
Renew a DigiCert Certificate from an EST-enabled profile


Demonstrates how to renew a certificate from an EST-enabled profile in DigiCert® Trust Lifecycle Manager. The request is authenticated with the existing (still valid) certificate over mutual TLS, so the certificate being renewed must be within the renewal window configured in the certificate profile, and the CSR must carry the same Subject DN values as the original certificate. The response is the renewed certificate only; the new private key never leaves this machine.


#import <CkoPrng.h>
#import <NSString.h>
#import <CkoEcc.h>
#import <CkoPrivateKey.h>
#import <CkoCsr.h>
#import <CkoBinData.h>
#import <CkoHttp.h>
#import <CkoCert.h>
#import <CkoHttpResponse.h>

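BOOL success = NO;

// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// The example below duplicates the following OpenSSL commands:
// 
// # Name of certificate as argument 1
// 
// # Make new key
// openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem
// 
// # Make csr
// openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}"
// 
// # Request new cert
// curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem 
//     --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll
// 
// # Convert to PEM
// openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem

// ------------------------------------------------------------------------------------------------------------------

// Create a Fortuna PRNG and seed it with system entropy.
// This will be our source of random data for generating the ECC private key.
// Both the entropy fetch and the seeding are checked: a key generated from an
// unseeded PRNG must never be used, so a failure here aborts the whole flow.
CkoPrng *fortuna = [[CkoPrng alloc] init];
NSString *entropy = [fortuna GetEntropy: [NSNumber numberWithInt: 32] encoding: @"base64"];
if (entropy == nil) {
    NSLog(@"%@",fortuna.LastErrorText);
    return;
}
success = [fortuna AddEntropy: entropy encoding: @"base64"];
if (!success) {
    NSLog(@"%@",fortuna.LastErrorText);
    return;
}

CkoEcc *ec = [[CkoEcc alloc] init];

// Generate a random EC private key on the prime256v1 curve (the same curve as the
// "openssl ecparam" step above).  Like the OpenSSL flow, the renewed certificate
// gets a freshly generated key rather than reusing the key of the old certificate.
CkoPrivateKey *privKey = [[CkoPrivateKey alloc] init];
success = [ec GenKey: @"prime256v1" prng: fortuna privKey: privKey];
if (!success) {
    NSLog(@"%@",ec.LastErrorText);
    return;
}

// Create the CSR object and set properties.
CkoCsr *csr = [[CkoCsr alloc] init];

// Specify your CN.  For a renewal the Subject DN must match the original
// certificate (see the description above), so set any additional DN fields
// (O, OU, C, ...) here exactly as they appear in the certificate being renewed.
csr.CommonName = @"mysubdomain.mydomain.com";

// Create the CSR using the private key.  GenCsrBd produces the DER-encoded
// PKCS#10 request; this is the exact byte string that is POSTed below as
// application/pkcs10.
CkoBinData *bdCsr = [[CkoBinData alloc] init];
success = [csr GenCsrBd: privKey csrData: bdCsr];
if (!success) {
    NSLog(@"%@",csr.LastErrorText);
    return;
}

// Save the private key and CSR to files.
// SECURITY: the PKCS#8 passphrase and the output paths are placeholders for this
// example.  In real code obtain the passphrase from a secret store rather than a
// literal in source, and write the key to a location with restrictive permissions.
// The save is checked: silently continuing after a failed key write would leave
// a certificate on disk with no usable private key to pair it with.
success = [privKey SavePkcs8EncryptedPemFile: @"password" path: @"c:/temp/qa_output/ec_privkey.pem"];
if (!success) {
    NSLog(@"%@",privKey.LastErrorText);
    return;
}

// The CSR contains only public data, so it may be written in the clear.
// (Note the file holds the DER bytes produced by GenCsrBd, despite the .pem name.)
success = [bdCsr WriteFile: @"c:/temp/qa_output/csr.pem"];
if (!success) {
    NSLog(@"%@",bdCsr.LastErrorText);
    return;
}

// ----------------------------------------------------------------------
// Now do the CURL request to POST the CSR and get the new certificate.
//
// EST simplereenroll is authenticated by the CURRENT certificate: the existing
// cert and its key are presented as the TLS client certificate (curl's
// --cert/--key above).  This is what proves to the CA that the caller is the
// legitimate holder of the certificate being renewed.

CkoHttp *http = [[CkoHttp alloc] init];

CkoCert *tlsClientCert = [[CkoCert alloc] init];
success = [tlsClientCert LoadFromFile: @"data/myTlsClientCert.pem"];
if (!success) {
    NSLog(@"%@",tlsClientCert.LastErrorText);
    return;
}

// The existing client key is loaded with an empty password, i.e. the example
// assumes an unencrypted key file on disk.  Protect that file accordingly, or
// store the key encrypted and supply the real passphrase to LoadAnyFormat.
CkoBinData *bdTlsClientCertPrivKey = [[CkoBinData alloc] init];
success = [bdTlsClientCertPrivKey LoadFile: @"data/myTlsClientCert.key.pem"];
if (!success) {
    NSLog(@"%@",@"Failed to load data/myTlsClientCert.key.pem");
    return;
}

CkoPrivateKey *tlsClientCertPrivKey = [[CkoPrivateKey alloc] init];
success = [tlsClientCertPrivKey LoadAnyFormat: bdTlsClientCertPrivKey password: @""];
if (!success) {
    NSLog(@"%@",tlsClientCertPrivKey.LastErrorText);
    return;
}

success = [tlsClientCert SetPrivateKey: tlsClientCertPrivKey];
if (!success) {
    NSLog(@"%@",tlsClientCert.LastErrorText);
    return;
}

[http SetSslClientCert: tlsClientCert];

// Require the EST server's certificate to verify.  Never disable this for an
// enrollment endpoint: the response is the identity you will deploy, so a
// man-in-the-middle here can hand back a certificate of its choosing.
// Note the curl command above pins trust to a specific CA (--cacert data/ca.pem);
// this setting instead verifies against the roots Chilkat trusts by default.
// If the EST server chains to a private CA, that CA must be made trusted
// (Chilkat's trusted-roots facility) or this request will fail verification.
http.RequireSslCertVerify = YES;

// The body of the HTTP request contains the binary CSR.
CkoHttpResponse *resp = [[CkoHttpResponse alloc] init];
NSString *url = @"https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll";
success = [http HttpBd: @"POST" url: url bd: bdCsr contentType: @"application/pkcs10" response: resp];
if (!success) {
    NSLog(@"%@",http.LastErrorText);
    return;
}

if ([resp.StatusCode intValue] != 200) {
    NSLog(@"%@%d",@"response status code = ",[resp.StatusCode intValue]);
    NSLog(@"%@",resp.BodyStr);
    NSLog(@"%@",@"Failed");
    return;
}

// The response body is Base64.  Per the curl/openssl pipeline above it is a
// certs-only PKCS#7 (DER) containing the new certificate; the original example
// loads it directly into a certificate object, which is kept here as-is.
CkoCert *myNewCert = [[CkoCert alloc] init];
success = [myNewCert LoadFromBase64: resp.BodyStr];
if (!success) {
    NSLog(@"%@",myNewCert.LastErrorText);
    NSLog(@"%@%@",@"Cert data = ",resp.BodyStr);
    NSLog(@"%@",@"Failed.");
    return;
}

// Sanity-check that the certificate we got back is the one we asked for before
// persisting it: the Subject CN must match the CN placed in the CSR.  If your
// profile is configured to rewrite the CN, relax this check accordingly.
// (It is also worth confirming that the certificate's public key corresponds to
// privKey before the two are paired for deployment; that step is not shown here.)
if (![myNewCert.SubjectCN isEqualToString: csr.CommonName]) {
    NSLog(@"%@%@",@"Unexpected Subject CN in renewed certificate: ",myNewCert.SubjectCN);
    NSLog(@"%@",@"Failed.");
    return;
}

success = [myNewCert SaveToFile: @"c:/temp/qa_output/myNewCert.cer"];
if (!success) {
    NSLog(@"%@",myNewCert.LastErrorText);
    NSLog(@"%@",@"Failed.");
    return;
}

NSLog(@"%@",@"Success.");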