(Delphi DLL) Renew a DigiCert Certificate from an EST-enabled profile. Demonstrates how to renew a certificate from an EST-enabled profile in DigiCert® Trust Lifecycle Manager. (The certificate must be within the renewal window configured in the certificate profile. The CSR must have the same Subject DN values as the original certificate.) Note: This example requires Chilkat v11.0.0 or greater.
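uses
  Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes,
  Vcl.Graphics, Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls,
  Csr, HttpResponse, BinData, PrivateKey, Cert, Prng, Http, Ecc;

...

// Renews (re-enrolls) a certificate through the EST "simplereenroll" endpoint of a
// DigiCert Trust Lifecycle Manager profile.
//
// Steps:
//   1. Generate a fresh prime256v1 EC private key from a Fortuna PRNG seeded with
//      system entropy.
//   2. Build a CSR for that key and save both key and CSR under c:/temp/qa_output/.
//   3. POST the CSR over mutual TLS, authenticating with the existing client
//      certificate, then load and save the certificate returned in the response.
//
// All Chilkat objects are created up front and released in one try/finally, so the
// early Exit taken on any failure no longer leaks the handles created before it.
// Progress and errors are written to Memo1; the handler has no return value.
procedure TForm1.Button1Click(Sender: TObject);
var
  fortuna: HCkPrng;
  entropy: PWideChar;
  success: Boolean;
  ec: HCkEcc;
  privKey: HCkPrivateKey;
  csr: HCkCsr;
  bdCsr: HCkBinData;
  http: HCkHttp;
  tlsClientCert: HCkCert;
  bdTlsClientCertPrivKey: HCkBinData;
  tlsClientCertPrivKey: HCkPrivateKey;
  resp: HCkHttpResponse;
  url: PWideChar;
  myNewCert: HCkCert;
begin
  // This example requires the Chilkat API to have been previously unlocked.
  // See Global Unlock Sample for sample code.

  // The example below duplicates the following OpenSSL commands:
  //
  // # Name of certificate as argument 1
  //
  // # Make new key
  // openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem
  //
  // # Make csr
  // openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}"
  //
  // # Request new cert
  // curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem
  //   --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll
  //
  // # Convert to PEM
  // openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem
  // ------------------------------------------------------------------------------------------------------------------

  // Create every Chilkat object first so a single finally block can release them all,
  // whichever Exit path is taken below.
  fortuna := CkPrng_Create();
  ec := CkEcc_Create();
  privKey := CkPrivateKey_Create();
  csr := CkCsr_Create();
  bdCsr := CkBinData_Create();
  http := CkHttp_Create();
  tlsClientCert := CkCert_Create();
  bdTlsClientCertPrivKey := CkBinData_Create();
  tlsClientCertPrivKey := CkPrivateKey_Create();
  resp := CkHttpResponse_Create();
  myNewCert := CkCert_Create();
  try
    // Seed the Fortuna PRNG with 32 bytes of system entropy.
    // This is the source of random data for generating the ECC private key.
    entropy := CkPrng__getEntropy(fortuna, 32, 'base64');
    success := CkPrng_AddEntropy(fortuna, entropy, 'base64');
    if (success = False) then
    begin
      // Never generate a key from an unseeded PRNG.
      Memo1.Lines.Add('Failed to add entropy to the PRNG');
      Exit;
    end;

    // Generate a random EC private key on the prime256v1 curve.
    success := CkEcc_GenKey(ec, 'prime256v1', fortuna, privKey);
    if (success <> True) then
    begin
      Memo1.Lines.Add(CkEcc__lastErrorText(ec));
      Exit;
    end;

    // Build the CSR. The Subject DN must match the certificate being renewed;
    // only the CN is set here, so adjust this if the original certificate carries
    // further DN attributes.
    CkCsr_putCommonName(csr, 'mysubdomain.mydomain.com');

    // Produce the DER-encoded CSR using the new private key.
    success := CkCsr_GenCsrBd(csr, privKey, bdCsr);
    if (success = False) then
    begin
      Memo1.Lines.Add(CkCsr__lastErrorText(csr));
      Exit;
    end;

    // Save the private key and CSR to files.
    // NOTE(review): 'password' is a demo placeholder for the PKCS#8 passphrase; a real
    // deployment should take the passphrase from secure configuration, not source.
    success := CkPrivateKey_SavePkcs8EncryptedPemFile(privKey, 'password', 'c:/temp/qa_output/ec_privkey.pem');
    if (success = False) then
    begin
      Memo1.Lines.Add(CkPrivateKey__lastErrorText(privKey));
      Exit;
    end;
    success := CkBinData_WriteFile(bdCsr, 'c:/temp/qa_output/csr.pem');
    if (success = False) then
    begin
      Memo1.Lines.Add('Failed to write c:/temp/qa_output/csr.pem');
      Exit;
    end;

    // ----------------------------------------------------------------------
    // Now do the CURL request to POST the CSR and get the new certificate.
    // The existing certificate (the one being renewed) authenticates the TLS client.
    success := CkCert_LoadFromFile(tlsClientCert, 'data/myTlsClientCert.pem');
    if (success = False) then
    begin
      Memo1.Lines.Add(CkCert__lastErrorText(tlsClientCert));
      Exit;
    end;

    success := CkBinData_LoadFile(bdTlsClientCertPrivKey, 'data/myTlsClientCert.key.pem');
    if (success = False) then
    begin
      Memo1.Lines.Add('Failed to load data/myTlsClientCert.key.pem');
      Exit;
    end;

    // The empty string is the key-file password, i.e. the demo key file is stored
    // unencrypted on disk; protect it with file permissions or encrypt it and pass
    // the passphrase here.
    success := CkPrivateKey_LoadAnyFormat(tlsClientCertPrivKey, bdTlsClientCertPrivKey, '');
    if (success = False) then
    begin
      Memo1.Lines.Add(CkPrivateKey__lastErrorText(tlsClientCertPrivKey));
      Exit;
    end;

    success := CkCert_SetPrivateKey(tlsClientCert, tlsClientCertPrivKey);
    if (success = False) then
    begin
      Memo1.Lines.Add(CkCert__lastErrorText(tlsClientCert));
      Exit;
    end;

    CkHttp_SetSslClientCert(http, tlsClientCert);
    // Reject the connection unless the server certificate verifies. The curl
    // equivalent above pins data/ca.pem; here verification uses whatever trust
    // anchors Chilkat consults by default -- confirm the EST server's CA is among them.
    CkHttp_putRequireSslCertVerify(http, True);

    // The body of the HTTP request contains the binary CSR.
    url := 'https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll';
    success := CkHttp_HttpBd(http, 'POST', url, bdCsr, 'application/pkcs10', resp);
    if (success = False) then
    begin
      Memo1.Lines.Add(CkHttp__lastErrorText(http));
      Exit;
    end;

    if (CkHttpResponse_getStatusCode(resp) <> 200) then
    begin
      Memo1.Lines.Add('response status code = ' + IntToStr(CkHttpResponse_getStatusCode(resp)));
      Memo1.Lines.Add(CkHttpResponse__bodyStr(resp));
      Memo1.Lines.Add('Failed');
      Exit;
    end;

    // The response is the Base64 DER of the new certificate.
    // NOTE(review): the curl pipeline above treats the body as a Base64 PKCS#7
    // bundle; LoadFromBase64 is assumed to accept that form -- verify against the
    // actual response if loading fails.
    success := CkCert_LoadFromBase64(myNewCert, CkHttpResponse__bodyStr(resp));
    if (success = False) then
    begin
      Memo1.Lines.Add(CkCert__lastErrorText(myNewCert));
      Memo1.Lines.Add('Cert data = ' + CkHttpResponse__bodyStr(resp));
      Memo1.Lines.Add('Failed.');
      Exit;
    end;

    success := CkCert_SaveToFile(myNewCert, 'c:/temp/qa_output/myNewCert.cer');
    if (success = False) then
    begin
      Memo1.Lines.Add(CkCert__lastErrorText(myNewCert));
      Memo1.Lines.Add('Failed.');
      Exit;
    end;

    Memo1.Lines.Add('Success.');
  finally
    // Runs on every path, including each Exit above.
    CkPrng_Dispose(fortuna);
    CkEcc_Dispose(ec);
    CkPrivateKey_Dispose(privKey);
    CkCsr_Dispose(csr);
    CkBinData_Dispose(bdCsr);
    CkHttp_Dispose(http);
    CkCert_Dispose(tlsClientCert);
    CkBinData_Dispose(bdTlsClientCertPrivKey);
    CkPrivateKey_Dispose(tlsClientCertPrivKey);
    CkHttpResponse_Dispose(resp);
    CkCert_Dispose(myNewCert);
  end;
end;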