Objective-C
Objective-C
Generate a CSR with keyUsage, extKeyUsage, and other Extensions
See more CSR Examples
Demonstrates how to generate a CSR containing a 1.2.840.113549.1.9.14 extensionRequest with the following extensions:- 1.3.6.1.4.1.311.20.2 enrollCerttypeExtension
- 2.5.29.15 keyUsage
- 2.5.29.37 extKeyUsage
- 2.5.29.14 subjectKeyIdentifier
Chilkat Objective-C Downloads
#import <CkoEcc.h>
#import <CkoPrng.h>
#import <CkoPrivateKey.h>
#import <CkoCsr.h>
#import <NSString.h>
#import <CkoBinData.h>
#import <CkoXml.h>
#import <CkoPublicKey.h>
BOOL success = NO;
// This requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
// This example will generate a secp256r1 ECDSA key for the CSR.
CkoEcc *ecc = [[CkoEcc alloc] init];
CkoPrng *prng = [[CkoPrng alloc] init];
CkoPrivateKey *privKey = [[CkoPrivateKey alloc] init];
success = [ecc GenKey: @"secp256r1" prng: prng privKey: privKey];
if (success == NO) {
NSLog(@"%@",@"Failed to generate a new ECDSA private key.");
return;
}
CkoCsr *csr = [[CkoCsr alloc] init];
// Add common CSR fields:
csr.CommonName = @"mysubdomain.mydomain.com";
csr.Country = @"GB";
csr.State = @"Yorks";
csr.Locality = @"York";
csr.Company = @"Internet Widgits Pty Ltd";
csr.EmailAddress = @"support@mydomain.com";
// Add the following 1.2.840.113549.1.9.14 extensionRequest
// Note: The easiest way to know the content and format of the XML to be added is to examine
// a pre-existing CSR with the same desired extensionRequest. You can use Chilkat to
// get the extensionRequest from an existing CSR.
//
// Here is a sample extension request:
// <?xml version="1.0" encoding="utf-8"?>
// <set>
// <sequence>
// <sequence>
// <oid>1.3.6.1.4.1.311.20.2</oid>
// <asnOctets>
// <universal tag="30" constructed="0">AEUAbgBkAEUAbgB0AGkAdAB5AEMAbABpAGUAbgB0AEEAdQB0AGgAQwBlAHIAdABpAGYAaQBjAGEAdABl
// AF8AQwBTAFIAUABhAHMAcwB0AGgAcgBvAHUAZwBoAC8AVgAx</universal>
// </asnOctets>
// </sequence>
// <sequence>
// <oid>2.5.29.15</oid>
// <bool>1</bool>
// <asnOctets>
// <bits n="3">A0</bits>
// </asnOctets>
// </sequence>
// <sequence>
// <oid>2.5.29.37</oid>
// <asnOctets>
// <sequence>
// <oid>1.3.6.1.5.5.7.3.3</oid>
// </sequence>
// </asnOctets>
// </sequence>
// <sequence>
// <oid>2.5.29.14</oid>
// <asnOctets>
// <octets>MCzBMQAViXBz8IDt8LsgmJxJ4Xg=</octets>
// </asnOctets>
// </sequence>
// </sequence>
// </set>
// Use this online tool to generate code from sample XML:
// Generate Code to Create XML
// A few notes:
// The string "AEUAbgBkAEUAbgB0AGkAdAB5AEMAbABpAGUAbgB0AEEAdQB0AGgAQwBlAHIAdABpAGYAaQBjAGEAdABlAF8AQwBTAFIAUABhAHMAcwB0AGgAcgBvAHUAZwBoAC8AVgAx"
// is the base64 encoding of the utf-16be byte representation of the string "EndEntityClientAuthCertificate_CSRPassthrough/V1"
NSString *s = @"EndEntityClientAuthCertificate_CSRPassthrough/V1";
CkoBinData *bdTemp = [[CkoBinData alloc] init];
[bdTemp AppendString: s charset: @"utf-16be"];
NSString *s_base64_utf16be = [bdTemp GetEncoded: @"base64"];
// The string should be "AEUA....."
NSLog(@"%@",s_base64_utf16be);
// Here's the code to generate the above extension request.
CkoXml *xml = [[CkoXml alloc] init];
xml.Tag = @"set";
[xml UpdateChildContent: @"sequence|sequence|oid" value: @"1.3.6.1.4.1.311.20.2"];
[xml UpdateAttrAt: @"sequence|sequence|asnOctets|universal" autoCreate: YES attrName: @"tag" attrValue: @"30"];
[xml UpdateAttrAt: @"sequence|sequence|asnOctets|universal" autoCreate: YES attrName: @"constructed" attrValue: @"0"];
[xml UpdateChildContent: @"sequence|sequence|asnOctets|universal" value: s_base64_utf16be];
[xml UpdateChildContent: @"sequence|sequence[1]|oid" value: @"2.5.29.15"];
[xml UpdateChildContent: @"sequence|sequence[1]|bool" value: @"1"];
[xml UpdateAttrAt: @"sequence|sequence[1]|asnOctets|bits" autoCreate: YES attrName: @"n" attrValue: @"3"];
// A0 is hex for decimal 160.
[xml UpdateChildContent: @"sequence|sequence[1]|asnOctets|bits" value: @"A0"];
[xml UpdateChildContent: @"sequence|sequence[2]|oid" value: @"2.5.29.37"];
[xml UpdateChildContent: @"sequence|sequence[2]|asnOctets|sequence|oid" value: @"1.3.6.1.5.5.7.3.3"];
// This is the subjectKeyIdentifier extension.
// The string "MCzBMQAViXBz8IDt8LsgmJxJ4Xg=" is base64 that decodes to 20 bytes, which is a SHA1 hash.
// This is simply a hash of the DER of the public key.
CkoPublicKey *pubKey = [[CkoPublicKey alloc] init];
[privKey ToPublicKey: pubKey];
CkoBinData *bdPubKeyDer = [[CkoBinData alloc] init];
[bdPubKeyDer AppendEncoded: [pubKey GetEncoded: YES encoding: @"base64"] encoding: @"base64"];
NSString *ski = [bdPubKeyDer GetHash: @"sha1" encoding: @"base64"];
[xml UpdateChildContent: @"sequence|sequence[3]|oid" value: @"2.5.29.14"];
[xml UpdateChildContent: @"sequence|sequence[3]|asnOctets|octets" value: ski];
// Add the extension request to the CSR
[csr SetExtensionRequest: xml];
// Generate the CSR with the extension request
NSString *csrPem = [csr GenCsrPem: privKey];
if (csr.LastMethodSuccess == NO) {
NSLog(@"%@",csr.LastErrorText);
return;
}
NSLog(@"%@",csrPem);