(Ruby) Generate a CSR with keyUsage, extKeyUsage, and other Extensions

See more CSR Examples

Demonstrates how to generate a CSR containing a 1.2.840.113549.1.9.14 extensionRequest with the following extensions:

• 1.3.6.1.4.1.311.20.2 enrollCerttypeExtension
• 2.5.29.15 keyUsage
• 2.5.29.37 extKeyUsage
• 2.5.29.14 subjectKeyIdentifier

Chilkat Ruby Downloads install from rubygems.org gem install chilkat or download... Ruby Library for Windows, MacOS, Linux, Alpine Linux

require 'chilkat'

# This requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# This example will generate a secp256r1 ECDSA key for the CSR.
ecc = Chilkat::CkEcc.new()
prng = Chilkat::CkPrng.new()

# privKey is a CkPrivateKey
privKey = ecc.GenEccKey("secp256r1",prng)
if (ecc.get_LastMethodSuccess() == false)
    print "Failed to generate a new ECDSA private key." + "\n";
    exit
end

csr = Chilkat::CkCsr.new()

# Add common CSR fields:
csr.put_CommonName("mysubdomain.mydomain.com")
csr.put_Country("GB")
csr.put_State("Yorks")
csr.put_Locality("York")
csr.put_Company("Internet Widgits Pty Ltd")
csr.put_EmailAddress("support@mydomain.com")

# Add the following 1.2.840.113549.1.9.14 extensionRequest
# Note: The easiest way to know the content and format of the XML to be added is to examine
# a pre-existing CSR with the same desired extensionRequest.  You can use Chilkat to
# get the extensionRequest from an existing CSR. 

# 
# Here is a sample extension request:

# <?xml version="1.0" encoding="utf-8"?>
# <set>
#     <sequence>
#         <sequence>
#             <oid>1.3.6.1.4.1.311.20.2</oid>
#             <asnOctets>
#                 <universal tag="30" constructed="0">AEUAbgBkAEUAbgB0AGkAdAB5AEMAbABpAGUAbgB0AEEAdQB0AGgAQwBlAHIAdABpAGYAaQBjAGEAdABl
# AF8AQwBTAFIAUABhAHMAcwB0AGgAcgBvAHUAZwBoAC8AVgAx</universal>
#             </asnOctets>
#         </sequence>
#         <sequence>
#             <oid>2.5.29.15</oid>
#             <bool>1</bool>
#             <asnOctets>
#                 <bits n="3">A0</bits>
#             </asnOctets>
#         </sequence>
#         <sequence>
#             <oid>2.5.29.37</oid>
#             <asnOctets>
#                 <sequence>
#                     <oid>1.3.6.1.5.5.7.3.3</oid>
#                 </sequence>
#             </asnOctets>
#         </sequence>
#         <sequence>
#             <oid>2.5.29.14</oid>
#             <asnOctets>
#                 <octets>MCzBMQAViXBz8IDt8LsgmJxJ4Xg=</octets>
#             </asnOctets>
#         </sequence>
#     </sequence>
# </set>

# Use this online tool to generate code from sample XML: 
# Generate Code to Create XML

# A few notes:
# The string "AEUAbgBkAEUAbgB0AGkAdAB5AEMAbABpAGUAbgB0AEEAdQB0AGgAQwBlAHIAdABpAGYAaQBjAGEAdABlAF8AQwBTAFIAUABhAHMAcwB0AGgAcgBvAHUAZwBoAC8AVgAx"
# is the base64 encoding of the utf-16be byte representation of the string "EndEntityClientAuthCertificate_CSRPassthrough/V1"

s = "EndEntityClientAuthCertificate_CSRPassthrough/V1"
bdTemp = Chilkat::CkBinData.new()
bdTemp.AppendString(s,"utf-16be")
s_base64_utf16be = bdTemp.getEncoded("base64")
# The string should be "AEUA....."
print s_base64_utf16be + "\n";

# Here's the code to generate the above extension request.

xml = Chilkat::CkXml.new()
xml.put_Tag("set")
xml.UpdateChildContent("sequence|sequence|oid","1.3.6.1.4.1.311.20.2")
xml.UpdateAttrAt("sequence|sequence|asnOctets|universal",true,"tag","30")
xml.UpdateAttrAt("sequence|sequence|asnOctets|universal",true,"constructed","0")
xml.UpdateChildContent("sequence|sequence|asnOctets|universal",s_base64_utf16be)
xml.UpdateChildContent("sequence|sequence[1]|oid","2.5.29.15")
xml.UpdateChildContent("sequence|sequence[1]|bool","1")
xml.UpdateAttrAt("sequence|sequence[1]|asnOctets|bits",true,"n","3")
# A0 is hex for decimal 160.
xml.UpdateChildContent("sequence|sequence[1]|asnOctets|bits","A0")
xml.UpdateChildContent("sequence|sequence[2]|oid","2.5.29.37")
xml.UpdateChildContent("sequence|sequence[2]|asnOctets|sequence|oid","1.3.6.1.5.5.7.3.3")

# This is the subjectKeyIdentifier extension.
# The string "MCzBMQAViXBz8IDt8LsgmJxJ4Xg=" is base64 that decodes to 20 bytes, which is a SHA1 hash.
# This is simply a hash of the DER of the public key.

# pubKey is a CkPublicKey
pubKey = privKey.GetPublicKey()
bdPubKeyDer = Chilkat::CkBinData.new()
bdPubKeyDer.AppendEncoded(pubKey.getEncoded(true,"base64"),"base64")
ski = bdPubKeyDer.getHash("sha1","base64")

xml.UpdateChildContent("sequence|sequence[3]|oid","2.5.29.14")
xml.UpdateChildContent("sequence|sequence[3]|asnOctets|octets",ski)

# Add the extension request to the CSR
csr.SetExtensionRequest(xml)

# Generate the CSR with the extension request
csrPem = csr.genCsrPem(privKey)
if (csr.get_LastMethodSuccess() == false)
    print csr.lastErrorText() + "\n";

    exit
end

print csrPem + "\n";