Tcl
Tcl
Duplicate openssl req -newkey rsa:2048 -nodes -keyout mydomain.pem -out mydomain.csr
Demonstrates how to duplicate this OpenSSL command: openssl req -newkey rsa:2048 -nodes -keyout mydomain.pem -out mydomain.csr
This command creates 2 files:
- mydomain.csr: this is the file to send to DigiCert or Let's Encrypt (or any other CA)
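- mydomain.pem: this is the private key of the domain. Because of -nodes it is written unencrypted, so it must be kept secret and is never sent to the CA.
The second file is needed to pair with the certificate that will later be received from the CA.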
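load ./chilkat.dll

# Builds an RSA key pair and a PKCS#10 certificate signing request (CSR) by hand
# with Chilkat's ASN.1 API, mirroring:
#   openssl req -newkey rsa:2048 -nodes -keyout mydomain.pem -out mydomain.csr
#
# Differences from the OpenSSL command that are visible in this script:
#   - the CSR is written as binary DER (OpenSSL writes PEM by default); the base64
#     form printed at the end has no PEM header/footer lines.
#   - the CSR is written under qa_output/, which must already exist.

set success 0

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

set rsa [new_CkRsa]

# Generate a 2048-bit key. Chilkat RSA supports key sizes ranging from 512 bits
# to 8192 bits, but anything below 2048 bits is too weak for a certificate request.
set privKey [new_CkPrivateKey]
set success [CkRsa_GenKey $rsa 2048 $privKey]
if {$success == 0} then {
    puts [CkRsa_lastErrorText $rsa]
    delete_CkRsa $rsa
    delete_CkPrivateKey $privKey
    exit 1
}

# The same key is used later to sign the certificate request info.
CkRsa_UsePrivateKey $rsa $privKey

# Save the private key to unencrypted PKCS8 PEM (the equivalent of -nodes).
# Anyone who can read this file can impersonate the domain, so a failed or
# partial write must not go unnoticed.
set success [CkPrivateKey_SavePkcs8PemFile $privKey "mydomain.pem"]
if {$success == 0} then {
    puts [CkPrivateKey_lastErrorText $privKey]
    delete_CkRsa $rsa
    delete_CkPrivateKey $privKey
    exit 1
}
# On Unix-like systems restrict the key file to its owner. This narrows the
# permissions after creation; on Windows use an ACL-protected directory instead.
if {$tcl_platform(platform) eq "unix"} {
    file attributes "mydomain.pem" -permissions rw-------
}

# (alternatively) Save the private key to encrypted PKCS8 PEM.
# "myPassword" is a placeholder: in real use take the passphrase from the operator
# or a secret store, never from a literal in the script.
set success [CkPrivateKey_SavePkcs8EncryptedPemFile $privKey "myPassword" "mydomain_enc.pem"]
if {$success == 0} then {
    puts [CkPrivateKey_lastErrorText $privKey]
    delete_CkRsa $rsa
    delete_CkPrivateKey $privKey
    exit 1
}

# We'll need the private key's modulus for the CSR.
# The modulus is not something that needs to be protected: a public key is just
# a subset of the private key. The public parts of an RSA private key are the
# modulus and the exponent. This example assumes the generated key uses the
# exponent 65537, which is the value appended to the public key below; for a key
# obtained any other way, confirm the exponent before reusing this code.
set privKeyXml [new_CkXml]
set success [CkXml_LoadXml $privKeyXml [CkPrivateKey_getXml $privKey]]
# Get the modulus in base64 format:
set keyModulus [CkXml_getChildContent $privKeyXml "Modulus"]

# --------------------------------------------------------------------------------
# Now build the CSR using Chilkat's ASN.1 API.
# The keyModulus will be embedded within the ASN.1.

# A new ASN.1 object is automatically a SEQUENCE.
# Given that the CSR's root item is a SEQUENCE, we can use
# this as the root of our CSR.
set asnRoot [new_CkAsn]

# Beneath the root, we have a SEQUENCE (the certificate request info),
# another SEQUENCE (the algorithm identifier), and a BITSTRING (the signature data)
set success [CkAsn_AppendSequence $asnRoot]
set success [CkAsn_AppendSequence $asnRoot]

# ----------------------------------
# Build the Certificate Request Info
# ----------------------------------
# asnCertReqInfo is a CkAsn
set asnCertReqInfo [CkAsn_GetSubItem $asnRoot 0]
# Version field of the certificate request info.
set success [CkAsn_AppendInt $asnCertReqInfo 0]

# Build the Subject part of the Certificate Request Info
# asnCertSubject is a CkAsn
set asnCertSubject [CkAsn_AppendSequenceR $asnCertReqInfo]

# Add each subject part as SET { SEQUENCE { OID, string } }.
# AppendSequence2 updates the internal reference to the newly appended SEQUENCE,
# so the OID and string that follow are added to that SEQUENCE.

# 2.5.4.6 = countryName
# asnTemp is a CkAsn
set asnTemp [CkAsn_AppendSetR $asnCertSubject]
set success [CkAsn_AppendSequence2 $asnTemp]
set success [CkAsn_AppendOid $asnTemp "2.5.4.6"]
set success [CkAsn_AppendString $asnTemp "printable" "US"]
delete_CkAsn $asnTemp

# 2.5.4.8 = stateOrProvinceName
set asnTemp [CkAsn_AppendSetR $asnCertSubject]
set success [CkAsn_AppendSequence2 $asnTemp]
set success [CkAsn_AppendOid $asnTemp "2.5.4.8"]
set success [CkAsn_AppendString $asnTemp "utf8" "Utah"]
delete_CkAsn $asnTemp

# 2.5.4.7 = localityName
set asnTemp [CkAsn_AppendSetR $asnCertSubject]
set success [CkAsn_AppendSequence2 $asnTemp]
set success [CkAsn_AppendOid $asnTemp "2.5.4.7"]
set success [CkAsn_AppendString $asnTemp "utf8" "Lindon"]
delete_CkAsn $asnTemp

# 2.5.4.10 = organizationName
set asnTemp [CkAsn_AppendSetR $asnCertSubject]
set success [CkAsn_AppendSequence2 $asnTemp]
set success [CkAsn_AppendOid $asnTemp "2.5.4.10"]
set success [CkAsn_AppendString $asnTemp "utf8" "DigiCert Inc."]
delete_CkAsn $asnTemp

# 2.5.4.11 = organizationalUnitName
set asnTemp [CkAsn_AppendSetR $asnCertSubject]
set success [CkAsn_AppendSequence2 $asnTemp]
set success [CkAsn_AppendOid $asnTemp "2.5.4.11"]
set success [CkAsn_AppendString $asnTemp "utf8" "DigiCert"]
delete_CkAsn $asnTemp

# 2.5.4.3 = commonName
set asnTemp [CkAsn_AppendSetR $asnCertSubject]
set success [CkAsn_AppendSequence2 $asnTemp]
set success [CkAsn_AppendOid $asnTemp "2.5.4.3"]
set success [CkAsn_AppendString $asnTemp "utf8" "example.digicert.com"]
delete_CkAsn $asnTemp

delete_CkAsn $asnCertSubject

# Build the Public Key Info part of the Certificate Request Info
# asnPubKeyInfo is a CkAsn
set asnPubKeyInfo [CkAsn_AppendSequenceR $asnCertReqInfo]

# 1.2.840.113549.1.1.1 = rsaEncryption, with NULL parameters.
# asnPubKeyAlgId is a CkAsn
set asnPubKeyAlgId [CkAsn_AppendSequenceR $asnPubKeyInfo]
set success [CkAsn_AppendOid $asnPubKeyAlgId "1.2.840.113549.1.1.1"]
set success [CkAsn_AppendNull $asnPubKeyAlgId]
delete_CkAsn $asnPubKeyAlgId

# The public key itself is a BIT STRING, but the bit string is composed of ASN.1
# for the RSA public key. We first build the RSA ASN.1 for the public key
# (containing the 2048 bit modulus and exponent), encode it to DER, and then add
# the DER bytes as a BIT STRING (as a sub-item of asnPubKeyInfo).

# This is already a SEQUENCE..
set asnRsaKey [new_CkAsn]
# The RSA modulus is a big integer.
set success [CkAsn_AppendBigInt $asnRsaKey $keyModulus "base64"]
set success [CkAsn_AppendInt $asnRsaKey 65537]
set rsaKeyDerBase64 [CkAsn_getEncodedDer $asnRsaKey "base64"]

# Now add the RSA key DER as a BIT STRING.
set success [CkAsn_AppendBits $asnPubKeyInfo $rsaKeyDerBase64 "base64"]
delete_CkAsn $asnPubKeyInfo

# The last part of the certificate request info is an empty context-specific
# constructed item with a tag equal to 0.
set success [CkAsn_AppendContextConstructed $asnCertReqInfo 0]

# Get the DER of the asnCertReqInfo.
# This will be signed using the RSA private key.
set bdDer [new_CkBinData]
set success [CkAsn_WriteBd $asnCertReqInfo $bdDer]

# Sign the request info with SHA-256. SHA-1 is no longer collision resistant and
# SHA-1-signed requests are widely rejected; current OpenSSL also signs requests
# with SHA-256 by default. The hash named here must match the signature
# algorithm OID written into the algorithm identifier further down.
set bdSig [new_CkBinData]
set success [CkRsa_SignBd $rsa $bdDer "sha256" $bdSig]
if {$success == 0} then {
    # Without a valid signature the CSR is useless, so stop here.
    puts [CkRsa_lastErrorText $rsa]
    delete_CkRsa $rsa
    delete_CkPrivateKey $privKey
    delete_CkXml $privKeyXml
    delete_CkAsn $asnCertReqInfo
    delete_CkAsn $asnRoot
    delete_CkAsn $asnRsaKey
    delete_CkBinData $bdDer
    delete_CkBinData $bdSig
    exit 1
}

# Add the signature to the ASN.1 (third sub-item under the root).
set success [CkAsn_AppendBits $asnRoot [CkBinData_getEncoded $bdSig "base64"] "base64"]
delete_CkAsn $asnCertReqInfo

# ----------------------------------
# Finally, add the algorithm identifier, which is the 2nd sub-item under the root.
# ----------------------------------
# 1.2.840.113549.1.1.11 = sha256WithRSAEncryption, matching the hash used to sign.
# asnAlgId is a CkAsn
set asnAlgId [CkAsn_GetSubItem $asnRoot 1]
set success [CkAsn_AppendOid $asnAlgId "1.2.840.113549.1.1.11"]
set success [CkAsn_AppendNull $asnAlgId]
delete_CkAsn $asnAlgId

# Write the CSR to a DER encoded binary file.
# The qa_output directory must exist beforehand.
set success [CkAsn_WriteBinaryDer $asnRoot "qa_output/mydomain.csr"]
if {$success == 0} then {
    puts [CkAsn_lastErrorText $asnRoot]
    delete_CkRsa $rsa
    delete_CkPrivateKey $privKey
    delete_CkXml $privKeyXml
    delete_CkAsn $asnRoot
    delete_CkAsn $asnRsaKey
    delete_CkBinData $bdDer
    delete_CkBinData $bdSig
    exit 1
}

# It is also possible to get the CSR in base64 format.
# The CSR holds only public data, so printing it is safe.
set csrBase64 [CkAsn_getEncodedDer $asnRoot "base64"]
puts "Base64 CSR:"
puts "$csrBase64"

delete_CkRsa $rsa
delete_CkPrivateKey $privKey
delete_CkXml $privKeyXml
delete_CkAsn $asnRoot
delete_CkAsn $asnRsaKey
delete_CkBinData $bdDer
delete_CkBinData $bdSig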