Hello,
I’m here to ask some things about the certificates. I have generated a self signed certificate using the private key and the public key of my ESP32 board.
Then another Device is coming and is giving to the ESP32 his public key, so that the ESP32 can generate another certificate of the chain.
The thing is that in the example “programs/x509/cert_write.c” the self certificate is used only to compare the public key contained inside with the public key of the generator. doesn’t seems to use the certificate itself to generate another certificate. Seems more like:
ESP32 has a self certificate —> can create another certificate.
The second certificate created doesn’t seem to belong to the same chain, but seems just a new certificate. Did I miss something in the code or about how certificate works?
Thanks in advance for the help and for any clarification.
Christian

Hi @rivinoo
Thank you for your answer.

A certificate is used to authenticate an entity that it is who it says it is. A certificate cannot be used to create a new certificate, since it doesn’t contain a private key. The generator has a key pair, and to confirm its certificate is in fact the correct certificate, the public key in the certificate is compared with the generator’s certificate. Why do you say the second certificate doesn’t belong to the chain? Isn’t the issuer name of the second certificate same is the subject certificate of the first certificate? Isn’t the first certificate’s public key used to verify the second certificate?
A certificate doesn’t necessarily need to be on the same file \ buffer
Regards,
Mbed TLS Support
Ron

Thank you so much for the answer, it’s a really useful explanation.
Another thing:
What’s the point to generate a Self-Certificate first, before the generation of the Certificate for another device, if it is only used to check if the public key in the self-certificate is the same to the generator?
I know that it’s the same, because i just generate it
Regards,
Christian

HI @rivinoo

What’s the point to generate a Self-Certificate first, before the generation of the Certificate for another device, if it is only used to check if the public key in the self-certificate is the same to the generator?

Well, usually, as a client device, there is no need for you to generate a self signed certificate. You should generate a CSR ( Certificate Signing Request ), and along with your public key, send it to a trusted CA ( Certificate Authority) that will generate and sign your certificate.
A self signed certificate, depending on your threat model, is usually the root of the certificate chain, and is usually the CA’s root certificate (what you call generator)

If you are the CA in this matter, as you since you generate the certificate for another device, then when this other device sends their certificate to a third party, in order for the third party to verfuy this certificate, they should compare it against your self signed certificate (assuming it trusts you and that your self signed certificate is a CA certificate)
I hope this explanation was a bit clearer
Regards

One last question, is it possible to generate an Intermediate Certificate from the CA with the library?
Regards,
Christian

HI @rivinoo

Yes you can!
Basically, an intermediate Certificate is a certificate that is not the root in the chain, but not the end certificate, as its name indicate. So, if you look at the cert_write, you will see how to use the library to generate certficates. You will need to use differnt keys for issuer_key and subject key, and different issuer_name and subject_name. Also selfsign should be 0.
Regards