Sample code for 30+ languages & platforms
Unicode C

Renew a DigiCert Certificate from an EST-enabled profile

See more Certificates Examples

Demonstrates how to renew a certificate from an EST-enabled profile in DigiCert​​®​​ Trust Lifecycle Manager. (The certificate must be within the renewal window configured in the certificate profile. The CSR must have same Subject DN values as the original certificate.)

Chilkat Unicode C Downloads

Unicode C
#include <C_CkPrngW.h>
#include <C_CkEccW.h>
#include <C_CkPrivateKeyW.h>
#include <C_CkCsrW.h>
#include <C_CkBinDataW.h>
#include <C_CkHttpW.h>
#include <C_CkCertW.h>
#include <C_CkHttpResponseW.h>

void ChilkatSample(void)
    {
    BOOL success;
    HCkPrngW fortuna;
    const wchar_t *entropy;
    HCkEccW ec;
    HCkPrivateKeyW privKey;
    HCkCsrW csr;
    HCkBinDataW bdCsr;
    HCkHttpW http;
    HCkCertW tlsClientCert;
    HCkBinDataW bdTlsClientCertPrivKey;
    HCkPrivateKeyW tlsClientCertPrivKey;
    HCkHttpResponseW resp;
    const wchar_t *url;
    HCkCertW myNewCert;

    success = FALSE;

    // This example requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    // The example below duplicates the following OpenSSL commands:
    // 
    // # Name of certificate as argument 1
    // 
    // # Make new key
    // openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem
    // 
    // # Make csr
    // openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}"
    // 
    // # Request new cert
    // curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem 
    //     --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll
    // 
    // # Convert to PEM
    // openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem

    // ------------------------------------------------------------------------------------------------------------------

    // Create a Fortuna PRNG and seed it with system entropy.
    // This will be our source of random data for generating the ECC private key.
    fortuna = CkPrngW_Create();
    entropy = CkPrngW_getEntropy(fortuna,32,L"base64");
    success = CkPrngW_AddEntropy(fortuna,entropy,L"base64");

    ec = CkEccW_Create();

    // Generate a random EC private key on the prime256v1 curve.
    privKey = CkPrivateKeyW_Create();
    success = CkEccW_GenKey(ec,L"prime256v1",fortuna,privKey);
    if (success != TRUE) {
        wprintf(L"%s\n",CkEccW_lastErrorText(ec));
        CkPrngW_Dispose(fortuna);
        CkEccW_Dispose(ec);
        CkPrivateKeyW_Dispose(privKey);
        return;
    }

    // Create the CSR object and set properties.
    csr = CkCsrW_Create();

    // Specify your CN
    CkCsrW_putCommonName(csr,L"mysubdomain.mydomain.com");

    // Create the CSR using the private key.
    bdCsr = CkBinDataW_Create();
    success = CkCsrW_GenCsrBd(csr,privKey,bdCsr);
    if (success == FALSE) {
        wprintf(L"%s\n",CkCsrW_lastErrorText(csr));
        CkPrngW_Dispose(fortuna);
        CkEccW_Dispose(ec);
        CkPrivateKeyW_Dispose(privKey);
        CkCsrW_Dispose(csr);
        CkBinDataW_Dispose(bdCsr);
        return;
    }

    // Save the private key and CSR to files.
    CkPrivateKeyW_SavePkcs8EncryptedPemFile(privKey,L"password",L"c:/temp/qa_output/ec_privkey.pem");

    CkBinDataW_WriteFile(bdCsr,L"c:/temp/qa_output/csr.pem");

    // ----------------------------------------------------------------------
    // Now do the CURL request to POST the CSR and get the new certificate.

    http = CkHttpW_Create();

    tlsClientCert = CkCertW_Create();
    success = CkCertW_LoadFromFile(tlsClientCert,L"data/myTlsClientCert.pem");
    if (success == FALSE) {
        wprintf(L"%s\n",CkCertW_lastErrorText(tlsClientCert));
        CkPrngW_Dispose(fortuna);
        CkEccW_Dispose(ec);
        CkPrivateKeyW_Dispose(privKey);
        CkCsrW_Dispose(csr);
        CkBinDataW_Dispose(bdCsr);
        CkHttpW_Dispose(http);
        CkCertW_Dispose(tlsClientCert);
        return;
    }

    bdTlsClientCertPrivKey = CkBinDataW_Create();
    success = CkBinDataW_LoadFile(bdTlsClientCertPrivKey,L"data/myTlsClientCert.key.pem");
    if (success == FALSE) {
        wprintf(L"Failed to load data/myTlsClientCert.key.pem\n");
        CkPrngW_Dispose(fortuna);
        CkEccW_Dispose(ec);
        CkPrivateKeyW_Dispose(privKey);
        CkCsrW_Dispose(csr);
        CkBinDataW_Dispose(bdCsr);
        CkHttpW_Dispose(http);
        CkCertW_Dispose(tlsClientCert);
        CkBinDataW_Dispose(bdTlsClientCertPrivKey);
        return;
    }

