Renew a DigiCert Certificate from an EST-enabled profile
Demonstrates how to renew a certificate from an EST-enabled profile in DigiCert® Trust Lifecycle Manager. (The certificate must be within the renewal window configured in the certificate profile, and the CSR must carry the same Subject DN values as the original certificate.)
Chilkat Objective-C Downloads
#import <CkoPrng.h>
#import <NSString.h>
#import <CkoEcc.h>
#import <CkoPrivateKey.h>
#import <CkoCsr.h>
#import <CkoBinData.h>
#import <CkoHttp.h>
#import <CkoCert.h>
#import <CkoHttpResponse.h>
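BOOL success = NO;
// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
//
// Flow: generate a fresh EC key, build a CSR whose Subject DN matches the
// certificate being renewed, POST the CSR over mutual TLS to the EST
// "simplereenroll" endpoint, and save the returned certificate.
//
// The example below duplicates the following OpenSSL commands:
//
// # Name of certificate as argument 1
//
// # Make new key
// openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem
//
// # Make csr
// openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}"
//
// # Request new cert
// curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem
// --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll
//
// # Convert to PEM
// openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem
// ------------------------------------------------------------------------------------------------------------------
// Create a Fortuna PRNG and seed it with system entropy.
// This will be our source of random data for generating the ECC private key.
CkoPrng *fortuna = [[CkoPrng alloc] init];
NSString *entropy = [fortuna GetEntropy: @32 encoding: @"base64"];
success = [fortuna AddEntropy: entropy encoding: @"base64"];
if (!success) {
    // Do not generate a key from an unseeded PRNG.
    NSLog(@"%@",@"Failed to seed the PRNG with system entropy.");
    return;
}
CkoEcc *ec = [[CkoEcc alloc] init];
// Generate a random EC private key on the prime256v1 curve.
CkoPrivateKey *privKey = [[CkoPrivateKey alloc] init];
success = [ec GenKey: @"prime256v1" prng: fortuna privKey: privKey];
if (!success) {
    NSLog(@"%@",ec.LastErrorText);
    return;
}
// Create the CSR object and set properties.
CkoCsr *csr = [[CkoCsr alloc] init];
// Specify your CN. For an EST re-enrollment the Subject DN must match the
// certificate being renewed.
csr.CommonName = @"mysubdomain.mydomain.com";
// Create the CSR using the private key.
CkoBinData *bdCsr = [[CkoBinData alloc] init];
success = [csr GenCsrBd: privKey csrData: bdCsr];
if (!success) {
    NSLog(@"%@",csr.LastErrorText);
    return;
}
// Save the private key and CSR to files before contacting the server, and
// stop on failure: a renewed certificate is useless without its key.
// "password" is a placeholder for the example; supply the PKCS#8 passphrase
// at runtime rather than as a literal in shipped code.
success = [privKey SavePkcs8EncryptedPemFile: @"password" path: @"c:/temp/qa_output/ec_privkey.pem"];
if (!success) {
    NSLog(@"%@",privKey.LastErrorText);
    return;
}
success = [bdCsr WriteFile: @"c:/temp/qa_output/csr.pem"];
if (!success) {
    NSLog(@"%@",@"Failed to write c:/temp/qa_output/csr.pem");
    return;
}
// ----------------------------------------------------------------------
// Now do the CURL request to POST the CSR and get the new certificate.
// The EST endpoint authenticates the caller with the *existing* certificate
// (curl's --cert/--key), so that cert and its key are loaded here.
CkoHttp *http = [[CkoHttp alloc] init];
CkoCert *tlsClientCert = [[CkoCert alloc] init];
success = [tlsClientCert LoadFromFile: @"data/myTlsClientCert.pem"];
if (!success) {
    NSLog(@"%@",tlsClientCert.LastErrorText);
    return;
}
CkoBinData *bdTlsClientCertPrivKey = [[CkoBinData alloc] init];
success = [bdTlsClientCertPrivKey LoadFile: @"data/myTlsClientCert.key.pem"];
if (!success) {
    NSLog(@"%@",@"Failed to load data/myTlsClientCert.key.pem");
    return;
}
CkoPrivateKey *tlsClientCertPrivKey = [[CkoPrivateKey alloc] init];
// Empty password: the example's client key file is assumed to be unencrypted.
success = [tlsClientCertPrivKey LoadAnyFormat: bdTlsClientCertPrivKey password: @""];
if (!success) {
    NSLog(@"%@",tlsClientCertPrivKey.LastErrorText);
    return;
}
success = [tlsClientCert SetPrivateKey: tlsClientCertPrivKey];
if (!success) {
    NSLog(@"%@",tlsClientCert.LastErrorText);
    return;
}
[http SetSslClientCert: tlsClientCert];
// Reject the connection unless the server's TLS certificate verifies
// (the counterpart of curl's --cacert). Which roots are trusted depends on
// how Chilkat's trust store is configured — confirm for your deployment.
http.RequireSslCertVerify = YES;
// The body of the HTTP request contains the binary CSR.
CkoHttpResponse *resp = [[CkoHttpResponse alloc] init];
NSString *url = @"https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll";
success = [http HttpBd: @"POST" url: url bd: bdCsr contentType: @"application/pkcs10" response: resp];
if (!success) {
    NSLog(@"%@",http.LastErrorText);
    return;
}
if ([resp.StatusCode intValue] != 200) {
    // Non-200 bodies from EST servers are typically error text; log it.
    NSLog(@"%@%d",@"response status code = ",[resp.StatusCode intValue]);
    NSLog(@"%@",resp.BodyStr);
    NSLog(@"%@",@"Failed");
    return;
}
// The response is the Base64 DER of the new certificate.
// NOTE(review): the curl flow above decodes the body as a PKCS#7 bundle;
// this example expects LoadFromBase64 to accept that body — confirm if the
// load below fails for your profile.
CkoCert *myNewCert = [[CkoCert alloc] init];
success = [myNewCert LoadFromBase64: resp.BodyStr];
if (!success) {
    NSLog(@"%@",myNewCert.LastErrorText);
    NSLog(@"%@%@",@"Cert data = ",resp.BodyStr);
    NSLog(@"%@",@"Failed.");
    return;
}
success = [myNewCert SaveToFile: @"c:/temp/qa_output/myNewCert.cer"];
if (!success) {
    NSLog(@"%@",myNewCert.LastErrorText);
    NSLog(@"%@",@"Failed.");
    return;
}
NSLog(@"%@",@"Success.");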