(Delphi ActiveX) Generate a CSR with keyUsage, extKeyUsage, and other Extensions

See more CSR Examples

Demonstrates how to generate a CSR containing a 1.2.840.113549.1.9.14 extensionRequest with the following extensions:

• 1.3.6.1.4.1.311.20.2 enrollCerttypeExtension
• 2.5.29.15 keyUsage
• 2.5.29.37 extKeyUsage
• 2.5.29.14 subjectKeyIdentifier

Chilkat for Delphi Downloads Chilkat ActiveX DLL for Delphi Chilkat non-ActiveX DLL for Delphi * The examples here use the ActiveX DLL.

uses
    Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
    Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, Chilkat_TLB;

...

procedure TForm1.Button1Click(Sender: TObject);
var
ecc: TChilkatEcc;
prng: TChilkatPrng;
privKey: IPrivateKey;
csr: TChilkatCsr;
s: WideString;
bdTemp: TChilkatBinData;
s_base64_utf16be: WideString;
xml: TChilkatXml;
pubKey: IPublicKey;
bdPubKeyDer: TChilkatBinData;
ski: WideString;
csrPem: WideString;

begin
// This requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// This example will generate a secp256r1 ECDSA key for the CSR.
ecc := TChilkatEcc.Create(Self);
prng := TChilkatPrng.Create(Self);

privKey := ecc.GenEccKey('secp256r1',prng.ControlInterface);
if (ecc.LastMethodSuccess = 0) then
  begin
    Memo1.Lines.Add('Failed to generate a new ECDSA private key.');
    Exit;
  end;

csr := TChilkatCsr.Create(Self);

// Add common CSR fields:
csr.CommonName := 'mysubdomain.mydomain.com';
csr.Country := 'GB';
csr.State := 'Yorks';
csr.Locality := 'York';
csr.Company := 'Internet Widgits Pty Ltd';
csr.EmailAddress := 'support@mydomain.com';

// Add the following 1.2.840.113549.1.9.14 extensionRequest
// Note: The easiest way to know the content and format of the XML to be added is to examine
// a pre-existing CSR with the same desired extensionRequest.  You can use Chilkat to
// get the extensionRequest from an existing CSR. 

// 
// Here is a sample extension request:

// <?xml version="1.0" encoding="utf-8"?>
// <set>
//     <sequence>
//         <sequence>
//             <oid>1.3.6.1.4.1.311.20.2</oid>
//             <asnOctets>
//                 <universal tag="30" constructed="0">AEUAbgBkAEUAbgB0AGkAdAB5AEMAbABpAGUAbgB0AEEAdQB0AGgAQwBlAHIAdABpAGYAaQBjAGEAdABl
// AF8AQwBTAFIAUABhAHMAcwB0AGgAcgBvAHUAZwBoAC8AVgAx</universal>
//             </asnOctets>
//         </sequence>
//         <sequence>
//             <oid>2.5.29.15</oid>
//             <bool>1</bool>
//             <asnOctets>
//                 <bits n="3">A0</bits>
//             </asnOctets>
//         </sequence>
//         <sequence>
//             <oid>2.5.29.37</oid>
//             <asnOctets>
//                 <sequence>
//                     <oid>1.3.6.1.5.5.7.3.3</oid>
//                 </sequence>
//             </asnOctets>
//         </sequence>
//         <sequence>
//             <oid>2.5.29.14</oid>
//             <asnOctets>
//                 <octets>MCzBMQAViXBz8IDt8LsgmJxJ4Xg=</octets>
//             </asnOctets>
//         </sequence>
//     </sequence>
// </set>

// Use this online tool to generate code from sample XML: 
// Generate Code to Create XML

// A few notes:
// The string "AEUAbgBkAEUAbgB0AGkAdAB5AEMAbABpAGUAbgB0AEEAdQB0AGgAQwBlAHIAdABpAGYAaQBjAGEAdABlAF8AQwBTAFIAUABhAHMAcwB0AGgAcgBvAHUAZwBoAC8AVgAx"
// is the base64 encoding of the utf-16be byte representation of the string "EndEntityClientAuthCertificate_CSRPassthrough/V1"

s := 'EndEntityClientAuthCertificate_CSRPassthrough/V1';
bdTemp := TChilkatBinData.Create(Self);
bdTemp.AppendString(s,'utf-16be');
s_base64_utf16be := bdTemp.GetEncoded('base64');
// The string should be "AEUA....."
Memo1.Lines.Add(s_base64_utf16be);

// Here's the code to generate the above extension request.

xml := TChilkatXml.Create(Self);
xml.Tag := 'set';
xml.UpdateChildContent('sequence|sequence|oid','1.3.6.1.4.1.311.20.2');
xml.UpdateAttrAt('sequence|sequence|asnOctets|universal',1,'tag','30');
xml.UpdateAttrAt('sequence|sequence|asnOctets|universal',1,'constructed','0');
xml.UpdateChildContent('sequence|sequence|asnOctets|universal',s_base64_utf16be);
xml.UpdateChildContent('sequence|sequence[1]|oid','2.5.29.15');
xml.UpdateChildContent('sequence|sequence[1]|bool','1');
xml.UpdateAttrAt('sequence|sequence[1]|asnOctets|bits',1,'n','3');
// A0 is hex for decimal 160.
xml.UpdateChildContent('sequence|sequence[1]|asnOctets|bits','A0');
xml.UpdateChildContent('sequence|sequence[2]|oid','2.5.29.37');
xml.UpdateChildContent('sequence|sequence[2]|asnOctets|sequence|oid','1.3.6.1.5.5.7.3.3');

// This is the subjectKeyIdentifier extension.
// The string "MCzBMQAViXBz8IDt8LsgmJxJ4Xg=" is base64 that decodes to 20 bytes, which is a SHA1 hash.
// This is simply a hash of the DER of the public key.

pubKey := privKey.GetPublicKey();
bdPubKeyDer := TChilkatBinData.Create(Self);
bdPubKeyDer.AppendEncoded(pubKey.GetEncoded(1,'base64'),'base64');
ski := bdPubKeyDer.GetHash('sha1','base64');

xml.UpdateChildContent('sequence|sequence[3]|oid','2.5.29.14');
xml.UpdateChildContent('sequence|sequence[3]|asnOctets|octets',ski);

// Add the extension request to the CSR
csr.SetExtensionRequest(xml.ControlInterface);

// Generate the CSR with the extension request
csrPem := csr.GenCsrPem(privKey);
if (csr.LastMethodSuccess = 0) then
  begin
    Memo1.Lines.Add(csr.LastErrorText);

    Exit;
  end;

Memo1.Lines.Add(csrPem);
end;