    tlsClientCertPrivKey = CkPrivateKeyW_Create();
    success = CkPrivateKeyW_LoadAnyFormat(tlsClientCertPrivKey,bdTlsClientCertPrivKey,L"");
    if (success == FALSE) {
        wprintf(L"%s\n",CkPrivateKeyW_lastErrorText(tlsClientCertPrivKey));
        CkPrngW_Dispose(fortuna);
        CkEccW_Dispose(ec);
        CkPrivateKeyW_Dispose(privKey);
        CkCsrW_Dispose(csr);
        CkBinDataW_Dispose(bdCsr);
        CkHttpW_Dispose(http);
        CkCertW_Dispose(tlsClientCert);
        CkBinDataW_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKeyW_Dispose(tlsClientCertPrivKey);
        return;
    }

    success = CkCertW_SetPrivateKey(tlsClientCert,tlsClientCertPrivKey);
    if (success == FALSE) {
        wprintf(L"%s\n",CkCertW_lastErrorText(tlsClientCert));
        CkPrngW_Dispose(fortuna);
        CkEccW_Dispose(ec);
        CkPrivateKeyW_Dispose(privKey);
        CkCsrW_Dispose(csr);
        CkBinDataW_Dispose(bdCsr);
        CkHttpW_Dispose(http);
        CkCertW_Dispose(tlsClientCert);
        CkBinDataW_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKeyW_Dispose(tlsClientCertPrivKey);
        return;
    }

    CkHttpW_SetSslClientCert(http,tlsClientCert);

    CkHttpW_putRequireSslCertVerify(http,TRUE);

    // The body of the HTTP request contains the binary CSR.
    resp = CkHttpResponseW_Create();
    url = L"https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll";
    success = CkHttpW_HttpBd(http,L"POST",url,bdCsr,L"application/pkcs10",resp);
    if (success == FALSE) {
        wprintf(L"%s\n",CkHttpW_lastErrorText(http));
        CkPrngW_Dispose(fortuna);
        CkEccW_Dispose(ec);
        CkPrivateKeyW_Dispose(privKey);
        CkCsrW_Dispose(csr);
        CkBinDataW_Dispose(bdCsr);
        CkHttpW_Dispose(http);
        CkCertW_Dispose(tlsClientCert);
        CkBinDataW_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKeyW_Dispose(tlsClientCertPrivKey);
        CkHttpResponseW_Dispose(resp);
        return;
    }

    if (CkHttpResponseW_getStatusCode(resp) != 200) {
        wprintf(L"response status code = %d\n",CkHttpResponseW_getStatusCode(resp));
        wprintf(L"%s\n",CkHttpResponseW_bodyStr(resp));
        wprintf(L"Failed\n");
        CkPrngW_Dispose(fortuna);
        CkEccW_Dispose(ec);
        CkPrivateKeyW_Dispose(privKey);
        CkCsrW_Dispose(csr);
        CkBinDataW_Dispose(bdCsr);
        CkHttpW_Dispose(http);
        CkCertW_Dispose(tlsClientCert);
        CkBinDataW_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKeyW_Dispose(tlsClientCertPrivKey);
        CkHttpResponseW_Dispose(resp);
        return;
    }

    // The response is the Base64 DER of the new certificate.
    myNewCert = CkCertW_Create();
    success = CkCertW_LoadFromBase64(myNewCert,CkHttpResponseW_bodyStr(resp));
    if (success == FALSE) {
        wprintf(L"%s\n",CkCertW_lastErrorText(myNewCert));
        wprintf(L"Cert data = %s\n",CkHttpResponseW_bodyStr(resp));
        wprintf(L"Failed.\n");
        CkPrngW_Dispose(fortuna);
        CkEccW_Dispose(ec);
        CkPrivateKeyW_Dispose(privKey);
        CkCsrW_Dispose(csr);
        CkBinDataW_Dispose(bdCsr);
        CkHttpW_Dispose(http);
        CkCertW_Dispose(tlsClientCert);
        CkBinDataW_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKeyW_Dispose(tlsClientCertPrivKey);
        CkHttpResponseW_Dispose(resp);
        CkCertW_Dispose(myNewCert);
        return;
    }

    success = CkCertW_SaveToFile(myNewCert,L"c:/temp/qa_output/myNewCert.cer");
    if (success == FALSE) {
        wprintf(L"%s\n",CkCertW_lastErrorText(myNewCert));
        wprintf(L"Failed.\n");
        CkPrngW_Dispose(fortuna);
        CkEccW_Dispose(ec);
        CkPrivateKeyW_Dispose(privKey);
        CkCsrW_Dispose(csr);
        CkBinDataW_Dispose(bdCsr);
        CkHttpW_Dispose(http);
        CkCertW_Dispose(tlsClientCert);
        CkBinDataW_Dispose(bdTlsClientCertPrivKey);
        CkPrivateKeyW_Dispose(tlsClientCertPrivKey);
        CkHttpResponseW_Dispose(resp);
        CkCertW_Dispose(myNewCert);
        return;
    }

    wprintf(L"Success.\n");


    CkPrngW_Dispose(fortuna);
    CkEccW_Dispose(ec);
    CkPrivateKeyW_Dispose(privKey);
    CkCsrW_Dispose(csr);
    CkBinDataW_Dispose(bdCsr);
    CkHttpW_Dispose(http);
    CkCertW_Dispose(tlsClientCert);
    CkBinDataW_Dispose(bdTlsClientCertPrivKey);
    CkPrivateKeyW_Dispose(tlsClientCertPrivKey);
    CkHttpResponseW_Dispose(resp);
    CkCertW_Dispose(myNewCert);

    }