Sample code for 30+ languages & platforms
C

Renew a DigiCert Certificate from an EST-enabled profile

See more Certificates Examples

Demonstrates how to renew a certificate from an EST-enabled profile in DigiCert​​®​​ Trust Lifecycle Manager. (The certificate must be within the renewal window configured in the certificate profile. The CSR must have same Subject DN values as the original certificate.)

Chilkat C Downloads

C
#include <C_CkPrng.h>
#include <C_CkEcc.h>
#include <C_CkPrivateKey.h>
#include <C_CkCsr.h>
#include <C_CkBinData.h>
#include <C_CkHttp.h>
#include <C_CkCert.h>
#include <C_CkHttpResponse.h>

void ChilkatSample(void)
    {
    BOOL success;
    HCkPrng fortuna;
    const char *entropy;
    HCkEcc ec;
    HCkPrivateKey privKey;
    HCkCsr csr;
    HCkBinData bdCsr;
    HCkHttp http;
    HCkCert tlsClientCert;
    HCkBinData bdTlsClientCertPrivKey;
    HCkPrivateKey tlsClientCertPrivKey;
    HCkHttpResponse resp;
    const char *url;
    HCkCert myNewCert;

    success = FALSE;

    // This example requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    // The example below duplicates the following OpenSSL commands:
    // 
    // # Name of certificate as argument 1
    // 
    // # Make new key
    // openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem
    // 
    // # Make csr
    // openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}"
    // 
    // # Request new cert
    // curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem 
    //     --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll
    // 
    // # Convert to PEM
    // openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem

    // ------------------------------------------------------------------------------------------------------------------

    // Create a Fortuna PRNG and seed it with system entropy.
    // This will be our source of random data for generating the ECC private key.
    fortuna = CkPrng_Create();
    entropy = CkPrng_getEntropy(fortuna,32,"base64");
    success = CkPrng_AddEntropy(fortuna,entropy,"base64");

    ec = CkEcc_Create();

    // Generate a random EC private key on the prime256v1 curve.
    privKey = CkPrivateKey_Create();
    success = CkEcc_GenKey(ec,"prime256v1",fortuna,privKey);
    if (success != TRUE) {
        printf("%s\n",CkEcc_lastErrorText(ec));
        CkPrng_Dispose(fortuna);
        CkEcc_Dispose(ec);
        CkPrivateKey_Dispose(privKey);
        return;
    }

    // Create the CSR object and set properties.
    csr = CkCsr_Create();

    // Specify your CN
    CkCsr_putCommonName(csr,"mysubdomain.mydomain.com");

    // Create the CSR using the private key.
    bdCsr = CkBinData_Create();
    success = CkCsr_GenCsrBd(csr,privKey,bdCsr);
    if (success == FALSE) {
        printf("%s\n",CkCsr_lastErrorText(csr));
        CkPrng_Dispose(fortuna);
        CkEcc_Dispose(ec);
        CkPrivateKey_Dispose(privKey);
        CkCsr_Dispose(csr);
        CkBinData_Dispose(bdCsr);
        return;
    }

    // Save the private key and CSR to files.
    CkPrivateKey_SavePkcs8EncryptedPemFile(privKey,"password","c:/temp/qa_output/ec_privkey.pem");

    CkBinData_WriteFile(bdCsr,"c:/temp/qa_output/csr.pem");

    // ----------------------------------------------------------------------
    // Now do the CURL request to POST the CSR and get the new certificate.

    http = CkHttp_Create();

    tlsClientCert = CkCert_Create();
    success = CkCert_LoadFromFile(tlsClientCert,"data/myTlsClientCert.pem");
    if (success == FALSE) {
        printf("%s\n",CkCert_lastErrorText(tlsClientCert));
        CkPrng_Dispose(fortuna);
        CkEcc_Dispose(ec);
        CkPrivateKey_Dispose(privKey);
        CkCsr_Dispose(csr);
        CkBinData_Dispose(bdCsr);
        CkHttp_Dispose(http);
        CkCert_Dispose(tlsClientCert);
        return;
    }

    bdTlsClientCertPrivKey = CkBinData_Create();
    success = CkBinData_LoadFile(bdTlsClientCertPrivKey,"data/myTlsClientCert.key.pem");
    if (success == FALSE) {
        printf("Failed to load data/myTlsClientCert.key.pem\n");
        CkPrng_Dispose(fortuna);
        CkEcc_Dispose(ec);
        CkPrivateKey_Dispose(privKey);
        CkCsr_Dispose(csr);
        CkBinData_Dispose(bdCsr);
        CkHttp_Dispose(http);
        CkCert_Dispose(tlsClientCert);
        CkBinData_Dispose(bdTlsClientCertPrivKey);
        return;
    }

