C
C
Renew a DigiCert Certificate from an EST-enabled profile
See more Certificates Examples
Demonstrates how to renew a certificate from an EST-enabled profile in DigiCert® Trust Lifecycle Manager. (The certificate must be within the renewal window configured in the certificate profile. The CSR must have same Subject DN values as the original certificate.)Chilkat C Downloads
#include <C_CkPrng.h>
#include <C_CkEcc.h>
#include <C_CkPrivateKey.h>
#include <C_CkCsr.h>
#include <C_CkBinData.h>
#include <C_CkHttp.h>
#include <C_CkCert.h>
#include <C_CkHttpResponse.h>
void ChilkatSample(void)
{
BOOL success;
HCkPrng fortuna;
const char *entropy;
HCkEcc ec;
HCkPrivateKey privKey;
HCkCsr csr;
HCkBinData bdCsr;
HCkHttp http;
HCkCert tlsClientCert;
HCkBinData bdTlsClientCertPrivKey;
HCkPrivateKey tlsClientCertPrivKey;
HCkHttpResponse resp;
const char *url;
HCkCert myNewCert;
success = FALSE;
// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
// The example below duplicates the following OpenSSL commands:
//
// # Name of certificate as argument 1
//
// # Make new key
// openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem
//
// # Make csr
// openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}"
//
// # Request new cert
// curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem
// --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll
//
// # Convert to PEM
// openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem
// ------------------------------------------------------------------------------------------------------------------
// Create a Fortuna PRNG and seed it with system entropy.
// This will be our source of random data for generating the ECC private key.
fortuna = CkPrng_Create();
entropy = CkPrng_getEntropy(fortuna,32,"base64");
success = CkPrng_AddEntropy(fortuna,entropy,"base64");
ec = CkEcc_Create();
// Generate a random EC private key on the prime256v1 curve.
privKey = CkPrivateKey_Create();
success = CkEcc_GenKey(ec,"prime256v1",fortuna,privKey);
if (success != TRUE) {
printf("%s\n",CkEcc_lastErrorText(ec));
CkPrng_Dispose(fortuna);
CkEcc_Dispose(ec);
CkPrivateKey_Dispose(privKey);
return;
}
// Create the CSR object and set properties.
csr = CkCsr_Create();
// Specify your CN
CkCsr_putCommonName(csr,"mysubdomain.mydomain.com");
// Create the CSR using the private key.
bdCsr = CkBinData_Create();
success = CkCsr_GenCsrBd(csr,privKey,bdCsr);
if (success == FALSE) {
printf("%s\n",CkCsr_lastErrorText(csr));
CkPrng_Dispose(fortuna);
CkEcc_Dispose(ec);
CkPrivateKey_Dispose(privKey);
CkCsr_Dispose(csr);
CkBinData_Dispose(bdCsr);
return;
}
// Save the private key and CSR to files.
CkPrivateKey_SavePkcs8EncryptedPemFile(privKey,"password","c:/temp/qa_output/ec_privkey.pem");
CkBinData_WriteFile(bdCsr,"c:/temp/qa_output/csr.pem");
// ----------------------------------------------------------------------
// Now do the CURL request to POST the CSR and get the new certificate.
http = CkHttp_Create();
tlsClientCert = CkCert_Create();
success = CkCert_LoadFromFile(tlsClientCert,"data/myTlsClientCert.pem");
if (success == FALSE) {
printf("%s\n",CkCert_lastErrorText(tlsClientCert));
CkPrng_Dispose(fortuna);
CkEcc_Dispose(ec);
CkPrivateKey_Dispose(privKey);
CkCsr_Dispose(csr);
CkBinData_Dispose(bdCsr);
CkHttp_Dispose(http);
CkCert_Dispose(tlsClientCert);
return;
}
bdTlsClientCertPrivKey = CkBinData_Create();
success = CkBinData_LoadFile(bdTlsClientCertPrivKey,"data/myTlsClientCert.key.pem");
if (success == FALSE) {
printf("Failed to load data/myTlsClientCert.key.pem\n");
CkPrng_Dispose(fortuna);
CkEcc_Dispose(ec);
CkPrivateKey_Dispose(privKey);
CkCsr_Dispose(csr);
CkBinData_Dispose(bdCsr);
CkHttp_Dispose(http);
CkCert_Dispose(tlsClientCert);
CkBinData_Dispose(bdTlsClientCertPrivKey);
return;
}
tlsClientCertPrivKey = CkPrivateKey_Create();
success = CkPrivateKey_LoadAnyFormat(tlsClientCertPrivKey,bdTlsClientCertPrivKey,"");
if (success == FALSE) {
printf("%s\n",CkPrivateKey_lastErrorText(tlsClientCertPrivKey));
CkPrng_Dispose(fortuna);
CkEcc_Dispose(ec);
CkPrivateKey_Dispose(privKey);
CkCsr_Dispose(csr);
CkBinData_Dispose(bdCsr);
CkHttp_Dispose(http);
CkCert_Dispose(tlsClientCert);
CkBinData_Dispose(bdTlsClientCertPrivKey);
CkPrivateKey_Dispose(tlsClientCertPrivKey);
return;
}
success = CkCert_SetPrivateKey(tlsClientCert,tlsClientCertPrivKey);
if (success == FALSE) {
printf("%s\n",CkCert_lastErrorText(tlsClientCert));
CkPrng_Dispose(fortuna);
CkEcc_Dispose(ec);
CkPrivateKey_Dispose(privKey);
CkCsr_Dispose(csr);
CkBinData_Dispose(bdCsr);
CkHttp_Dispose(http);
CkCert_Dispose(tlsClientCert);
CkBinData_Dispose(bdTlsClientCertPrivKey);
CkPrivateKey_Dispose(tlsClientCertPrivKey);
return;
}
CkHttp_SetSslClientCert(http,tlsClientCert);
CkHttp_putRequireSslCertVerify(http,TRUE);
// The body of the HTTP request contains the binary CSR.
