Custom CA - Peer Certificate

[Jean M 7]

Hi,

I'm trying to create a peer certificate (in this case the Server certificate) but it is failing with the following message:

Failed to create certificate: Creating and signing peer certificate failed. Check peer certificate validity, certification authority validity and their overlap.: Trace info: CreatePeerCertificate: Peer certificate validity is not fully covered by certification authority validity

It looks like some validation between the CA I provide and the certificate SMC is generating for signature is failing some validation. Could someone help me understand what are the requirements of both to make this work?

The only difference compared to a CA generated from SMC is the number of bits of the RSA key..

Thanks!

[MartinK 378]

Problem seems to be selected validity of certificate. New certificate validity cannot exceed validity of certificate authority used for signature. So for example in case CA certificate is valid for new 7 years, you cannot use it to create/sign certificate that is supposed to be valid for next 10 years.

I would recommend to check CA certificate validity and configure new to-be-signed certificate to not exceed validity of CA certificate.

[Jean M 7]

OK.. makes sense now... thanks!

[Jean M 7]

Just an additional word on this for other users information.

When we create a peer certificate in ESET we specify the validity period dates (start, end) be aware that it will assume 00:00 hours and minutes of start date. This means that if we created the custom root CA that is provided on the same day (for example 2019-11-12 13:20), very probably ESET will fail because it is trying to sign a certificate whose validity starts before that of root CA (2019-11-12 00:00).

Edited November 13, 2019 by Jean M