    tlsClientCertPrivKey = CkPrivateKey_Create();
    success = CkPrivateKey_LoadAnyFormat(tlsClientCertPrivKey,bdTlsClientCertPrivKey,"");
    if (success == FALSE) {
        printf("%s\n",CkPrivateKey_lastErrorText(tlsClientCertPrivKey));
        CkPrng_Dispose(fortuna);
        CkEcc_Dispose(ec);
        CkPrivateKey_Dispose(privKey);
        CkCsr_Dispose(csr);
        CkBinData_Dispose(bdCsr);
        CkHttp_Dispose(http);
        CkCert_Dispose(tlsClientCert);
        CkBinData_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKey_Dispose(tlsClientCertPrivKey);
        return;
    }

    success = CkCert_SetPrivateKey(tlsClientCert,tlsClientCertPrivKey);
    if (success == FALSE) {
        printf("%s\n",CkCert_lastErrorText(tlsClientCert));
        CkPrng_Dispose(fortuna);
        CkEcc_Dispose(ec);
        CkPrivateKey_Dispose(privKey);
        CkCsr_Dispose(csr);
        CkBinData_Dispose(bdCsr);
        CkHttp_Dispose(http);
        CkCert_Dispose(tlsClientCert);
        CkBinData_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKey_Dispose(tlsClientCertPrivKey);
        return;
    }

    CkHttp_SetSslClientCert(http,tlsClientCert);

    CkHttp_putRequireSslCertVerify(http,TRUE);

    // The body of the HTTP request contains the binary CSR.
    resp = CkHttpResponse_Create();
    url = "https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll";
    success = CkHttp_HttpBd(http,"POST",url,bdCsr,"application/pkcs10",resp);
    if (success == FALSE) {
        printf("%s\n",CkHttp_lastErrorText(http));
        CkPrng_Dispose(fortuna);
        CkEcc_Dispose(ec);
        CkPrivateKey_Dispose(privKey);
        CkCsr_Dispose(csr);
        CkBinData_Dispose(bdCsr);
        CkHttp_Dispose(http);
        CkCert_Dispose(tlsClientCert);
        CkBinData_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKey_Dispose(tlsClientCertPrivKey);
        CkHttpResponse_Dispose(resp);
        return;
    }

    if (CkHttpResponse_getStatusCode(resp) != 200) {
        printf("response status code = %d\n",CkHttpResponse_getStatusCode(resp));
        printf("%s\n",CkHttpResponse_bodyStr(resp));
        printf("Failed\n");
        CkPrng_Dispose(fortuna);
        CkEcc_Dispose(ec);
        CkPrivateKey_Dispose(privKey);
        CkCsr_Dispose(csr);
        CkBinData_Dispose(bdCsr);
        CkHttp_Dispose(http);
        CkCert_Dispose(tlsClientCert);
        CkBinData_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKey_Dispose(tlsClientCertPrivKey);
        CkHttpResponse_Dispose(resp);
        return;
    }

    // The response is the Base64 DER of the new certificate.
    myNewCert = CkCert_Create();
    success = CkCert_LoadFromBase64(myNewCert,CkHttpResponse_bodyStr(resp));
    if (success == FALSE) {
        printf("%s\n",CkCert_lastErrorText(myNewCert));
        printf("Cert data = %s\n",CkHttpResponse_bodyStr(resp));
        printf("Failed.\n");
        CkPrng_Dispose(fortuna);
        CkEcc_Dispose(ec);
        CkPrivateKey_Dispose(privKey);
        CkCsr_Dispose(csr);
        CkBinData_Dispose(bdCsr);
        CkHttp_Dispose(http);
        CkCert_Dispose(tlsClientCert);
        CkBinData_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKey_Dispose(tlsClientCertPrivKey);
        CkHttpResponse_Dispose(resp);
        CkCert_Dispose(myNewCert);
        return;
    }

    success = CkCert_SaveToFile(myNewCert,"c:/temp/qa_output/myNewCert.cer");
    if (success == FALSE) {
        printf("%s\n",CkCert_lastErrorText(myNewCert));
        printf("Failed.\n");
        CkPrng_Dispose(fortuna);
        CkEcc_Dispose(ec);
        CkPrivateKey_Dispose(privKey);
        CkCsr_Dispose(csr);
        CkBinData_Dispose(bdCsr);
        CkHttp_Dispose(http);
        CkCert_Dispose(tlsClientCert);
        CkBinData_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKey_Dispose(tlsClientCertPrivKey);
        CkHttpResponse_Dispose(resp);
        CkCert_Dispose(myNewCert);
        return;
    }

    printf("Success.\n");


    CkPrng_Dispose(fortuna);
    CkEcc_Dispose(ec);
    CkPrivateKey_Dispose(privKey);
    CkCsr_Dispose(csr);
    CkBinData_Dispose(bdCsr);
    CkHttp_Dispose(http);
    CkCert_Dispose(tlsClientCert);
    CkBinData_Dispose(bdTlsClientCertPrivKey);
    CkPrivateKey_Dispose(tlsClientCertPrivKey);
    CkHttpResponse_Dispose(resp);
    CkCert_Dispose(myNewCert);

    }