(Tcl) Renew a DigiCert Certificate from an EST-enabled profile. Demonstrates how to renew a certificate from an EST-enabled profile in DigiCert® Trust Lifecycle Manager. (The certificate must be within the renewal window configured in the certificate profile. The CSR must have the same Subject DN values as the original certificate.)
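load ./chilkat.dll

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# The example below duplicates the following OpenSSL commands:
#
# # Name of certificate as argument 1
#
# # Make new key
# openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem
#
# # Make csr
# openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}"
#
# # Request new cert
# curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem
#   --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll
#
# # Convert to PEM
# openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem
# ------------------------------------------------------------------------------------------------------------------

# Every Chilkat object created below is recorded here as a {deleteCommand handle}
# pair, so each failure path frees exactly the objects created so far instead of
# repeating a hand-maintained delete list that is easy to get out of sync.
set allocated {}

# Record a freshly created Chilkat object and return its handle unchanged.
proc track {deleter handle} {
    global allocated
    lappend allocated [list $deleter $handle]
    return $handle
}

# Delete one tracked object now (used where a handle is freed before the end
# of the script) and forget it so it is not deleted a second time.
proc release {deleter handle} {
    global allocated
    set idx [lsearch -exact $allocated [list $deleter $handle]]
    if {$idx >= 0} {
        set allocated [lreplace $allocated $idx $idx]
    }
    $deleter $handle
}

# Delete every still-tracked object, most recently created first.
proc releaseAll {} {
    global allocated
    for {set i [expr {[llength $allocated] - 1}]} {$i >= 0} {incr i -1} {
        set pair [lindex $allocated $i]
        [lindex $pair 0] [lindex $pair 1]
    }
    set allocated {}
}

# Print msg, free all Chilkat objects and terminate the script.
proc failExit {msg} {
    puts $msg
    releaseAll
    exit
}

# Create a Fortuna PRNG and seed it with system entropy.
# This will be our source of random data for generating the ECC private key.
set fortuna [track delete_CkPrng [new_CkPrng]]
set entropy [CkPrng_getEntropy $fortuna 32 "base64"]
if {[CkPrng_get_LastMethodSuccess $fortuna] != 1} {
    failExit [CkPrng_lastErrorText $fortuna]
}
# Seeding must not fail silently: an unseeded PRNG would weaken the key generated below.
set success [CkPrng_AddEntropy $fortuna $entropy "base64"]
if {$success == 0} {
    failExit [CkPrng_lastErrorText $fortuna]
}

set ec [track delete_CkEcc [new_CkEcc]]

# Generate a random EC private key on the prime256v1 curve.
# privKey is a CkPrivateKey
set privKey [CkEcc_GenEccKey $ec "prime256v1" $fortuna]
if {[CkEcc_get_LastMethodSuccess $ec] != 1} {
    failExit [CkEcc_lastErrorText $ec]
}
track delete_CkPrivateKey $privKey

# Create the CSR object and set properties.
set csr [track delete_CkCsr [new_CkCsr]]

# Specify your CN.
# For re-enrollment the CSR must carry the same Subject DN values as the certificate being renewed.
CkCsr_put_CommonName $csr "mysubdomain.mydomain.com"

# Create the CSR using the private key.
set bdCsr [track delete_CkBinData [new_CkBinData]]
set success [CkCsr_GenCsrBd $csr $privKey $bdCsr]
if {$success == 0} {
    failExit [CkCsr_lastErrorText $csr]
}

# Save the private key and CSR to files.
# The PKCS#8 PEM is encrypted under this passphrase; "password" is only a
# placeholder for the example and must be replaced in real use.
set privKeyPassword "password"
set success [CkPrivateKey_SavePkcs8EncryptedPemFile $privKey $privKeyPassword "c:/temp/qa_output/ec_privkey.pem"]
if {$success == 0} {
    failExit [CkPrivateKey_lastErrorText $privKey]
}
# The in-memory key is not needed after it has been written out.
release delete_CkPrivateKey $privKey

set success [CkBinData_WriteFile $bdCsr "c:/temp/qa_output/csr.pem"]
if {$success == 0} {
    failExit [CkBinData_lastErrorText $bdCsr]
}

# ----------------------------------------------------------------------
# Now do the CURL request to POST the CSR and get the new certificate.
set http [track delete_CkHttp [new_CkHttp]]

# The request is authenticated with a TLS client certificate (the curl
# equivalent above passes it with --cert / --key).
set tlsClientCert [track delete_CkCert [new_CkCert]]
set success [CkCert_LoadFromFile $tlsClientCert "data/myTlsClientCert.pem"]
if {$success == 0} {
    failExit [CkCert_lastErrorText $tlsClientCert]
}

set bdTlsClientCertPrivKey [track delete_CkBinData [new_CkBinData]]
set success [CkBinData_LoadFile $bdTlsClientCertPrivKey "data/myTlsClientCert.key.pem"]
if {$success == 0} {
    failExit "Failed to load data/myTlsClientCert.key.pem"
}

set tlsClientCertPrivKey [track delete_CkPrivateKey [new_CkPrivateKey]]
set success [CkPrivateKey_LoadAnyFormat $tlsClientCertPrivKey $bdTlsClientCertPrivKey ""]
if {$success == 0} {
    failExit [CkPrivateKey_lastErrorText $tlsClientCertPrivKey]
}

set success [CkCert_SetPrivateKey $tlsClientCert $tlsClientCertPrivKey]
if {$success == 0} {
    failExit [CkCert_lastErrorText $tlsClientCert]
}

# If the client certificate cannot be installed the request would go out
# unauthenticated, so treat that as fatal rather than ignoring the result.
set success [CkHttp_SetSslClientCert $http $tlsClientCert]
if {$success == 0} {
    failExit [CkHttp_lastErrorText $http]
}

# Require the server's certificate chain to verify. The curl equivalent above
# pins the issuing CA with --cacert data/ca.pem; confirm which trust anchors
# Chilkat consults for this host.
CkHttp_put_RequireSslCertVerify $http 1

# The body of the HTTP request contains the binary CSR.
# resp is a CkHttpResponse
set resp [CkHttp_PBinaryBd $http "POST" "https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll" $bdCsr "application/pkcs10" 0 0]
if {[CkHttp_get_LastMethodSuccess $http] == 0} {
    failExit [CkHttp_lastErrorText $http]
}
track delete_CkHttpResponse $resp

if {[CkHttpResponse_get_StatusCode $resp] != 200} {
    puts "response status code = [CkHttpResponse_get_StatusCode $resp]"
    puts [CkHttpResponse_bodyStr $resp]
    failExit "Failed"
}

# The response body is base64 text. The OpenSSL commands above decode it as a
# DER PKCS#7 bundle and print the certificate(s) it contains.
# NOTE(review): confirm LoadFromBase64 accepts that PKCS#7 form and not only a bare certificate.
set myNewCert [track delete_CkCert [new_CkCert]]
set success [CkCert_LoadFromBase64 $myNewCert [CkHttpResponse_bodyStr $resp]]
if {$success == 0} {
    puts [CkCert_lastErrorText $myNewCert]
    puts "Cert data = [CkHttpResponse_bodyStr $resp]"
    failExit "Failed."
}
release delete_CkHttpResponse $resp

set success [CkCert_SaveToFile $myNewCert "c:/temp/qa_output/myNewCert.cer"]
if {$success == 0} {
    puts [CkCert_lastErrorText $myNewCert]
    failExit "Failed."
}

puts "Success."

# Normal completion: free every remaining Chilkat object.
releaseAll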