Re: Unable to create multiple certificates from a single self-signed CA.

2007-05-23 Thread Rajat Dudeja

Hi Mick,

 I want to create 5 certificates from a single self-signed CA. I've
 been able to create 3 certificates as of now. However, only the first
 certificate of mine is working with the root certificate, the other 2
 are not working.

 Could you please explain what you mean by not working?



The certificate sent in the message to the phone is not getting accepted by
the phone. The phone must respond to the certificate message if it has
received the certificate. In the case of the first, working certificate the
phone responds to this message, and hence it is proof that the first
certificate is correct. So the problem is with the 2nd and 3rd certificate.


 The later 2 certificates are created from the same CA.crt and
 CA.key as were used to create the first certificate.

 The differences that lie with all the 3 certificates are as below:

 1. Common Name
 2. Subject and DNS name in the SubjectAltName
 3. Serial Number of the certificates (with numbers 2 and 3 chosen for
 the later created 2 certificates)

 Frankly, I do not know how to create multiple certificates from a single
 self-signed CA. Please, someone guide me in this.

 Also, my CA.crt and CA.key have already been flashed to the device, so
 I do not have any option of re-creating the CA.crt and CA.key.

 I saw somewhere in a post that separate CA.keys need to be developed
 as well for creating multiple certificates. Is this true?

 Not as far as I know - what you need is separate user keys.  You generate
 a new user key and you use this to sign a CSR, e.g.:

 $ openssl genrsa -des3 -out user2_key.pem 2048
 $ openssl req -new -key user2_key.pem -out user2_req.pem



In fact, I did exactly the same with the same commands. I generated the new
user keys and the new CSRs for the 2nd and 3rd certificate.




 Then you use your CA.crt and your CA.key to sign the user2_cert.csr with:

 $ openssl x509 -req -in user2_req.pem -days 365 -CA CA.crt -CAkey \
 CA.key -set_serial 01 -out user2_cert.pem

 That should create a new SSL certificate, signed by your CA, valid for
 one year, for user2.  Repeat for user3 to user5.

 Of course, there's more than one way to skin a cat - the above is just
 one of them.  It depends how many certs you will be creating over time;
 setting up a /etc/ssl/openssl.cnf file with your default settings will
 help automate the process and minimise the option entries on the command
 line.
 --
 Regards,
 Mick




Did exactly the same. Would you like to have a look at the certificates to
find out what exactly is missing?

Regards,
Rajat


Re: Unable to create multiple certificates from a single self-signed CA.

2007-05-23 Thread Mick
On Wednesday 23 May 2007 08:05, Rajat Dudeja wrote:

  Could you please explain what you mean by not working?

 The certificate sent in the message to the phone is not getting accepted by
 the phone. The phone must respond to the certificate message if it has
 received the certificate. In the case of the first, working certificate
 the phone responds to this message, and hence it is proof that the first
 certificate is correct. So the problem is with the 2nd and 3rd certificate.

Just a thought: Have you imported and accepted the root CA.crt in the phone?  
Any further certs signed by the accepted CA *should* be readily accepted by 
the client.

 Did exactly the same. Would you like to have a look of the certificates to
 find out what exactly is missing?

If you parse each user.crt with e.g.:

$ openssl x509 -text -in user1.crt

you should be able to make the comparisons yourself.  The man page suggests
different parsing options to check the contents of certs; e.g. -purpose, etc.
-- 
Regards,
Mick




Unable to create multiple certificates from a single self-signed CA.

2007-05-22 Thread Rajat Dudeja

Hi Folks !

I want to create 5 certificates from a single self-signed CA. I've been
able to create 3 certificates as of now. However, only the first certificate
of mine is working with the root certificate, the other 2 are not working.
The later 2 certificates are created from the same CA.crt and CA.key as were
used to create the first certificate.

The differences that lie with all the 3 certificates are as below:

1. Common Name
2. Subject and DNS name in the SubjectAltName
3. Serial Number of the certificates (with numbers 2 and 3 chosen for the
later created 2 certificates)

Frankly, I do not know how to create multiple certificates from a single
self-signed CA. Please, someone guide me in this.

Also, my CA.crt and CA.key have already been flashed to the device, so I do
not have any option of re-creating the CA.crt and CA.key.

I saw somewhere in a post that separate CA.keys need to be developed as
well for creating multiple certificates. Is this true?
If yes, do I need to create a new CA.key for every new certificate to be
certified by this single CA, keeping in consideration that CA.crt and 1
CA.key have already been flashed to the device?

Please, someone help and elaborate on this for me.


Thanks and regards,
Rajat


Re: Unable to create multiple certificates from a single self-signed CA.

2007-05-22 Thread Mick
On Tuesday 22 May 2007 07:37, Rajat Dudeja wrote:
 Hi Folks !

 I want to create 5 certificates from a single self-signed CA. I've been
 able to create 3 certificates as of now. However, only the first
 certificate of mine is working with the root certificate, the other 2 are
 not working.

Could you please explain what you mean by not working?

 The later 2 certificates are created from the same CA.crt and 
 CA.key as were used to create the first certificate.

 The differences that lie with all the 3 certificates are as below:

 1. Common Name
 2. Subject and DNS name in the SubjectAltName
 3. Serial Number of the certificates (with numbers 2 and 3 chosen for the
 later created 2 certificates)

 Frankly, I do not know how to create multiple certificates from a single
 self-signed CA. Please, someone guide me in this.

 Also, my CA.crt and CA.key have already been flashed to the device, so I do
 not have any option of re-creating the CA.crt and CA.key.

 I saw somewhere in a post that separate CA.keys need to be developed as
 well for creating multiple certificates. Is this true?

Not as far as I know - what you need is separate user keys.  You generate a 
new user key and you use this to sign a csr, e.g.:

$ openssl genrsa -des3 -out user2_key.pem 2048
$ openssl req -new -key user2_key.pem -out user2_req.pem

Notes: 
1. If you are keeping to the convention of naming the extensions *.crt and 
*.key then change the above, from user2_key.pem to user2.key, from 
user2_req.pem to user2.csr.  You may also want to add the date to the name of 
the *.csr file, so that when you create a newer version you do not mix them 
up.
2. 2048 can be any appropriate number of bits (1024, 4096, etc.), depending on 
the required strength of the private key.
3. On a linux machine check the man pages for the relevant openssl commands 
and options like so: $ man openssl-x509, $ man openssl-genrsa, etc.

Then you use your CA.crt and your CA.key to sign the user2_cert.csr with:

$ openssl x509 -req -in user2_req.pem -days 365 -CA CA.crt -CAkey \
CA.key -set_serial 01 -out user2_cert.pem

That should create a new SSL certificate, signed by your CA, valid for one 
year, for user2.  Repeat for user3 to user5.

Of course, there's more than one way to skin a cat - the above is just one of
them.  It depends how many certs you will be creating over time; setting up
a /etc/ssl/openssl.cnf file with your default settings will help automate the
process and minimise the option entries on the command line.
-- 
Regards,
Mick


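The procedure described in this thread (one user key and CSR per certificate, all signed with the same CA.crt and CA.key) together with the comparison Mick suggests in his later reply (parsing each certificate with openssl x509 -text), as an added shell example that is not part of the thread and not the poster's own commands. It assumes a POSIX shell and an OpenSSL 1.1.1 or newer command line; the CA name, hostnames and file names are invented, and the phone is stood in for by openssl verify, which checks the same two things a client does: the chain to the trusted CA.crt and, with -verify_hostname, the DNS name against the SubjectAltName. Two details a practitioner will want beyond the commands quoted above: every certificate gets a distinct serial number (RFC 5280 requires serial numbers to be unique per issuer, and a client that has already seen one certificate with a given issuer and serial may reject or confuse a second one carrying the same pair), and the SubjectAltName is passed to openssl x509 -req through -extfile, because that command does not copy extensions from the CSR by default. A certificate signed by an unrelated key is included to show that the signing key, not the subject name, is what the chain check is about.

```shell
#!/bin/sh
# Added example, not code from the thread: issue several end-entity
# certificates from ONE self-signed CA key pair, each with its own user key,
# its own serial number and a SubjectAltName, then check every certificate
# against the CA the way a client would. The CA name, hostnames and file
# names (Demo Root CA, phoneN.example.com, ...) are invented for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Stand-in for the CA.crt/CA.key that are already flashed to the device.
# A private config file keeps the run independent of the system openssl.cnf.
make_ca() {
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config ca.cnf -keyout CA.key -out CA.crt 2>/dev/null
}

# issue_cert NAME DNSNAME: fresh user key and CSR, signed with the same CA.key
# every time. The CA key is never reused as a user key and never regenerated.
issue_cert() {
    name="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
        -subj "/CN=$host" -keyout "$name.key" -out "$name.csr" 2>/dev/null
    # Extensions the CA stamps onto the leaf. `openssl x509 -req` does not
    # copy extensions from the CSR by default, so the SAN has to come from here
    # or it is silently missing from the issued certificate.
    cat > "$name.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = DNS:$host
authorityKeyIdentifier = keyid,issuer
EOF
    # -CAserial keeps a counter file and -CAcreateserial initialises it on first
    # use, so each certificate gets a distinct serial. A fixed -set_serial would
    # give every leaf the same issuer+serial pair, which X.509 forbids.
    openssl x509 -req -in "$name.csr" -days 365 -sha256 \
        -CA CA.crt -CAkey CA.key -CAserial CA.srl -CAcreateserial \
        -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# Failure mode: a leaf signed by some other key does not chain to CA.crt, even
# though its subject and the signer's name look identical.
issue_with_other_key() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config ca.cnf -keyout other.key -out other.crt 2>/dev/null
    openssl x509 -req -in phone1.csr -days 365 -sha256 -CA other.crt \
        -CAkey other.key -set_serial 1 -extfile phone1.ext -out rogue.crt 2>/dev/null
}

# What the client does: build the chain to the trusted CA.crt and, in the
# hostname variant, match the expected name against the SAN.
verify_cert() { openssl verify -CAfile CA.crt "$1" >/dev/null 2>&1; }
verify_host() { openssl verify -CAfile CA.crt -verify_hostname "$2" "$1" >/dev/null 2>&1; }

# Fields worth comparing between a working and a failing certificate.
serial_of() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }
issuer_of() { openssl x509 -noout -issuer -in "$1"; }
san_of()    { openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | head -n 1; }
distinct_serials() { for c in "$@"; do serial_of "$c"; done | sort -u | wc -l | tr -d ' '; }

make_ca
for i in 1 2 3; do issue_cert "phone$i" "phone$i.example.com"; done
issue_with_other_key

for c in phone1.crt phone2.crt phone3.crt rogue.crt; do
    if verify_cert "$c"; then chain=ok; else chain=FAIL; fi
    printf '%-10s serial=%s %s chain=%s\n' "$c" "$(serial_of "$c")" "$(san_of "$c")" "$chain"
done
```

Run as is, it prints one line per certificate: the three phone certificates chain to CA.crt with three different serials, and rogue.crt fails. To apply it to the device in the thread, drop make_ca, point -CA and -CAkey at the CA.crt and CA.key that were flashed, and keep the CA.srl counter file next to them between runs so that later certificates do not reuse a serial.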