On Tuesday 22 May 2007 07:37, Rajat Dudeja wrote:
> Hi Folks !
>
> I want to create 5 certificates from a single self-signed CA. I've been
> able to create 3 certificates as of now. However, only the first
> certificate of mine is working with the root certificate, the other 2 are
> not working.
Could you please explain what you mean by "not working"?

> The later 2 certificates are created from the same CA.crt and
> CA.key as were used to create the first certificate.
>
> The differences that lie with all the 3 certificates are as below:
>
> 1. Common Name
> 2. Subject and DNS name in the SubjectAltName
> 3. Serial Number of the certificates. (with number 2 and 3 chosen for the
> later created 2 certificates)
>
> Frankly, I do not know how to create multiple certificates from a single
> self-signed CA. Please someone guide me in this.
>
> Also, my CA.crt and CA.key have already been flashed to the device, so I do
> not have any option of re-creating the CA.crt and CA.key.
>
> I saw somewhere on a post that separate CA.keys need to be developed as
> well for creating multiple certificates. Is this true?

Not as far as I know - what you need is separate user keys. You generate a
new user key and you use this to sign a csr, e.g.:

  $ openssl genrsa -des3 -out user2_key.pem 2048
  $ openssl req -new -key user2_key.pem -out user2_req.pem

Notes:

1. If you are keeping to the convention of naming the extensions *.crt and
   *.key then change the above, from user2_key.pem to user2.key, from
   user2_req.pem to user2.csr. You may also want to add the date to the name
   of the *.csr file, so that when you create a newer version you do not mix
   them up.

2. 2048 can be any appropriate number of bits (1024, 4096, etc.) depending
   on the required strength of the private key.

3. On a linux machine check the man pages for the relevant openssl commands
   and options like so: $ man openssl-x509, $ man openssl-genrsa, etc.

Then you use your CA.crt and your CA.key to sign the user2_cert.csr with:

  $ openssl x509 -req -in user2_req.pem -days 365 -CA CA.crt -CAkey \
    CA.key -set_serial 01 -out user2_cert.pem

That should create a new SSL certificate, signed by your CA, valid for one
year, for user2. Repeat for user3 to user5.
Of course, there's more than one way to skin a cat - the above is just one
of them. It depends how many certs you will be creating over time; setting up
a /etc/ssl/openssl.cnf file with your default settings will help automate the
process and minimise the option entries on the command line.

--
Regards,
Mick
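The procedure above, scripted end to end as an added example (this is not code from the thread): one existing CA signs a key and CSR per user, and a final check confirms every certificate chains to CA.crt and that no two share a serial number. It assumes the openssl CLI is installed; the throwaway CA, the -nodes/-subj flags (in place of the interactive prompts and -des3 passphrase in the e-mail) and the user2..user5 names are constructed for the example, and -CAcreateserial/-CAserial is used instead of a hand-picked -set_serial so the serial is tracked in a file.

```shell
#!/bin/sh
# Added example, not from the original e-mail. Assumes the openssl CLI is
# installed. make_test_ca only builds a throwaway CA so the script runs
# offline; with an existing CA.crt/CA.key (as in the thread) skip it.
set -eu

# Create a self-signed CA in directory $1 (constructed test fixture).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test Root CA" \
        -keyout "$1/CA.key" -out "$1/CA.crt" >/dev/null 2>&1
}

# Issue certificates for users $2..$3 in directory $1: one key and CSR each.
# -CAcreateserial/-CAserial keep a running serial in CA.srl, so no two
# certificates from this CA share a serial number.
issue_user_certs() {
    dir=$1; first=$2; last=$3
    i=$first
    while [ "$i" -le "$last" ]; do
        openssl genrsa -out "$dir/user$i.key" 2048 >/dev/null 2>&1
        openssl req -new -key "$dir/user$i.key" \
            -subj "/CN=user$i.example.test" \
            -out "$dir/user$i.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/user$i.csr" -days 365 \
            -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
            -CAcreateserial -CAserial "$dir/CA.srl" \
            -out "$dir/user$i.crt" >/dev/null 2>&1
        i=$((i + 1))
    done
}

# Return 0 only if every user cert verifies against CA.crt and all serials
# differ; this is the check to run before flashing certs to the device.
check_user_certs() {
    dir=$1; first=$2; last=$3
    serials=""
    i=$first
    while [ "$i" -le "$last" ]; do
        openssl verify -CAfile "$dir/CA.crt" "$dir/user$i.crt" \
            >/dev/null 2>&1 || return 1
        s=$(openssl x509 -in "$dir/user$i.crt" -noout -serial)
        case " $serials " in *" $s "*) return 1 ;; esac
        serials="$serials $s"
        i=$((i + 1))
    done
    return 0
}
```

Run as `d=$(mktemp -d); make_test_ca "$d"; issue_user_certs "$d" 2 5; check_user_certs "$d" 2 5 && echo OK`.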