primitive obj = toASN1Primitive(cert.getTBSCertificate());
return TBSCertificateStructure.getInstance(obj);
}
@@ -433,7 +435,7 @@ public static EnumSet getKeyUsage(TBSCertificateStructure crt)
return null;
}
X509Extension extension =
- extensions.getExtension(X509Extensions.KeyUsage);
+ extensions.getExtension(X509Extension.keyUsage);
return (extension != null) ? getKeyUsage(extension) : null;
}
@@ -461,9 +463,9 @@ public static EnumSet getKeyUsage(X509Extension ext)
* @param ext the certificate extension to extract the value from.
* @throws IOException if extraction fails.
*/
- public static DERObject getExtensionObject(X509Extension ext)
+ public static ASN1Primitive getExtensionObject(X509Extension ext)
throws IOException {
- return toDERObject(ext.getValue().getOctets());
+ return toASN1Primitive(ext.getValue().getOctets());
}
/**
diff --git a/ssl-proxies/src/test/java/org/globus/gsi/bc/BouncyCastleCertProcessingFactoryTest.java b/ssl-proxies/src/test/java/org/globus/gsi/bc/BouncyCastleCertProcessingFactoryTest.java
index b386bb1a..3525f2e3 100644
--- a/ssl-proxies/src/test/java/org/globus/gsi/bc/BouncyCastleCertProcessingFactoryTest.java
+++ b/ssl-proxies/src/test/java/org/globus/gsi/bc/BouncyCastleCertProcessingFactoryTest.java
@@ -26,6 +26,11 @@
import org.globus.gsi.proxy.ext.ProxyCertInfo;
import org.globus.gsi.proxy.ext.ProxyCertInfoExtension;
+import org.bouncycastle.asn1.ASN1Boolean;
+import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.DERBoolean;
+import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.X509Extensions;
@@ -88,9 +93,10 @@ public void testResctrictedWithOtherExt() throws Exception {
X509ExtensionSet extSet = new X509ExtensionSet();
ext = new X509Extension(oid, critical, expectedValue.getBytes());
extSet.add(ext);
-
- BasicConstraints constraints = new BasicConstraints(false, 15);
- ext = new BouncyCastleX509Extension(X509Extensions.BasicConstraints.getId(),
+
+ DERSequence seq = new DERSequence(new ASN1Encodable[] { DERBoolean.FALSE, new ASN1Integer(15) });
+ BasicConstraints constraints = BasicConstraints.getInstance(seq);
+ ext = new BouncyCastleX509Extension(org.bouncycastle.asn1.x509.X509Extension.basicConstraints.getId(),
false, constraints);
extSet.add(ext);
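Review bot: The hand-built sequence `{ DERBoolean.FALSE, new ASN1Integer(15) }` encodes an explicit cA=FALSE together with a path length, which is not what a conforming encoder would emit. The test gives no hint that this is deliberate. A comment such as `// non-canonical BasicConstraints (explicit cA=FALSE plus pathLen) to exercise lenient parsing` would make the intent clear, assuming that is the purpose. The `ASN1Boolean` import added in the import hunk above appears unused in the visible code and could be dropped.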
diff --git a/ssl-proxies/src/test/java/org/globus/gsi/proxy/ext/ProxyCertInfoTest.java b/ssl-proxies/src/test/java/org/globus/gsi/proxy/ext/ProxyCertInfoTest.java
index 37905b63..6aec13c1 100644
--- a/ssl-proxies/src/test/java/org/globus/gsi/proxy/ext/ProxyCertInfoTest.java
+++ b/ssl-proxies/src/test/java/org/globus/gsi/proxy/ext/ProxyCertInfoTest.java
@@ -24,7 +24,7 @@
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROutputStream;
-import org.bouncycastle.asn1.DERObject;
+import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import junit.framework.TestCase;
@@ -63,7 +63,7 @@ public void testParseProxyCertInfo() throws Exception {
ByteArrayInputStream bIn =
new ByteArrayInputStream(bOut.toByteArray());
ASN1InputStream dIn = new ASN1InputStream(bIn);
- DERObject obj = dIn.readObject();
+ ASN1Primitive obj = dIn.readObject();
assertTrue(obj instanceof ASN1Sequence);
@@ -112,7 +112,7 @@ public void testCreateProxyCertInfo2() throws Exception {
ByteArrayInputStream bIn =
new ByteArrayInputStream(bOut.toByteArray());
ASN1InputStream dIn = new ASN1InputStream(bIn);
- DERObject obj = dIn.readObject();
+ ASN1Primitive obj = dIn.readObject();
ProxyCertInfo testInfo = new ProxyCertInfo((ASN1Sequence)obj);