resp = CkHttpResponse_Create();
url = "https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll";
success = CkHttp_HttpBd(http,"POST",url,bdCsr,"application/pkcs10",resp);
if (success == FALSE) {
printf("%s\n",CkHttp_lastErrorText(http));
CkPrng_Dispose(fortuna);
CkEcc_Dispose(ec);
CkPrivateKey_Dispose(privKey);
CkCsr_Dispose(csr);
CkBinData_Dispose(bdCsr);
CkHttp_Dispose(http);
CkCert_Dispose(tlsClientCert);
CkBinData_Dispose(bdTlsClientCertPrivKey);
CkPrivateKey_Dispose(tlsClientCertPrivKey);
CkHttpResponse_Dispose(resp);
return;
}
if (CkHttpResponse_getStatusCode(resp) != 200) {
printf("response status code = %d\n",CkHttpResponse_getStatusCode(resp));
printf("%s\n",CkHttpResponse_bodyStr(resp));
printf("Failed\n");
CkPrng_Dispose(fortuna);
CkEcc_Dispose(ec);
CkPrivateKey_Dispose(privKey);
CkCsr_Dispose(csr);
CkBinData_Dispose(bdCsr);
CkHttp_Dispose(http);
CkCert_Dispose(tlsClientCert);
CkBinData_Dispose(bdTlsClientCertPrivKey);
CkPrivateKey_Dispose(tlsClientCertPrivKey);
CkHttpResponse_Dispose(resp);
return;
}
// The response is the Base64 DER of the new certificate.
myNewCert = CkCert_Create();
success = CkCert_LoadFromBase64(myNewCert,CkHttpResponse_bodyStr(resp));
if (success == FALSE) {
printf("%s\n",CkCert_lastErrorText(myNewCert));
printf("Cert data = %s\n",CkHttpResponse_bodyStr(resp));
printf("Failed.\n");
CkPrng_Dispose(fortuna);
CkEcc_Dispose(ec);
CkPrivateKey_Dispose(privKey);
CkCsr_Dispose(csr);
CkBinData_Dispose(bdCsr);
CkHttp_Dispose(http);
CkCert_Dispose(tlsClientCert);
CkBinData_Dispose(bdTlsClientCertPrivKey);
CkPrivateKey_Dispose(tlsClientCertPrivKey);
CkHttpResponse_Dispose(resp);
CkCert_Dispose(myNewCert);
return;
}
success = CkCert_SaveToFile(myNewCert,"c:/temp/qa_output/myNewCert.cer");
if (success == FALSE) {
printf("%s\n",CkCert_lastErrorText(myNewCert));
printf("Failed.\n");
CkPrng_Dispose(fortuna);
CkEcc_Dispose(ec);
CkPrivateKey_Dispose(privKey);
CkCsr_Dispose(csr);
CkBinData_Dispose(bdCsr);
CkHttp_Dispose(http);
CkCert_Dispose(tlsClientCert);
CkBinData_Dispose(bdTlsClientCertPrivKey);
CkPrivateKey_Dispose(tlsClientCertPrivKey);
CkHttpResponse_Dispose(resp);
CkCert_Dispose(myNewCert);
return;
}
printf("Success.\n");
CkPrng_Dispose(fortuna);
CkEcc_Dispose(ec);
CkPrivateKey_Dispose(privKey);
CkCsr_Dispose(csr);
CkBinData_Dispose(bdCsr);
CkHttp_Dispose(http);
CkCert_Dispose(tlsClientCert);
CkBinData_Dispose(bdTlsClientCertPrivKey);
CkPrivateKey_Dispose(tlsClientCertPrivKey);
CkHttpResponse_Dispose(resp);
CkCert_Dispose(myNewCert);
}