Arm Mbed and Pelion Device Management support forum

Self Certificate and generation of another Certificate of the chain

Hello,
I’m here to ask some things about certificates. I have generated a self-signed certificate using the private key and the public key of my ESP32 board.
Then another device comes and gives the ESP32 its public key, so that the ESP32 can generate another certificate of the chain.
The thing is that in the example “programs/x509/cert_write.c” the self-signed certificate is used only to compare the public key contained inside with the public key of the generator. It doesn’t seem to use the certificate itself to generate another certificate. Seems more like:
ESP32 has a self-signed certificate —> can create another certificate.
The second certificate created doesn’t seem to belong to the same chain, but seems just a new certificate. Did I miss something in the code or about how certificates work?
Thanks in advance for the help and for any clarification.
Christian

Hi @rivinoo
Thank you for your answer.

A certificate is used to authenticate that an entity is who it says it is. A certificate cannot be used to create a new certificate, since it doesn’t contain a private key. The generator has a key pair, and to confirm its certificate is in fact the correct certificate, the public key in the certificate is compared with the generator’s certificate. Why do you say the second certificate doesn’t belong to the chain? Isn’t the issuer name of the second certificate the same as the subject name of the first certificate? Isn’t the first certificate’s public key used to verify the second certificate?
A certificate doesn’t necessarily need to be in the same file or buffer.
Regards,
Mbed TLS Support
Ron

Thank you so much for the answer, it’s a really useful explanation.
Another thing:
What’s the point of generating a self-signed certificate first, before the generation of the certificate for another device, if it is only used to check that the public key in the self-signed certificate is the same as the generator’s?
I know that it’s the same, because I just generated it.
Regards,
Christian

Hi @rivinoo

What’s the point of generating a self-signed certificate first, before the generation of the certificate for another device, if it is only used to check that the public key in the self-signed certificate is the same as the generator’s?

Well, usually, as a client device, there is no need for you to generate a self-signed certificate. You should generate a CSR (Certificate Signing Request), and along with your public key, send it to a trusted CA (Certificate Authority) that will generate and sign your certificate.
A self-signed certificate, depending on your threat model, is usually the root of the certificate chain, and is usually the CA’s root certificate (what you call the generator).

If you are the CA in this matter, as you are, since you generate the certificate for another device, then when this other device sends its certificate to a third party, in order for the third party to verify this certificate, it should compare it against your self-signed certificate (assuming it trusts you and that your self-signed certificate is a CA certificate).
I hope this explanation was a bit clearer
Regards