Sample code for 30+ languages & platforms
Android™

Renew a DigiCert Certificate from an EST-enabled profile

See more Certificates Examples

Demonstrates how to renew a certificate from an EST-enabled profile in DigiCert​​®​​ Trust Lifecycle Manager. (The certificate must be within the renewal window configured in the certificate profile. The CSR must have same Subject DN values as the original certificate.)

Chilkat Android™ Downloads

Android™
// Important: Don't forget to include the call to System.loadLibrary
// as shown at the bottom of this code sample.
package com.test;

import android.app.Activity;
import com.chilkatsoft.*;

import android.widget.TextView;
import android.os.Bundle;

public class SimpleActivity extends Activity {

  private static final String TAG = "Chilkat";

  // Called when the activity is first created.
  @Override
  public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);

    boolean success = false;

    // This example requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    // The example below duplicates the following OpenSSL commands:
    // 
    // # Name of certificate as argument 1
    // 
    // # Make new key
    // openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem
    // 
    // # Make csr
    // openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}"
    // 
    // # Request new cert
    // curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem 
    //     --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll
    // 
    // # Convert to PEM
    // openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem

    // ------------------------------------------------------------------------------------------------------------------

    // Create a Fortuna PRNG and seed it with system entropy.
    // This will be our source of random data for generating the ECC private key.
    CkPrng fortuna = new CkPrng();
    String entropy = fortuna.getEntropy(32,"base64");
    success = fortuna.AddEntropy(entropy,"base64");

    CkEcc ec = new CkEcc();

    // Generate a random EC private key on the prime256v1 curve.
    CkPrivateKey privKey = new CkPrivateKey();
    success = ec.GenKey("prime256v1",fortuna,privKey);
    if (success != true) {
        Log.i(TAG, ec.lastErrorText());
        return;
        }

    // Create the CSR object and set properties.
    CkCsr csr = new CkCsr();

    // Specify your CN
    csr.put_CommonName("mysubdomain.mydomain.com");

    // Create the CSR using the private key.
    CkBinData bdCsr = new CkBinData();
    success = csr.GenCsrBd(privKey,bdCsr);
    if (success == false) {
        Log.i(TAG, csr.lastErrorText());
        return;
        }

    // Save the private key and CSR to files.
    privKey.SavePkcs8EncryptedPemFile("password","c:/temp/qa_output/ec_privkey.pem");

    bdCsr.WriteFile("c:/temp/qa_output/csr.pem");

    // ----------------------------------------------------------------------
    // Now do the CURL request to POST the CSR and get the new certificate.

    CkHttp http = new CkHttp();

    CkCert tlsClientCert = new CkCert();
    success = tlsClientCert.LoadFromFile("data/myTlsClientCert.pem");
    if (success == false) {
        Log.i(TAG, tlsClientCert.lastErrorText());
        return;
        }

    CkBinData bdTlsClientCertPrivKey = new CkBinData();
    success = bdTlsClientCertPrivKey.LoadFile("data/myTlsClientCert.key.pem");
    if (success == false) {
        Log.i(TAG, "Failed to load data/myTlsClientCert.key.pem");
        return;
        }

    CkPrivateKey tlsClientCertPrivKey = new CkPrivateKey();
    success = tlsClientCertPrivKey.LoadAnyFormat(bdTlsClientCertPrivKey,"");
    if (success == false) {
        Log.i(TAG, tlsClientCertPrivKey.lastErrorText());
        return;
        }

    success = tlsClientCert.SetPrivateKey(tlsClientCertPrivKey);
    if (success == false) {
        Log.i(TAG, tlsClientCert.lastErrorText());
        return;
        }

    http.SetSslClientCert(tlsClientCert);

    http.put_RequireSslCertVerify(true);

    // The body of the HTTP request contains the binary CSR.
    CkHttpResponse resp = new CkHttpResponse();
    String url = "https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll";
    success = http.HttpBd("POST",url,bdCsr,"application/pkcs10",resp);
    if (success == false) {
        Log.i(TAG, http.lastErrorText());
        return;
        }

    if (resp.get_StatusCode() != 200) {
        Log.i(TAG, "response status code = " + String.valueOf(resp.get_StatusCode()));
        Log.i(TAG, resp.bodyStr());
        Log.i(TAG, "Failed");
        return;
        }

    // The response is the Base64 DER of the new certificate.
    CkCert myNewCert = new CkCert();
    success = myNewCert.LoadFromBase64(resp.bodyStr());
    if (success == false) {
        Log.i(TAG, myNewCert.lastErrorText());
        Log.i(TAG, "Cert data = " + resp.bodyStr());
        Log.i(TAG, "Failed.");
        return;
        }

    success = myNewCert.SaveToFile("c:/temp/qa_output/myNewCert.cer");
    if (success == false) {
        Log.i(TAG, myNewCert.lastErrorText());
        Log.i(TAG, "Failed.");
        return;
        }

    Log.i(TAG, "Success.");

  }

  static {
      System.loadLibrary("chilkat");

      // Note: If the incorrect library name is passed to System.loadLibrary,
      // then you will see the following error message at application startup:
      //"The application <your-application-name> has stopped unexpectedly. Please try again."
  }
}