(Unicode C++) Renew a DigiCert Certificate from an EST-enabled profile

Demonstrates how to renew a certificate from an EST-enabled profile in DigiCert​​®​​ Trust Lifecycle Manager. (The certificate must be within the renewal window configured in the certificate profile. The CSR must have same Subject DN values as the original certificate.)

Chilkat C/C++ Library Downloads
MS Visual C/C++ Linux/CentOS C/C++ Alpine Linux C/C++ MAC OS X C/C++	armhf/aarch64 C/C++ C++ Builder iOS C/C++ Android C/C++	Solaris C/C++ MinGW C/C++

#include <CkPrngW.h>
#include <CkEccW.h>
#include <CkPrivateKeyW.h>
#include <CkCsrW.h>
#include <CkBinDataW.h>
#include <CkHttpW.h>
#include <CkCertW.h>
#include <CkHttpResponseW.h>

void ChilkatSample(void)
    {
    // This example requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    // The example below duplicates the following OpenSSL commands:
    // 
    // # Name of certificate as argument 1
    // 
    // # Make new key
    // openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem
    // 
    // # Make csr
    // openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}"
    // 
    // # Request new cert
    // curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem 
    //     --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll
    // 
    // # Convert to PEM
    // openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem

    // ------------------------------------------------------------------------------------------------------------------

    // Create a Fortuna PRNG and seed it with system entropy.
    // This will be our source of random data for generating the ECC private key.
    CkPrngW fortuna;
    const wchar_t *entropy = fortuna.getEntropy(32,L"base64");
    bool success = fortuna.AddEntropy(entropy,L"base64");

    CkEccW ec;

    // Generate a random EC private key on the prime256v1 curve.
    CkPrivateKeyW *privKey = ec.GenEccKey(L"prime256v1",fortuna);
    if (ec.get_LastMethodSuccess() != true) {
        wprintf(L"%s\n",ec.lastErrorText());
        return;
    }

    // Create the CSR object and set properties.
    CkCsrW csr;

    // Specify your CN
    csr.put_CommonName(L"mysubdomain.mydomain.com");

    // Create the CSR using the private key.
    CkBinDataW bdCsr;
    success = csr.GenCsrBd(*privKey,bdCsr);
    if (success == false) {
        wprintf(L"%s\n",csr.lastErrorText());
        delete privKey;
        return;
    }

    // Save the private key and CSR to files.
    privKey->SavePkcs8EncryptedPemFile(L"password",L"c:/temp/qa_output/ec_privkey.pem");
    delete privKey;
    bdCsr.WriteFile(L"c:/temp/qa_output/csr.pem");

    // ----------------------------------------------------------------------
    // Now do the CURL request to POST the CSR and get the new certificate.

    CkHttpW http;

    CkCertW tlsClientCert;
    success = tlsClientCert.LoadFromFile(L"data/myTlsClientCert.pem");
    if (success == false) {
        wprintf(L"%s\n",tlsClientCert.lastErrorText());
        return;
    }

    CkBinDataW bdTlsClientCertPrivKey;
    success = bdTlsClientCertPrivKey.LoadFile(L"data/myTlsClientCert.key.pem");
    if (success == false) {
        wprintf(L"Failed to load data/myTlsClientCert.key.pem\n");
        return;
    }

    CkPrivateKeyW tlsClientCertPrivKey;
    success = tlsClientCertPrivKey.LoadAnyFormat(bdTlsClientCertPrivKey,L"");
    if (success == false) {
        wprintf(L"%s\n",tlsClientCertPrivKey.lastErrorText());
        return;
    }

    success = tlsClientCert.SetPrivateKey(tlsClientCertPrivKey);
    if (success == false) {
        wprintf(L"%s\n",tlsClientCert.lastErrorText());
        return;
    }

    http.SetSslClientCert(tlsClientCert);

    http.put_RequireSslCertVerify(true);

    // The body of the HTTP request contains the binary CSR.
    CkHttpResponseW *resp = http.PBinaryBd(L"POST",L"https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll",bdCsr,L"application/pkcs10",false,false);
    if (http.get_LastMethodSuccess() == false) {
        wprintf(L"%s\n",http.lastErrorText());
        return;
    }

    if (resp->get_StatusCode() != 200) {
        wprintf(L"response status code = %d\n",resp->get_StatusCode());
        wprintf(L"%s\n",resp->bodyStr());
        wprintf(L"Failed\n");
        delete resp;
        return;
    }

    // The response is the Base64 DER of the new certificate.
    CkCertW myNewCert;
    success = myNewCert.LoadFromBase64(resp->bodyStr());
    if (success == false) {
        wprintf(L"%s\n",myNewCert.lastErrorText());
        wprintf(L"Cert data = %s\n",resp->bodyStr());
        wprintf(L"Failed.\n");
        delete resp;
        return;
    }

    delete resp;
    success = myNewCert.SaveToFile(L"c:/temp/qa_output/myNewCert.cer");
    if (success == false) {
        wprintf(L"%s\n",myNewCert.lastErrorText());
        wprintf(L"Failed.\n");
        return;
    }

    wprintf(L"Success.\n");
    }