|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(C) Renew a DigiCert Certificate from an EST-enabled profileDemonstrates how to renew a certificate from an EST-enabled profile in DigiCert® Trust Lifecycle Manager. (The certificate must be within the renewal window configured in the certificate profile. The CSR must have same Subject DN values as the original certificate.)
#include <C_CkPrng.h> #include <C_CkEcc.h> #include <C_CkPrivateKey.h> #include <C_CkCsr.h> #include <C_CkBinData.h> #include <C_CkHttp.h> #include <C_CkCert.h> #include <C_CkHttpResponse.h> void ChilkatSample(void) { HCkPrng fortuna; const char *entropy; BOOL success; HCkEcc ec; HCkPrivateKey privKey; HCkCsr csr; HCkBinData bdCsr; HCkHttp http; HCkCert tlsClientCert; HCkBinData bdTlsClientCertPrivKey; HCkPrivateKey tlsClientCertPrivKey; HCkHttpResponse resp; HCkCert myNewCert; // This example requires the Chilkat API to have been previously unlocked. // See Global Unlock Sample for sample code. // The example below duplicates the following OpenSSL commands: // // # Name of certificate as argument 1 // // # Make new key // openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem // // # Make csr // openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}" // // # Request new cert // curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem // --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll // // # Convert to PEM // openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem // ------------------------------------------------------------------------------------------------------------------ // Create a Fortuna PRNG and seed it with system entropy. // This will be our source of random data for generating the ECC private key. fortuna = CkPrng_Create(); entropy = CkPrng_getEntropy(fortuna,32,"base64"); success = CkPrng_AddEntropy(fortuna,entropy,"base64"); ec = CkEcc_Create(); // Generate a random EC private key on the prime256v1 curve. privKey = CkEcc_GenEccKey(ec,"prime256v1",fortuna); if (CkEcc_getLastMethodSuccess(ec) != TRUE) { printf("%s\n",CkEcc_lastErrorText(ec)); CkPrng_Dispose(fortuna); CkEcc_Dispose(ec); return; } // Create the CSR object and set properties. csr = CkCsr_Create(); // Specify your CN CkCsr_putCommonName(csr,"mysubdomain.mydomain.com"); // Create the CSR using the private key. bdCsr = CkBinData_Create(); success = CkCsr_GenCsrBd(csr,privKey,bdCsr); if (success == FALSE) { printf("%s\n",CkCsr_lastErrorText(csr)); CkPrivateKey_Dispose(privKey); CkPrng_Dispose(fortuna); CkEcc_Dispose(ec); CkCsr_Dispose(csr); CkBinData_Dispose(bdCsr); return; } // Save the private key and CSR to files. CkPrivateKey_SavePkcs8EncryptedPemFile(privKey,"password","c:/temp/qa_output/ec_privkey.pem"); CkPrivateKey_Dispose(privKey); CkBinData_WriteFile(bdCsr,"c:/temp/qa_output/csr.pem"); // ---------------------------------------------------------------------- // Now do the CURL request to POST the CSR and get the new certificate. http = CkHttp_Create(); tlsClientCert = CkCert_Create(); success = CkCert_LoadFromFile(tlsClientCert,"data/myTlsClientCert.pem"); if (success == FALSE) { printf("%s\n",CkCert_lastErrorText(tlsClientCert)); CkPrng_Dispose(fortuna); CkEcc_Dispose(ec); CkCsr_Dispose(csr); CkBinData_Dispose(bdCsr); CkHttp_Dispose(http); CkCert_Dispose(tlsClientCert); return; } bdTlsClientCertPrivKey = CkBinData_Create(); success = CkBinData_LoadFile(bdTlsClientCertPrivKey,"data/myTlsClientCert.key.pem"); if (success == FALSE) { printf("Failed to load