|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(Objective-C) Renew a DigiCert Certificate from an EST-enabled profileDemonstrates how to renew a certificate from an EST-enabled profile in DigiCert® Trust Lifecycle Manager. (The certificate must be within the renewal window configured in the certificate profile. The CSR must have same Subject DN values as the original certificate.)
#import <CkoPrng.h> #import <NSString.h> #import <CkoEcc.h> #import <CkoPrivateKey.h> #import <CkoCsr.h> #import <CkoBinData.h> #import <CkoHttp.h> #import <CkoCert.h> #import <CkoHttpResponse.h> // This example requires the Chilkat API to have been previously unlocked. // See Global Unlock Sample for sample code. // The example below duplicates the following OpenSSL commands: // // # Name of certificate as argument 1 // // # Make new key // openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem // // # Make csr // openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}" // // # Request new cert // curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem // --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll // // # Convert to PEM // openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem // ------------------------------------------------------------------------------------------------------------------ // Create a Fortuna PRNG and seed it with system entropy. // This will be our source of random data for generating the ECC private key. CkoPrng *fortuna = [[CkoPrng alloc] init]; NSString *entropy = [fortuna GetEntropy: [NSNumber numberWithInt: 32] encoding: @"base64"]; BOOL success = [fortuna AddEntropy: entropy encoding: @"base64"]; CkoEcc *ec = [[CkoEcc alloc] init]; // Generate a random EC private key on the prime256v1 curve. CkoPrivateKey *privKey = [ec GenEccKey: @"prime256v1" prng: fortuna]; if (ec.LastMethodSuccess != YES) { NSLog(@"%@",ec.LastErrorText); return; } // Create the CSR object and set properties. CkoCsr *csr = [[CkoCsr alloc] init]; // Specify your CN csr.CommonName = @"mysubdomain.mydomain.com"; // Create the CSR using the private key. CkoBinData *bdCsr = [[CkoBinData alloc] init]; success = [csr GenCsrBd: privKey csrData: bdCsr]; if (success == NO) { NSLog(@"%@",csr.LastErrorText); return; } // Save the private key and CSR to files. [privKey SavePkcs8EncryptedPemFile: @"password" path: @"c:/temp/qa_output/ec_privkey.pem"]; [bdCsr WriteFile: @"c:/temp/qa_output/csr.pem"]; // ---------------------------------------------------------------------- // Now do the CURL request to POST the CSR and get the new certificate. CkoHttp *http = [[CkoHttp alloc] init]; CkoCert *tlsClientCert = [[CkoCert alloc] init]; success = [tlsClientCert LoadFromFile: @"data/myTlsClientCert.pem"]; if (success == NO) { NSLog(@"%@",tlsClientCert.LastErrorText); return; } CkoBinData *bdTlsClientCertPrivKey = [[CkoBinData alloc] init]; success = [bdTlsClientCertPrivKey LoadFile: @"data/myTlsClientCert.key.pem"]; if (success == NO) { NSLog(@"%@",@"Failed to load data/myTlsClientCert.key.pem"); return; } CkoPrivateKey *tlsClientCertPrivKey = [[CkoPrivateKey alloc] init]; success = [tlsClientCertPrivKey LoadAnyFormat: bdTlsClientCertPrivKey password: @""]; if (success == NO) { NSLog(@"%@",tlsClientCertPrivKey.LastErrorText); return; } success = [tlsClientCert SetPrivateKey: tlsClientCertPrivKey]; if (success == NO) { NSLog(@"%@",tlsClientCert.LastErrorText); return; } [http SetSslClientCert: tlsClientCert]; http.RequireSslCertVerify = YES; // The body of the HTTP request contains the binary CSR. CkoHttpResponse *resp = [http PBinaryBd: @"POST" url: @"https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll" data: bdCsr contentType: @"application/pkcs10" md5: NO gzip: NO]; if (http.LastMethodSuccess == NO) { NSLog(@"%@",http.LastErrorText); return; } if ([resp.StatusCode intValue] != 200) { NSLog(@"%@%d",@"response status code = ",[resp.StatusCode intValue]); NSLog(@"%@",resp.BodyStr); NSLog(@"%@",@"Failed"); return; } // The response is the Base64 DER of the new certificate. CkoCert *myNewCert = [[CkoCert alloc] init]; success = [myNewCert LoadFromBase64: resp.BodyStr]; if (success == NO) { NSLog(@"%@",myNewCert.LastErrorText); NSLog(@"%@%@",@"Cert data = ",resp.BodyStr); NSLog(@"%@",@"Failed."); return; } success = [myNewCert SaveToFile: @"c:/temp/qa_output/myNewCert.cer"]; if (success == NO) { NSLog(@"%@",myNewCert.LastErrorText); NSLog(@"%@",@"Failed."); return; } NSLog(@"%@",@"Success."); |
||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.