Jean M (Posted November 12, 2019)

Hi, I'm trying to create a peer certificate (in this case the Server certificate) but it is failing with the following message:

Failed to create certificate: Creating and signing peer certificate failed. Check peer certificate validity, certification authority validity and their overlap.: Trace info: CreatePeerCertificate: Peer certificate validity is not fully covered by certification authority validity

It looks like some validation between the CA I provide and the certificate SMC is generating for signature is failing. Could someone help me understand what the requirements of both are to make this work? The only difference compared to a CA generated from SMC is the number of bits of the RSA key.

Thanks!

MartinK (ESET Staff) (Posted November 12, 2019)

The problem seems to be the selected validity of the certificate. The new certificate's validity cannot exceed the validity of the certificate authority used for signature. So, for example, in case the CA certificate is valid for the next 7 years, you cannot use it to create/sign a certificate that is supposed to be valid for the next 10 years. I would recommend checking the CA certificate validity and configuring the new to-be-signed certificate to not exceed the validity of the CA certificate.

Jean M (Author) (Posted November 12, 2019)

OK, makes sense now. Thanks!

Jean M (Author) (Posted November 13, 2019, edited November 13, 2019 by Jean M)

Just an additional word on this for other users' information. When we create a peer certificate in ESET we specify the validity period dates (start, end). Be aware that it will assume 00:00 hours and minutes of the start date. This means that if we created the custom root CA that is provided on the same day (for example 2019-11-12 13:20), very probably ESET will fail because it is trying to sign a certificate whose validity starts before that of the root CA (2019-11-12 00:00).
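
The coverage rule discussed in this thread, as an added example (not part of the original posts and not ESET's code): it checks a date-only peer validity window against a CA's notBefore/notAfter and returns the first start date that would pass. Assumptions: all times are UTC, the end date is also taken at 00:00, the CA timestamps are constructed sample values, and the function names are hypothetical.

```python
from datetime import date, datetime, time, timedelta, timezone

UTC = timezone.utc

def as_midnight(day):
    """Date-only input becomes 00:00 of that day (UTC is an assumption)."""
    return datetime.combine(day, time.min, tzinfo=UTC)

def check_peer_validity(ca_not_before, ca_not_after, peer_start, peer_end):
    """Return a list of problems; an empty list means the peer window
    is fully covered by the CA window."""
    start, end = as_midnight(peer_start), as_midnight(peer_end)
    problems = []
    if end <= start:
        problems.append("peer end date is not after its start date")
    if start < ca_not_before:
        problems.append(
            f"peer validity starts {start.isoformat()} "
            f"before CA notBefore {ca_not_before.isoformat()}")
    if end > ca_not_after:
        problems.append(
            f"peer validity ends {end.isoformat()} "
            f"after CA notAfter {ca_not_after.isoformat()}")
    return problems

def earliest_start_date(ca_not_before):
    """First calendar date whose 00:00 is not earlier than CA notBefore."""
    day = ca_not_before.astimezone(UTC).date()
    return day if as_midnight(day) >= ca_not_before else day + timedelta(days=1)

# Constructed sample: a custom root CA created at 13:20, valid for 7 years.
CA_NOT_BEFORE = datetime(2019, 11, 12, 13, 20, tzinfo=UTC)
CA_NOT_AFTER = datetime(2026, 11, 12, 13, 20, tzinfo=UTC)

if __name__ == "__main__":
    # Same-day start and a 10-year lifetime: both bounds fall outside the CA.
    for p in check_peer_validity(CA_NOT_BEFORE, CA_NOT_AFTER,
                                 date(2019, 11, 12), date(2029, 11, 12)):
        print("FAIL:", p)
    print("earliest usable start date:", earliest_start_date(CA_NOT_BEFORE))
```
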