data/myTlsClientCert.key.pem\n"); CkPrng_Dispose(fortuna); CkEcc_Dispose(ec); CkCsr_Dispose(csr); CkBinData_Dispose(bdCsr); CkHttp_Dispose(http); CkCert_Dispose(tlsClientCert); CkBinData_Dispose(bdTlsClientCertPrivKey); return; } tlsClientCertPrivKey = CkPrivateKey_Create(); success = CkPrivateKey_LoadAnyFormat(tlsClientCertPrivKey,bdTlsClientCertPrivKey,""); if (success == FALSE) { printf("%s\n",CkPrivateKey_lastErrorText(tlsClientCertPrivKey)); CkPrng_Dispose(fortuna); CkEcc_Dispose(ec); CkCsr_Dispose(csr); CkBinData_Dispose(bdCsr); CkHttp_Dispose(http); CkCert_Dispose(tlsClientCert); CkBinData_Dispose(bdTlsClientCertPrivKey); CkPrivateKey_Dispose(tlsClientCertPrivKey); return; } success = CkCert_SetPrivateKey(tlsClientCert,tlsClientCertPrivKey); if (success == FALSE) { printf("%s\n",CkCert_lastErrorText(tlsClientCert)); CkPrng_Dispose(fortuna); CkEcc_Dispose(ec); CkCsr_Dispose(csr); CkBinData_Dispose(bdCsr); CkHttp_Dispose(http); CkCert_Dispose(tlsClientCert); CkBinData_Dispose(bdTlsClientCertPrivKey); CkPrivateKey_Dispose(tlsClientCertPrivKey); return; } CkHttp_SetSslClientCert(http,tlsClientCert); CkHttp_putRequireSslCertVerify(http,TRUE); // The body of the HTTP request contains the binary CSR. resp = CkHttp_PBinaryBd(http,"POST","https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll",bdCsr,"application/pkcs10",FALSE,FALSE); if (CkHttp_getLastMethodSuccess(http) == FALSE) { printf("%s\n",CkHttp_lastErrorText(http)); CkPrng_Dispose(fortuna); CkEcc_Dispose(ec); CkCsr_Dispose(csr); CkBinData_Dispose(bdCsr); CkHttp_Dispose(http); CkCert_Dispose(tlsClientCert); CkBinData_Dispose(bdTlsClientCertPrivKey); CkPrivateKey_Dispose(tlsClientCertPrivKey); return; } if (CkHttpResponse_getStatusCode(resp) != 200) { printf("response status code = %d\n",CkHttpResponse_getStatusCode(resp)); printf("%s\n",CkHttpResponse_bodyStr(resp)); printf("Failed\n"); CkHttpResponse_Dispose(resp); CkPrng_Dispose(fortuna); CkEcc_Dispose(ec); CkCsr_Dispose(csr); CkBinData_Dispose(bdCsr); CkHttp_Dispose(http); CkCert_Dispose(tlsClientCert); CkBinData_Dispose(bdTlsClientCertPrivKey); CkPrivateKey_Dispose(tlsClientCertPrivKey); return; } // The response is the Base64 DER of the new certificate. myNewCert = CkCert_Create(); success = CkCert_LoadFromBase64(myNewCert,CkHttpResponse_bodyStr(resp)); if (success == FALSE) { printf("%s\n",CkCert_lastErrorText(myNewCert)); printf("Cert data = %s\n",CkHttpResponse_bodyStr(resp)); printf("Failed.\n"); CkHttpResponse_Dispose(resp); CkPrng_Dispose(fortuna); CkEcc_Dispose(ec); CkCsr_Dispose(csr); CkBinData_Dispose(bdCsr); CkHttp_Dispose(http); CkCert_Dispose(tlsClientCert); CkBinData_Dispose(bdTlsClientCertPrivKey); CkPrivateKey_Dispose(tlsClientCertPrivKey); CkCert_Dispose(myNewCert); return; } CkHttpResponse_Dispose(resp); success = CkCert_SaveToFile(myNewCert,"c:/temp/qa_output/myNewCert.cer"); if (success == FALSE) { printf("%s\n",CkCert_lastErrorText(myNewCert)); printf("Failed.\n"); CkPrng_Dispose(fortuna); CkEcc_Dispose(ec); CkCsr_Dispose(csr); CkBinData_Dispose(bdCsr); CkHttp_Dispose(http); CkCert_Dispose(tlsClientCert); CkBinData_Dispose(bdTlsClientCertPrivKey); CkPrivateKey_Dispose(tlsClientCertPrivKey); CkCert_Dispose(myNewCert); return; } printf("Success.\n"); CkPrng_Dispose(fortuna); CkEcc_Dispose(ec); CkCsr_Dispose(csr); CkBinData_Dispose(bdCsr); CkHttp_Dispose(http); CkCert_Dispose(tlsClientCert); CkBinData_Dispose(bdTlsClientCertPrivKey); CkPrivateKey_Dispose(tlsClientCertPrivKey); CkCert_Dispose(myNewCert); } |
|||||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.