Pascal (Lazarus/Delphi)
Pascal (Lazarus/Delphi)
Renew a DigiCert Certificate from an EST-enabled profile
See more Certificates Examples
Demonstrates how to renew a certificate from an EST-enabled profile in DigiCert® Trust Lifecycle Manager. (The certificate must be within the renewal window configured in the certificate profile. The CSR must have same Subject DN values as the original certificate.)Chilkat Pascal (Lazarus/Delphi) Downloads
program ChilkatDemo;
// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.
{$IFDEF FPC}
{$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}
uses
{$IFDEF UNIX}
cthreads,
{$ENDIF}
SysUtils,
CkDllLoader,
Chilkat.Csr,
Chilkat.HttpResponse,
Chilkat.BinData,
Chilkat.PrivateKey,
Chilkat.Cert,
Chilkat.Prng,
Chilkat.Http,
Chilkat.Ecc;
// ---------------------------------------------------------------------------
procedure RunDemo;
var
success: Boolean;
fortuna: TPrng;
entropy: string;
ec: TEcc;
privKey: TPrivateKey;
csr: TCsr;
bdCsr: TBinData;
http: THttp;
tlsClientCert: TCert;
bdTlsClientCertPrivKey: TBinData;
tlsClientCertPrivKey: TPrivateKey;
resp: THttpResponse;
url: string;
myNewCert: TCert;
begin
success := False;
// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
// The example below duplicates the following OpenSSL commands:
//
// # Name of certificate as argument 1
//
// # Make new key
// openssl ecparam -name prime256v1 -genkey -noout -out ${1}.key.pem
//
// # Make csr
// openssl req -new -sha256 -key ${1}.key.pem -out ${1}.p10.csr -subj "/CN=${1}"
//
// # Request new cert
// curl -v --cacert data/ca.pem --cert data/${1}.pem --key data/${1}.key.pem
// --data-binary @${1}.p10.csr -o ${1}.p7.b64 -H "Content-Type: application/pkcs10" https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll
//
// # Convert to PEM
// openssl base64 -d -in ${1}.p7.b64 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${1}.pem
// ------------------------------------------------------------------------------------------------------------------
// Create a Fortuna PRNG and seed it with system entropy.
// This will be our source of random data for generating the ECC private key.
fortuna := TPrng.Create;
entropy := fortuna.GetEntropy(32,'base64');
success := fortuna.AddEntropy(entropy,'base64');
ec := TEcc.Create;
// Generate a random EC private key on the prime256v1 curve.
privKey := TPrivateKey.Create;
success := ec.GenKey('prime256v1',fortuna,privKey);
if (success <> True) then
begin
WriteLn(ec.LastErrorText);
Exit;
end;
// Create the CSR object and set properties.
csr := TCsr.Create;
// Specify your CN
csr.CommonName := 'mysubdomain.mydomain.com';
// Create the CSR using the private key.
bdCsr := TBinData.Create;
success := csr.GenCsrBd(privKey,bdCsr);
if (success = False) then
begin
WriteLn(csr.LastErrorText);
Exit;
end;
// Save the private key and CSR to files.
privKey.SavePkcs8EncryptedPemFile('password','c:/temp/qa_output/ec_privkey.pem');
bdCsr.WriteFile('c:/temp/qa_output/csr.pem');
// ----------------------------------------------------------------------
// Now do the CURL request to POST the CSR and get the new certificate.
http := THttp.Create;
tlsClientCert := TCert.Create;
success := tlsClientCert.LoadFromFile('data/myTlsClientCert.pem');
if (success = False) then
begin
WriteLn(tlsClientCert.LastErrorText);
Exit;
end;
bdTlsClientCertPrivKey := TBinData.Create;
success := bdTlsClientCertPrivKey.LoadFile('data/myTlsClientCert.key.pem');
if (success = False) then
begin
WriteLn('Failed to load data/myTlsClientCert.key.pem');
Exit;
end;
tlsClientCertPrivKey := TPrivateKey.Create;
success := tlsClientCertPrivKey.LoadAnyFormat(bdTlsClientCertPrivKey,'');
if (success = False) then
begin
WriteLn(tlsClientCertPrivKey.LastErrorText);
Exit;
end;
success := tlsClientCert.SetPrivateKey(tlsClientCertPrivKey);
if (success = False) then
begin
WriteLn(tlsClientCert.LastErrorText);
Exit;
end;
http.SetSslClientCert(tlsClientCert);
http.RequireSslCertVerify := True;
// The body of the HTTP request contains the binary CSR.
resp := THttpResponse.Create;
url := 'https://clientauth.demo.one.digicert.com/.well-known/est/IOT/simplereenroll';
success := http.HttpBd('POST',url,bdCsr,'application/pkcs10',resp);
if (success = False) then
begin
WriteLn(http.LastErrorText);
Exit;
end;
if (resp.StatusCode <> 200) then
begin
WriteLn('response status code = ' + resp.StatusCode);
WriteLn(resp.BodyStr);
WriteLn('Failed');
Exit;
end;
// The response is the Base64 DER of the new certificate.
myNewCert := TCert.Create;
success := myNewCert.LoadFromBase64(resp.BodyStr);
if (success = False) then
begin
WriteLn(myNewCert.LastErrorText);
WriteLn('Cert data = ' + resp.BodyStr);
WriteLn('Failed.');
Exit;
end;
success := myNewCert.SaveToFile('c:/temp/qa_output/myNewCert.cer');
if (success = False) then
begin
WriteLn(myNewCert.LastErrorText);
WriteLn('Failed.');
Exit;
end;
WriteLn('Success.');
fortuna.Free;
ec.Free;
privKey.Free;
csr.Free;
bdCsr.Free;
http.Free;
tlsClientCert.Free;
bdTlsClientCertPrivKey.Free;
tlsClientCertPrivKey.Free;
resp.Free;
myNewCert.Free;
end;
// ---------------------------------------------------------------------------
begin
try
RunDemo;
except
on E: Exception do
WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
end;
WriteLn;
{$IFDEF MSWINDOWS}
WriteLn('Press Enter to exit...');
ReadLn;
{$ENDIF}
end.