(Unicode C++) Generate a CSR with keyUsage, extKeyUsage, and other Extensions

See more CSR Examples

Demonstrates how to generate a CSR containing a 1.2.840.113549.1.9.14 extensionRequest with the following extensions:

• 1.3.6.1.4.1.311.20.2 enrollCerttypeExtension
• 2.5.29.15 keyUsage
• 2.5.29.37 extKeyUsage
• 2.5.29.14 subjectKeyIdentifier

Chilkat C/C++ Library Downloads
MS Visual C/C++ Linux/CentOS C/C++ Alpine Linux C/C++ MAC OS X C/C++	armhf/aarch64 C/C++ C++ Builder iOS C/C++ Android C/C++	Solaris C/C++ MinGW C/C++

#include <CkEccW.h>
#include <CkPrngW.h>
#include <CkPrivateKeyW.h>
#include <CkCsrW.h>
#include <CkBinDataW.h>
#include <CkXmlW.h>
#include <CkPublicKeyW.h>

void ChilkatSample(void)
    {
    // This requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    // This example will generate a secp256r1 ECDSA key for the CSR.
    CkEccW ecc;
    CkPrngW prng;

    CkPrivateKeyW *privKey = ecc.GenEccKey(L"secp256r1",prng);
    if (ecc.get_LastMethodSuccess() == false) {
        wprintf(L"Failed to generate a new ECDSA private key.\n");
        return;
    }

    CkCsrW csr;

    // Add common CSR fields:
    csr.put_CommonName(L"mysubdomain.mydomain.com");
    csr.put_Country(L"GB");
    csr.put_State(L"Yorks");
    csr.put_Locality(L"York");
    csr.put_Company(L"Internet Widgits Pty Ltd");
    csr.put_EmailAddress(L"support@mydomain.com");

    // Add the following 1.2.840.113549.1.9.14 extensionRequest
    // Note: The easiest way to know the content and format of the XML to be added is to examine
    // a pre-existing CSR with the same desired extensionRequest.  You can use Chilkat to
    // get the extensionRequest from an existing CSR. 

    // 
    // Here is a sample extension request:

    // <?xml version="1.0" encoding="utf-8"?>
    // <set>
    //     <sequence>
    //         <sequence>
    //             <oid>1.3.6.1.4.1.311.20.2</oid>
    //             <asnOctets>
    //                 <universal tag="30" constructed="0">AEUAbgBkAEUAbgB0AGkAdAB5AEMAbABpAGUAbgB0AEEAdQB0AGgAQwBlAHIAdABpAGYAaQBjAGEAdABl
    // AF8AQwBTAFIAUABhAHMAcwB0AGgAcgBvAHUAZwBoAC8AVgAx</universal>
    //             </asnOctets>
    //         </sequence>
    //         <sequence>
    //             <oid>2.5.29.15</oid>
    //             <bool>1</bool>
    //             <asnOctets>
    //                 <bits n="3">A0</bits>
    //             </asnOctets>
    //         </sequence>
    //         <sequence>
    //             <oid>2.5.29.37</oid>
    //             <asnOctets>
    //                 <sequence>
    //                     <oid>1.3.6.1.5.5.7.3.3</oid>
    //                 </sequence>
    //             </asnOctets>
    //         </sequence>
    //         <sequence>
    //             <oid>2.5.29.14</oid>
    //             <asnOctets>
    //                 <octets>MCzBMQAViXBz8IDt8LsgmJxJ4Xg=</octets>
    //             </asnOctets>
    //         </sequence>
    //     </sequence>
    // </set>

    // Use this online tool to generate code from sample XML: 
    // Generate Code to Create XML

    // A few notes:
    // The string "AEUAbgBkAEUAbgB0AGkAdAB5AEMAbABpAGUAbgB0AEEAdQB0AGgAQwBlAHIAdABpAGYAaQBjAGEAdABlAF8AQwBTAFIAUABhAHMAcwB0AGgAcgBvAHUAZwBoAC8AVgAx"
    // is the base64 encoding of the utf-16be byte representation of the string "EndEntityClientAuthCertificate_CSRPassthrough/V1"

    const wchar_t *s = L"EndEntityClientAuthCertificate_CSRPassthrough/V1";
    CkBinDataW bdTemp;
    bdTemp.AppendString(s,L"utf-16be");
    const wchar_t *s_base64_utf16be = bdTemp.getEncoded(L"base64");
    // The string should be "AEUA....."
    wprintf(L"%s\n",s_base64_utf16be);

    // Here's the code to generate the above extension request.

    CkXmlW xml;
    xml.put_Tag(L"set");
    xml.UpdateChildContent(L"sequence|sequence|oid",L"1.3.6.1.4.1.311.20.2");
    xml.UpdateAttrAt(L"sequence|sequence|asnOctets|universal",true,L"tag",L"30");
    xml.UpdateAttrAt(L"sequence|sequence|asnOctets|universal",true,L"constructed",L"0");
    xml.UpdateChildContent(L"sequence|sequence|asnOctets|universal",s_base64_utf16be);
    xml.UpdateChildContent(L"sequence|sequence[1]|oid",L"2.5.29.15");
    xml.UpdateChildContent(L"sequence|sequence[1]|bool",L"1");
    xml.UpdateAttrAt(L"sequence|sequence[1]|asnOctets|bits",true,L"n",L"3");
    // A0 is hex for decimal 160.
    xml.UpdateChildContent(L"sequence|sequence[1]|asnOctets|bits",L"A0");
    xml.UpdateChildContent(L"sequence|sequence[2]|oid",L"2.5.29.37");
    xml.UpdateChildContent(L"sequence|sequence[2]|asnOctets|sequence|oid",L"1.3.6.1.5.5.7.3.3");

    // This is the subjectKeyIdentifier extension.
    // The string "MCzBMQAViXBz8IDt8LsgmJxJ4Xg=" is base64 that decodes to 20 bytes, which is a SHA1 hash.
    // This is simply a hash of the DER of the public key.

    CkPublicKeyW *pubKey = privKey->GetPublicKey();
    CkBinDataW bdPubKeyDer;
    bdPubKeyDer.AppendEncoded(pubKey->getEncoded(true,L"base64"),L"base64");
    const wchar_t *ski = bdPubKeyDer.getHash(L"sha1",L"base64");
    delete pubKey;

    xml.UpdateChildContent(L"sequence|sequence[3]|oid",L"2.5.29.14");
    xml.UpdateChildContent(L"sequence|sequence[3]|asnOctets|octets",ski);

    // Add the extension request to the CSR
    csr.SetExtensionRequest(xml);

    // Generate the CSR with the extension request
    const wchar_t *csrPem = csr.genCsrPem(*privKey);
    if (csr.get_LastMethodSuccess() == false) {
        wprintf(L"%s\n",csr.lastErrorText());
        delete privKey;
        return;
    }

    wprintf(L"%s\n",csrPem);

    delete privKey;
    }