DataFlex

Trust Specific Root CA Certificates


Demonstrates how to trust specific root CA certificates and none others.


DataFlex
Use ChilkatAx-win32.pkg

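// Trust only an explicit set of root CA certificates (here: the Amazon root CAs) and
// reject TLS peers that do not chain to one of them.
//
// Compared to the earlier version of this sample, every step that the security
// property depends on is now checked: loading each root, adding it to the
// TrustedRoots object, and activating the object. If any of those fail, the
// procedure stops instead of continuing with a weaker (or absent) restriction.
// There are no parameters and no return value; progress and errors are printed
// with Showln.
Procedure Test
    Boolean iSuccess
    Handle hoTRoots
    Variant vCaCert
    Handle hoCaCert
    Handle hoHttp
    String sTemp1
    String[] asRootCaFiles
    Integer iIdx

    Move False To iSuccess

    // This example assumes the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    // This example will trust the Amazon root CA certificates provided at 
    // https://www.amazontrust.com/repository/

    // I've previously downloaded the root CA certificates to DER format.
    // Add each to the Chilkat TrustedRoots singleton object.

    Get Create (RefClass(cComChilkatTrustedRoots)) To hoTRoots
    If (Not(IsComObjectCreated(hoTRoots))) Begin
        Send CreateComObject of hoTRoots
    End

    Get Create (RefClass(cComChilkatCert)) To hoCaCert
    If (Not(IsComObjectCreated(hoCaCert))) Begin
        Send CreateComObject of hoCaCert
    End

    // The root certificates to trust. Adding another root is a matter of
    // appending its path here.
    Move "qa_data/certs/aws_root_ca/AmazonRootCA1.cer" To asRootCaFiles[0]
    Move "qa_data/certs/aws_root_ca/AmazonRootCA2.cer" To asRootCaFiles[1]
    Move "qa_data/certs/aws_root_ca/AmazonRootCA3.cer" To asRootCaFiles[2]
    Move "qa_data/certs/aws_root_ca/AmazonRootCA4.cer" To asRootCaFiles[3]
    Move "qa_data/certs/aws_root_ca/SFSRootCAG2.cer" To asRootCaFiles[4]

    // Load each root and add it to the trusted set. Both return values are
    // checked: a failed load followed by an unchecked AddCert would otherwise
    // silently re-add whatever the cert object held before (or nothing), and
    // the resulting trust set would not be the one this sample intends.
    For iIdx From 0 To (SizeOfArray(asRootCaFiles) - 1)
        Get ComLoadFromFile Of hoCaCert asRootCaFiles[iIdx] To iSuccess
        If (iSuccess = False) Begin
            Get ComLastErrorText Of hoCaCert To sTemp1
            Showln sTemp1
            Procedure_Return
        End

        Get pvComObject of hoCaCert to vCaCert
        Get ComAddCert Of hoTRoots vCaCert To iSuccess
        If (iSuccess = False) Begin
            Get ComLastErrorText Of hoTRoots To sTemp1
            Showln sTemp1
            Procedure_Return
        End
    Loop

    // Indicate we don't want to automatically trust the operating system's installed root CA certificates.
    // On a Windows operating system, this would be the registry-based CA certificate stores. 
    // On a Linux system, this could be /etc/ssl/certs/ca-certificates.crt, if it exists.
    Set ComTrustSystemCaRoots Of hoTRoots To False

    // Activate the trusted roots object.
    // Once activated, all Chilkat objects that use TLS connections (HTTP, REST, Socket, MailMan, IMAP, FTP, etc.)
    // will fail the TLS handshake if the server certificate is not verified and rooted with one of our explicitly trusted root certificates.
    // The return value must be checked: if activation fails, none of the above takes effect and the
    // connections below would be verified against whatever the default trust settings are.
    Get ComActivate Of hoTRoots To iSuccess
    If (iSuccess = False) Begin
        Get ComLastErrorText Of hoTRoots To sTemp1
        Showln sTemp1
        Procedure_Return
    End

    Get Create (RefClass(cComChilkatHttp)) To hoHttp
    If (Not(IsComObjectCreated(hoHttp))) Begin
        Send CreateComObject of hoHttp
    End

    // Note: We also need to explicitly indicate that server certificates are to be verified.
    // Without this, the trusted-roots restriction is not enforced for this HTTP object.
    Set ComRequireSslCertVerify Of hoHttp To True

    // For example, the following should fail because www.chilkatsoft.com's server certificate is not rooted in one of the explicitly trusted root CA certs.
    Get ComDownload Of hoHttp "https://www.chilkatsoft.com/helloWorld.txt" "qa_output/helloWorld.txt" To iSuccess
    If (iSuccess = False) Begin
        // The above Download should fail.
        Get ComLastErrorText Of hoHttp To sTemp1
        Showln sTemp1

        // There should be a message in the LastErrorText indicating that we were "Unable to build certificate chain to root.."
    End
    Else Begin
        // A successful download here means the restriction is NOT in effect; make that visible
        // rather than letting the sample report "Success!" below.
        Showln "Unexpected: download from www.chilkatsoft.com succeeded; the trusted-roots restriction is not in effect."
        Procedure_Return
    End

    // However, we should be able to make TLS connections to good.sca1a.amazontrust.com
    Get ComDownload Of hoHttp "https://good.sca1a.amazontrust.com/" "qa_output/valid.html" To iSuccess
    If (iSuccess = False) Begin
        Get ComLastErrorText Of hoHttp To sTemp1
        Showln sTemp1
        Procedure_Return
    End

    // We can still examine the LastErrorText and we'll find this message within:  
    // "The public key was successfully validated against the public key of the explicitly trusted root cert."
    Get ComLastErrorText Of hoHttp To sTemp1
    Showln sTemp1

    Showln "Success!"


End_Procedure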