Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

Generate a CSR with keyUsage, extKeyUsage, and other Extensions

See more CSR Examples

Demonstrates how to generate a CSR containing a 1.2.840.113549.1.9.14 extensionRequest with the following extensions:
  • 1.3.6.1.4.1.311.20.2 enrollCerttypeExtension
  • 2.5.29.15 keyUsage
  • 2.5.29.37 extKeyUsage
  • 2.5.29.14 subjectKeyIdentifier

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.Xml,
  Chilkat.Csr,
  Chilkat.BinData,
  Chilkat.PrivateKey,
  Chilkat.PublicKey,
  Chilkat.Prng,
  Chilkat.Ecc;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  success: Boolean;
  ecc: TEcc;
  prng: TPrng;
  privKey: TPrivateKey;
  csr: TCsr;
  s: string;
  bdTemp: TBinData;
  s_base64_utf16be: string;
  xml: TXml;
  pubKey: TPublicKey;
  bdPubKeyDer: TBinData;
  ski: string;
  csrPem: string;

begin
  success := False;

  //  This requires the Chilkat API to have been previously unlocked.
  //  See Global Unlock Sample for sample code.

  //  This example will generate a secp256r1 ECDSA key for the CSR.
  ecc := TEcc.Create;
  prng := TPrng.Create;
  privKey := TPrivateKey.Create;
  success := ecc.GenKey('secp256r1',prng,privKey);
  if (success = False) then
    begin
      WriteLn('Failed to generate a new ECDSA private key.');
      Exit;
    end;

  csr := TCsr.Create;

  //  Add common CSR fields:
  csr.CommonName := 'mysubdomain.mydomain.com';
  csr.Country := 'GB';
  csr.State := 'Yorks';
  csr.Locality := 'York';
  csr.Company := 'Internet Widgits Pty Ltd';
  csr.EmailAddress := 'support@mydomain.com';

  //  Add the following 1.2.840.113549.1.9.14 extensionRequest
  //  Note: The easiest way to know the content and format of the XML to be added is to examine
  //  a pre-existing CSR with the same desired extensionRequest.  You can use Chilkat to
  //  get the extensionRequest from an existing CSR. 

  //  Here is a sample extension request:

  //  <?xml version="1.0" encoding="utf-8"?>
  //  <set>
  //      <sequence>
  //          <sequence>
  //              <oid>1.3.6.1.4.1.311.20.2</oid>
  //              <asnOctets>
  //                  <universal tag="30" constructed="0">AEUAbgBkAEUAbgB0AGkAdAB5AEMAbABpAGUAbgB0AEEAdQB0AGgAQwBlAHIAdABpAGYAaQBjAGEAdABl
  //  AF8AQwBTAFIAUABhAHMAcwB0AGgAcgBvAHUAZwBoAC8AVgAx</universal>
  //              </asnOctets>
  //          </sequence>
  //          <sequence>
  //              <oid>2.5.29.15</oid>
  //              <bool>1</bool>
  //              <asnOctets>
  //                  <bits n="3">A0</bits>
  //              </asnOctets>
  //          </sequence>
  //          <sequence>
  //              <oid>2.5.29.37</oid>
  //              <asnOctets>
  //                  <sequence>
  //                      <oid>1.3.6.1.5.5.7.3.3</oid>
  //                  </sequence>
  //              </asnOctets>
  //          </sequence>
  //          <sequence>
  //              <oid>2.5.29.14</oid>
  //              <asnOctets>
  //                  <octets>MCzBMQAViXBz8IDt8LsgmJxJ4Xg=</octets>
  //              </asnOctets>
  //          </sequence>
  //      </sequence>
  //  </set>

  //  Use this online tool to generate code from sample XML: 
  //  Generate Code to Create XML

  //  A few notes:
  //  The string "AEUAbgBkAEUAbgB0AGkAdAB5AEMAbABpAGUAbgB0AEEAdQB0AGgAQwBlAHIAdABpAGYAaQBjAGEAdABlAF8AQwBTAFIAUABhAHMAcwB0AGgAcgBvAHUAZwBoAC8AVgAx"
  //  is the base64 encoding of the utf-16be byte representation of the string "EndEntityClientAuthCertificate_CSRPassthrough/V1"

  s := 'EndEntityClientAuthCertificate_CSRPassthrough/V1';
  bdTemp := TBinData.Create;
  bdTemp.AppendString(s,'utf-16be');
  s_base64_utf16be := bdTemp.GetEncoded('base64');
  //  The string should be "AEUA....."
  WriteLn(s_base64_utf16be);

  //  Here's the code to generate the above extension request.

  xml := TXml.Create;
  xml.Tag := 'set';
  xml.UpdateChildContent('sequence|sequence|oid','1.3.6.1.4.1.311.20.2');
  xml.UpdateAttrAt('sequence|sequence|asnOctets|universal',True,'tag','30');
  xml.UpdateAttrAt('sequence|sequence|asnOctets|universal',True,'constructed','0');
  xml.UpdateChildContent('sequence|sequence|asnOctets|universal',s_base64_utf16be);
  xml.UpdateChildContent('sequence|sequence[1]|oid','2.5.29.15');
  xml.UpdateChildContent('sequence|sequence[1]|bool','1');
  xml.UpdateAttrAt('sequence|sequence[1]|asnOctets|bits',True,'n','3');
  //  A0 is hex for decimal 160.
  xml.UpdateChildContent('sequence|sequence[1]|asnOctets|bits','A0');
  xml.UpdateChildContent('sequence|sequence[2]|oid','2.5.29.37');
  xml.UpdateChildContent('sequence|sequence[2]|asnOctets|sequence|oid','1.3.6.1.5.5.7.3.3');

  //  This is the subjectKeyIdentifier extension.
  //  The string "MCzBMQAViXBz8IDt8LsgmJxJ4Xg=" is base64 that decodes to 20 bytes, which is a SHA1 hash.
  //  This is simply a hash of the DER of the public key.

  pubKey := TPublicKey.Create;
  privKey.ToPublicKey(pubKey);
  bdPubKeyDer := TBinData.Create;
  bdPubKeyDer.AppendEncoded(pubKey.GetEncoded(True,'base64'),'base64');
  ski := bdPubKeyDer.GetHash('sha1','base64');

  xml.UpdateChildContent('sequence|sequence[3]|oid','2.5.29.14');
  xml.UpdateChildContent('sequence|sequence[3]|asnOctets|octets',ski);

  //  Add the extension request to the CSR
  csr.SetExtensionRequest(xml);

  //  Generate the CSR with the extension request
  csrPem := csr.GenCsrPem(privKey);
  if (csr.LastMethodSuccess = False) then
    begin
      WriteLn(csr.LastErrorText);
      Exit;
    end;

  WriteLn(csrPem);


  ecc.Free;
  prng.Free;
  privKey.Free;
  csr.Free;
  bdTemp.Free;
  xml.Free;
  pubKey.Free;
  bdPubKeyDer.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.