Duplicate openssl req -newkey rsa:2048 -nodes -keyout mydomain.pem -out mydomain.csr
Demonstrates how to duplicate this OpenSSL command: openssl req -newkey rsa:2048 -nodes -keyout mydomain.pem -out mydomain.csr
This command creates 2 files:
- mydomain.csr: this is the file to send to DigiCert or Let's Encrypt (or any other CA)
- mydomain.pem: this is the private key of the domain.
The second file (the private key) is needed later to pair with the certificate that the CA issues in response to the CSR.
#import <CkoRsa.h>
#import <CkoPrivateKey.h>
#import <CkoXml.h>
#import <NSString.h>
#import <CkoAsn.h>
#import <CkoBinData.h>
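BOOL success = NO;

// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// ----------------------------------
// Generate the RSA key pair
// ----------------------------------
CkoRsa *rsa = [[CkoRsa alloc] init];

// Generate a 2048-bit key. Chilkat RSA supports key sizes ranging from
// 512 bits to 8192 bits; 2048 is the size requested by the OpenSSL command above.
CkoPrivateKey *privKey = [[CkoPrivateKey alloc] init];
success = [rsa GenKey: @2048 privKey: privKey];
if (!success) {
    NSLog(@"%@", rsa.LastErrorText);
    return;
}
[rsa UsePrivateKey: privKey];

// Save the private key to unencrypted PKCS8 PEM.
// This file is the secret half of the pair: restrict its file permissions and
// never send it to the CA (only the CSR is sent).
success = [privKey SavePkcs8PemFile: @"mydomain.pem"];
if (!success) {
    NSLog(@"%@", privKey.LastErrorText);
    return;
}

// (alternatively) Save the private key to encrypted PKCS8 PEM.
// "myPassword" is a sample value; a real deployment should obtain the
// passphrase from secure storage rather than a string literal in source.
success = [privKey SavePkcs8EncryptedPemFile: @"myPassword" path: @"mydomain_enc.pem"];
if (!success) {
    NSLog(@"%@", privKey.LastErrorText);
    return;
}

// We'll need the private key's modulus and public exponent for the CSR.
// Neither value needs to be protected: an RSA public key is just the modulus
// and public exponent, which are a subset of the private key's components.
CkoXml *privKeyXml = [[CkoXml alloc] init];
success = [privKeyXml LoadXml: [privKey GetXml]];
if (!success) {
    NSLog(@"%@", privKeyXml.LastErrorText);
    return;
}

// Both values are base64 in the key XML. The exponent is read from the key
// rather than hard-coded so the CSR always matches the generated key.
NSString *keyModulus = [privKeyXml GetChildContent: @"Modulus"];
NSString *keyExponent = [privKeyXml GetChildContent: @"Exponent"];
if (keyModulus.length == 0 || keyExponent.length == 0) {
    NSLog(@"%@", @"Private key XML is missing the Modulus or Exponent element.");
    return;
}

// --------------------------------------------------------------------------------
// Now build the CSR using Chilkat's ASN.1 API.
// A new ASN.1 object is automatically a SEQUENCE. Given that the CSR's root
// item is a SEQUENCE, we can use this object as the root of our CSR.
CkoAsn *asnRoot = [[CkoAsn alloc] init];

// Beneath the root, we have a SEQUENCE (the certificate request info),
// another SEQUENCE (the signature algorithm identifier), and a BIT STRING
// (the signature data). The two SEQUENCEs are appended now and filled in below.
success = [asnRoot AppendSequence] && [asnRoot AppendSequence];
if (!success) {
    NSLog(@"%@", asnRoot.LastErrorText);
    return;
}

// ----------------------------------
// Build the Certificate Request Info
// ----------------------------------
CkoAsn *asnCertReqInfo = [asnRoot GetSubItem: @0];

// The first item of the request info is the version INTEGER (0).
success = [asnCertReqInfo AppendInt: @0];
if (!success) {
    NSLog(@"%@", asnCertReqInfo.LastErrorText);
    return;
}

// Build the Subject part of the Certificate Request Info.
// Each subject attribute is a SET containing a SEQUENCE of { OID, string }.
// Entries: { attribute OID, string type, value }.
CkoAsn *asnCertSubject = [asnCertReqInfo AppendSequenceR];
NSArray<NSArray<NSString *> *> *subjectAttributes = @[
    @[@"2.5.4.6",  @"printable", @"US"],                    // countryName
    @[@"2.5.4.8",  @"utf8",      @"Utah"],                  // stateOrProvinceName
    @[@"2.5.4.7",  @"utf8",      @"Lindon"],                // localityName
    @[@"2.5.4.10", @"utf8",      @"DigiCert Inc."],         // organizationName
    @[@"2.5.4.11", @"utf8",      @"DigiCert"],              // organizationalUnitName
    @[@"2.5.4.3",  @"utf8",      @"example.digicert.com"],  // commonName
];
for (NSArray<NSString *> *attribute in subjectAttributes) {
    CkoAsn *asnAttribute = [asnCertSubject AppendSetR];
    // AppendSequence2 updates the internal reference to the newly appended
    // SEQUENCE, so the OID and string land inside that SEQUENCE.
    success = [asnAttribute AppendSequence2]
        && [asnAttribute AppendOid: attribute[0]]
        && [asnAttribute AppendString: attribute[1] value: attribute[2]];
    if (!success) {
        NSLog(@"%@", asnCertSubject.LastErrorText);
        return;
    }
}

// Build the Public Key Info part of the Certificate Request Info.
// The algorithm identifier is rsaEncryption (1.2.840.113549.1.1.1) with NULL parameters.
CkoAsn *asnPubKeyInfo = [asnCertReqInfo AppendSequenceR];
CkoAsn *asnPubKeyAlgId = [asnPubKeyInfo AppendSequenceR];
success = [asnPubKeyAlgId AppendOid: @"1.2.840.113549.1.1.1"] && [asnPubKeyAlgId AppendNull];
if (!success) {
    NSLog(@"%@", asnPubKeyInfo.LastErrorText);
    return;
}

// The public key itself is a BIT STRING, but the bit string is composed of ASN.1
// for the RSA public key. We first build the RSA ASN.1 for the public key
// (containing the 2048-bit modulus and the exponent), encode it to DER, and then add
// the DER bytes as a BIT STRING (as a sub-item of asnPubKeyInfo).
// A new CkoAsn is already a SEQUENCE.
CkoAsn *asnRsaKey = [[CkoAsn alloc] init];
// The RSA modulus and exponent are big integers, both base64 from the key XML.
success = [asnRsaKey AppendBigInt: keyModulus encoding: @"base64"]
    && [asnRsaKey AppendBigInt: keyExponent encoding: @"base64"];
if (!success) {
    NSLog(@"%@", asnRsaKey.LastErrorText);
    return;
}
NSString *rsaKeyDerBase64 = [asnRsaKey GetEncodedDer: @"base64"];

// Now add the RSA key DER as a BIT STRING.
success = [asnPubKeyInfo AppendBits: rsaKeyDerBase64 encoding: @"base64"];
if (!success) {
    NSLog(@"%@", asnPubKeyInfo.LastErrorText);
    return;
}

// The last part of the certificate request info is an empty context-specific
// constructed item with a tag equal to 0 (the attributes field).
success = [asnCertReqInfo AppendContextConstructed: @0];
if (!success) {
    NSLog(@"%@", asnCertReqInfo.LastErrorText);
    return;
}

// ----------------------------------
// Sign the Certificate Request Info
// ----------------------------------
// Get the DER of the asnCertReqInfo. This is what gets signed with the RSA private key.
CkoBinData *bdDer = [[CkoBinData alloc] init];
success = [asnCertReqInfo WriteBd: bdDer];
if (!success) {
    NSLog(@"%@", asnCertReqInfo.LastErrorText);
    return;
}

// Sign with SHA-256. The hash used here must match the signature algorithm
// identifier written below; SHA-1 signatures are rejected by current CAs.
CkoBinData *bdSig = [[CkoBinData alloc] init];
success = [rsa SignBd: bdDer hashAlgorithm: @"SHA256" bdSig: bdSig];
if (!success) {
    NSLog(@"%@", rsa.LastErrorText);
    return;
}

// Add the signature to the ASN.1 as the BIT STRING (3rd sub-item under the root).
success = [asnRoot AppendBits: [bdSig GetEncoded: @"base64"] encoding: @"base64"];
if (!success) {
    NSLog(@"%@", asnRoot.LastErrorText);
    return;
}

// ----------------------------------
// Finally, fill in the signature algorithm identifier, which is the 2nd
// sub-item under the root: sha256WithRSAEncryption (1.2.840.113549.1.1.11).
// ----------------------------------
CkoAsn *asnAlgId = [asnRoot GetSubItem: @1];
success = [asnAlgId AppendOid: @"1.2.840.113549.1.1.11"] && [asnAlgId AppendNull];
if (!success) {
    NSLog(@"%@", asnAlgId.LastErrorText);
    return;
}

// Write the CSR to a DER encoded binary file:
success = [asnRoot WriteBinaryDer: @"qa_output/mydomain.csr"];
if (!success) {
    NSLog(@"%@", asnRoot.LastErrorText);
    return;
}

// It is also possible to get the CSR in base64 format:
NSString *csrBase64 = [asnRoot GetEncodedDer: @"base64"];
NSLog(@"%@", @"Base64 CSR:");
NSLog(@"%@", csrBase64);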