Arm Mbed and Pelion device management support forum

Key and Certificate Generation mbedTLS

I am working on a project but I am stuck on the key generation and certificate generation.
I am using an ESP32 board. I need to generate a private and public key, and then use my private key and the key coming from another device to generate a certificate for that device.
Which example should I follow to do it?
I was looking at the gen_key.c and rsa_genkey.c examples, but I can't understand how I can sign another device.
Could someone provide an example or some suggestions?
Thanks in advance for the help.

Hi @rivinoo
If I understand your use case, you would like to generate and sign a certificate for another device.
First, you will need to generate your own self-signed certificate with your private key pair. If you already have your self-signed certificate, you can skip this step.
Then, you will need to generate and sign a certificate using your private key, adding the other device's public key. You should look at cert_write, where the issuer key is your private key and the subject key is the other device's key. Note that the latter certificate is not a self-signed certificate.
Mbed TLS Support

I'm a bit confused, I don't understand which one is the private key and which one is the public key.
I used the gen_key.c example to generate the key.
I have these variables that contain my keys:
mbedtls_pk_context key;
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
I also generated the self-signed certificate following the instructions, but I used only the "key" variable.
Now I have to generate the certificate for the 2nd device "using my private key", the other device's public key, and the self-signed certificate I already generated. But which one is the private key? And what is the other device's public key supposed to be?

Hi Christian,
When you generate a key, you actually generate a key pair.
The key consists of a private component and a public component. The private key contains all the components, while the public key contains only the public components (N and E).
As for DP, DQ and QP, it depends on whether you are using CRT in your system or not.
However, for your needs, you probably don't need to know the components.
Generating a key for the second device should not be done with your private key. Your private key should be used only for signing the certificate. The other device (or its owner) should generate another key that will be affiliated with the other device alone. Its public key should be sent to the entity signing its certificate (you / your device), and this public key is embedded within its certificate. You can look at key_app_writer to learn how to write the public key from the private key.

Note that the context mbedtls_pk_context is for both private and public keys. It's only a matter of what components it holds.
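The two answers above describe one procedure: the signer generates a key pair and a self-signed certificate, the other device generates its own key pair and sends only its public key, and the signer issues a certificate whose subject key is the device's public key but whose signature comes from the signer's private key (cert_write's issuer_key vs. subject_key). The following is an added example that walks through exactly that flow end to end; it is not code from the thread or from Mbed TLS. It uses the Python `cryptography` library rather than the Mbed TLS C API (assumed to be installed), and the names esp32-ca and esp32-node-1 are made-up sample identities.

```python
"""Key pair -> self-signed CA cert -> device key pair -> CA-signed device cert.

Added example (not from the forum thread or Mbed TLS). Assumes the Python
`cryptography` package. Sample identities esp32-ca / esp32-node-1 are made up.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def generate_keypair(bits: int = 2048) -> rsa.RSAPrivateKey:
    """One call yields the whole key pair (N, E, D, P, Q, ...), like gen_key.
    The returned object is the private key; .public_key() is the (N, E) half."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def public_key_pem(key: rsa.RSAPrivateKey) -> bytes:
    """What the device sends to the signer: only the public half, PEM-encoded
    (the equivalent of key_app_writer writing out the public key)."""
    return key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def _validity(days: int):
    now = datetime.now(timezone.utc)
    return now - timedelta(minutes=5), now + timedelta(days=days)


def make_self_signed_ca(ca_key: rsa.RSAPrivateKey, cn: str, days: int = 3650) -> x509.Certificate:
    """Step 1 of the answer: the signer's own self-signed certificate
    (cert_write with selfsign=1: subject key and issuer key are the same key)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    not_before, not_after = _validity(days)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)                      # self-signed: issuer == subject
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
    )
    return builder.sign(ca_key, hashes.SHA256())    # signed with the CA's private key


def issue_device_cert(ca_key: rsa.RSAPrivateKey, ca_cert: x509.Certificate,
                      device_pub_pem: bytes, device_cn: str, days: int = 365) -> x509.Certificate:
    """Step 2: issuer key = CA private key, subject key = device public key.
    Only the device's public key is needed; its private key never leaves the device."""
    device_pub = serialization.load_pem_public_key(device_pub_pem)
    not_before, not_after = _validity(days)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_cn)]))
        .issuer_name(ca_cert.subject)           # not self-signed: issuer is the CA
        .public_key(device_pub)                 # the other device's key is embedded here
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    )
    return builder.sign(ca_key, hashes.SHA256())    # ...but signed with the CA's key


def signed_by(cert: x509.Certificate, ca_cert: x509.Certificate) -> bool:
    """True if `cert` names `ca_cert` as issuer and its signature verifies under
    the CA's public key (RSA PKCS#1 v1.5, the padding used by .sign above)."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False
    return True


def same_public_key(cert: x509.Certificate, key: rsa.RSAPrivateKey) -> bool:
    """True if the certificate carries the public half of `key`."""
    return cert.public_key().public_numbers() == key.public_key().public_numbers()


if __name__ == "__main__":
    ca_key = generate_keypair()
    ca_cert = make_self_signed_ca(ca_key, "esp32-ca")
    device_key = generate_keypair()               # generated on the other device
    device_cert = issue_device_cert(ca_key, ca_cert, public_key_pem(device_key), "esp32-node-1")
    print("device cert signed by CA:   ", signed_by(device_cert, ca_cert))
    print("device cert holds device key:", same_public_key(device_cert, device_key))
    print(device_cert.public_bytes(serialization.Encoding.PEM).decode())
```

The two checks at the end are the ones worth keeping in mind for the original question: the issued certificate must verify under the signer's public key, and the key inside it must be the device's, not the signer's. On the ESP32 the same two roles map onto Mbed TLS's mbedtls_x509write_crt_set_issuer_key (your private key) and mbedtls_x509write_crt_set_subject_key (the parsed public key received from the other device), which is what cert_write drives.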