
Trust Specific Root CA Certificates


Demonstrates how to trust specific root CA certificates and none others.


uses
    Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
    Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, TrustedRoots, Cert, Http;

...

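procedure TForm1.Button1Click(Sender: TObject);
var
success: Boolean;
tRoots: HCkTrustedRoots;
caCert: HCkCert;
http: HCkHttp;

  // Loads one DER-encoded root CA certificate from disk and adds it to the
  // TrustedRoots object.  Returns False (after logging LastErrorText) if either
  // step fails, so an unreadable or rejected root is never silently dropped
  // from the set of trust anchors the example intends to pin.
  function AddRootFromFile(const path: string): Boolean;
  begin
    Result := CkCert_LoadFromFile(caCert, PWideChar(path));
    if not Result then
      begin
        Memo1.Lines.Add('Failed to load root CA certificate: ' + path);
        Memo1.Lines.Add(CkCert__lastErrorText(caCert));
        Exit;
      end;
    Result := CkTrustedRoots_AddCert(tRoots, caCert);
    if not Result then
      Memo1.Lines.Add('Failed to add root CA certificate to trusted roots: ' + path);
  end;

begin
// This example assumes the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// This example will trust the Amazon root CA certificates provided at
// https://www.amazontrust.com/repository/

// I've previously downloaded the root CA certificates to DER format.
// Add each to the Chilkat TrustedRoots singleton object.

// All three Chilkat handles are created up front and released in the finally
// block, so every early Exit below (load failure, activation failure, download
// failure) still disposes them instead of leaking the handles.
tRoots := CkTrustedRoots_Create();
caCert := CkCert_Create();
http := CkHttp_Create();
try
  // Every load/add is checked: stopping at the first failure guarantees the
  // activated trust set is exactly the set of roots listed here.
  if not AddRootFromFile('qa_data/certs/aws_root_ca/AmazonRootCA1.cer') then
    Exit;
  if not AddRootFromFile('qa_data/certs/aws_root_ca/AmazonRootCA2.cer') then
    Exit;
  if not AddRootFromFile('qa_data/certs/aws_root_ca/AmazonRootCA3.cer') then
    Exit;
  if not AddRootFromFile('qa_data/certs/aws_root_ca/AmazonRootCA4.cer') then
    Exit;
  if not AddRootFromFile('qa_data/certs/aws_root_ca/SFSRootCAG2.cer') then
    Exit;

  // Indicate we don't want to automatically trust the operating system's installed root CA certificates.
  // On a Windows operating system, this would be the registry-based CA certificate stores.
  // On a Linux system, this could be /etc/ssl/certs/ca-certificates.crt, if it exists.
  CkTrustedRoots_putTrustSystemCaRoots(tRoots, False);

  // Activate the trusted roots object.
  // Once activated, all Chilkat objects that use TLS connections (HTTP, REST, Socket, MailMan, IMAP, FTP, etc.)
  // will fail the TLS handshake if the server certificate is not verified and rooted with one of our explicitly trusted root certificates.
  // Activation is checked explicitly: if it fails, TLS peers would still be validated against
  // whatever roots were in effect before, not the pinned set above.
  success := CkTrustedRoots_Activate(tRoots);
  if not success then
    begin
      Memo1.Lines.Add('Failed to activate trusted roots.');
      Memo1.Lines.Add(CkTrustedRoots__lastErrorText(tRoots));
      Exit;
    end;

  // Note: We also need to explicitly indicate that server certificates are to be verified.
  // Without this the trusted-roots restriction is not enforced on the HTTP object.
  CkHttp_putRequireSslCertVerify(http, True);

  // For example, the following should fail because www.chilkatsoft.com's server certificate is not rooted in one of the explicitly trusted root CA certs.
  success := CkHttp_Download(http, 'https://www.chilkatsoft.com/helloWorld.txt', 'qa_output/helloWorld.txt');
  if success then
    begin
      // A successful download here means the pinned trust set is NOT being enforced
      // (e.g. activation or RequireSslCertVerify did not take effect); treat it as a failure
      // rather than continuing as if the configuration were correct.
      Memo1.Lines.Add('Unexpected: download from a server outside the trusted roots succeeded.');
      Exit;
    end;
  // The expected failure; LastErrorText should indicate that we were "Unable to build certificate chain to root.."
  Memo1.Lines.Add(CkHttp__lastErrorText(http));

  // However, we should be able to make TLS connections to good.sca1a.amazontrust.com
  success := CkHttp_Download(http, 'https://good.sca1a.amazontrust.com/', 'qa_output/valid.html');
  if not success then
    begin
      Memo1.Lines.Add(CkHttp__lastErrorText(http));
      Exit;
    end;

  // We can still examine the LastErrorText and we'll find this message within:
  // "The public key was successfully validated against the public key of the explicitly trusted root cert."
  Memo1.Lines.Add(CkHttp__lastErrorText(http));

  Memo1.Lines.Add('Success!');
finally
  CkTrustedRoots_Dispose(tRoots);
  CkCert_Dispose(caCert);
  CkHttp_Dispose(http);
end;

end;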