Hi Mick,
>> I want to create 5 certificates from a single self-signed CA. I 've
been
>> able to create 3 certificates as of now. However, only the first
>> certificate of mine is working with the root certificate, the other 2
are
>> not working.
>Could you please explain what do you mean by "not working"?
The certificate sent in the message to the phone is not getting accepted by
the phone. The phone must respond to the certificate message if it has
received the certificate. In the case with the first working certificate the
phone responds to this message and hence is a proof that the first
certificate is correct. So the problem is with the 2nd and 3rd certificate.
The later 2 certificates are created from the same CA.crt and
>> CA.key as were used to create the first certificate.
>>
>> The differences that lie with all the 3 certificates are as below:
>>
>> 1. Common Name
>> 2. Subject and DNS name in the SubjectAltName
>> 3. Serial Number of the certificates. (with number 2 and 3 choosen for
the
>> later created 2 certificates)
>>
>>Frankly. I do not how to create multiple certifiacates from a single
>> self-signed CA. Please some one guide me in this.
>>
>> Also, my CA.crt and CA.key have already been flashed to the device, so
I do
>> not have any option of re-creating the CA.crt and CA.key.
>>
>> I saw some where on a post that separate CA.keys need to be developed
as
>> well for creating multiple certificates. Is this true?
>Not as far as I know - what you need is separate user keys. You generate
a
>new user key and you use this to sign a csr, e.g.:
>
>$ openssl genrsa -des3 -out user2_key.pem 2048
>$ openssl req -new -key user2_key.pem -out user2_req.pem
Infact, I did exactly the same with the same commands. I generated the new
user keys and the new csrs for the 2nd and 3rd certificate.
>Then you use your CA.crt and your CA.key to sign the user2_cert.csr with:
>$ openssl x509 -req -in user2_req.pem -days 365 -CA CA.crt -CAkey \
>CA.key -set_serial 01 -out user2_cert.pem
>That should create a new SSL certificate, signed by your CA, valid for
one
>year, for user2. Repeat for user3 to user5.
>
>Of course, there's more than one ways to skin a cat - the above is just
one of
>them. It depends how many certs you will be creating over time; setting
up
>a /etc/ssl/openssl.cnf file with your default settings will help automate
the
>process and minimise the option entries on the command line.
>--
>Regards,
>Mick
Did exactly the same. Would you like to have a look of the certificates to
find out what exactly is missing?
Regards,
Rajat
