SSL Certificate Renewal
- Posts: 25
- Joined: Mon May 14, 2018 8:33 am
SSL Certificate Renewal
Hi,
Please could someone help me clear up how updating SSL certificates for OTA would work on the ESP32 as they are currently compiled into the firmware.
I'm using LetsEncrypt which requires certificates to be renewed every 90 days, although this question applies to all SSL certificates as they all have to be renewed at some point.
1. When the SSL certificate renewal occurs on my website will OTA over SSL on my ESP32 device fail because the baked in certificate no longer matches?
2. Is it possible to read certificates from a file on flash partition as opposed to the certs being baked into the firmware?
3. Is a keychain file that can contain multiple certificates supported?
Thanks
Wayne
Re: SSL Certificate Renewal
Does your browser download a new certificate every 90 days? No, because the browser trusts the root certificate, which has a longer expiration. However, it can still expire, so you have to be prepared to update it and recover from a device being offline for an extended time during which the cert expires. There is some previous discussion about this in other topics.
- Posts: 25
- Joined: Mon May 14, 2018 8:33 am
Re: SSL Certificate Renewal
Indeed, a browser on a PC or mobile device can easily download and store cert updates into a local key store/cert repo, which is what I’m trying to figure out how to do on the ESP32.
I shall continue my search...
- Posts: 190
- Joined: Wed Jan 24, 2018 6:51 am
Re: SSL Certificate Renewal
2. Is it possible to read certificates from a file on flash partition as opposed to the certs being baked into the firmware?
Please refer to https://docs.espressif.com/projects/esp ... n_gen.html, which can be used to create a storage partition for certificates and decouple them from the firmware image.
Mahavir
https://github.com/mahavirj/
- Posts: 25
- Joined: Mon May 14, 2018 8:33 am
Re: SSL Certificate Renewal
Thanks for the info.
How do I make the OTA API use the certificates in the partition, as currently, as per the OTA example, they are set up using:
Code:
extern const uint8_t server_cert_pem_start[] asm("_binary_ca_cert_pem_start");
extern const uint8_t server_cert_pem_end[] asm("_binary_ca_cert_pem_end");
Thanks
- Posts: 25
- Joined: Mon May 14, 2018 8:33 am
Re: SSL Certificate Renewal
I guess I just have to load the certificate from the NVS partition into RAM and set it in the `esp_http_client_config_t` config:
Code:
const char *cert_pem; /*!< SSL Certification, PEM format as string, if the client requires to verify server */
Perhaps the API could support a list of certs, as otherwise I will have to cycle round one or more certificates on the partition?
- Posts: 190
- Joined: Wed Jan 24, 2018 6:51 am
Re: SSL Certificate Renewal
Yes, your understanding is correct: cert_pem needs to point to the server certificate buffer. Furthermore, this could also be a chain (list of certs) and it should just work (it gets handled in the esp-tls component). If you run into any issues, kindly keep us posted.
Thanks.
Mahavir
https://github.com/mahavirj/
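An added example (not code from this thread or from ESP-IDF) of the check a firmware should run on a PEM bundle read out of a raw flash partition before pointing cert_pem at it: mbedTLS parses PEM as a NUL-terminated string (the length it expects includes the terminator), while an erased flash partition reads as 0xFF padding, so a bundle written without its terminator must be rejected rather than handed to the TLS layer. The sample partition dump and the placeholder certificate bodies are constructed; reading the partition with esp_partition_read() into the buffer is assumed and not shown.

```c
#include <stddef.h>
#include <string.h>

#define BEGIN_TAG "-----BEGIN CERTIFICATE-----"
#define END_TAG   "-----END CERTIFICATE-----"

/* Constructed sample of what a partition read returns for a two-certificate
 * chain: the PEM text, the NUL the partition image was written with, then
 * 0xFF padding from erased flash.  Bodies are placeholders, not real certs. */
static const char k_partition_dump[] =
    BEGIN_TAG "\nPLACEHOLDER-INTERMEDIATE\n" END_TAG "\n"
    BEGIN_TAG "\nPLACEHOLDER-ROOT\n" END_TAG "\n"
    "\0\xff\xff\xff\xff\xff\xff\xff";

/* Counts BEGIN/END CERTIFICATE pairs in a flash buffer of `len` bytes.
 * Returns -1 when no NUL lies inside `len` (mbedTLS would read past the
 * partition contents) or when the markers do not pair up.  Only the
 * NUL-terminated prefix is inspected, so 0xFF padding is ignored. */
int pem_bundle_cert_count(const char *buf, size_t len)
{
    if (memchr(buf, '\0', len) == NULL) {
        return -1;
    }
    int count = 0;
    const char *p = buf;
    for (;;) {
        const char *b = strstr(p, BEGIN_TAG);
        if (b == NULL) {
            return count;
        }
        const char *body = b + strlen(BEGIN_TAG);
        const char *e = strstr(body, END_TAG);
        const char *next_b = strstr(body, BEGIN_TAG);
        if (e == NULL || (next_b != NULL && next_b < e)) {
            return -1;  /* BEGIN without END, or a BEGIN nested before END */
        }
        count++;
        p = e + strlen(END_TAG);
    }
}

/* Byte count to hand to the TLS layer for a usable bundle: the PEM text
 * plus its terminator, which is what mbedTLS expects for PEM input.
 * Returns 0 for an unusable buffer so the caller can refuse to start OTA. */
size_t pem_bundle_len_with_nul(const char *buf, size_t len)
{
    return pem_bundle_cert_count(buf, len) > 0 ? strlen(buf) + 1 : 0;
}
```

A bundle that passes can be used as the chain Mahavir describes: cert_pem points at the buffer and the whole chain is parsed by esp-tls.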
- Posts: 25
- Joined: Mon May 14, 2018 8:33 am
Re: SSL Certificate Renewal
Hi,
LetsEncrypt certs expire every 90 days, although this question applies to all cert...
What is the correct/trusted process to update the cert on the ESP32 when the cert on the ESP32 flash partition is out of date and the cert on the server is updated?
Thanks
Re: SSL Certificate Renewal
Good question, interested in how I might update root certificates for AWS. They have long expiry dates but theoretically they could be revoked. If a device does not connect between the revocation notice and revocation, it is locked out from the usual way we would update. Could provide a way to update from another server but then how to keep those from revocation etc. Or manual upload from file system but that has security concerns to address.
Re: SSL Certificate Renewal
I don't know if it is a good solution, but I am developing it in this way:
1. load certificate from SPIFFS.
2. connect to HTTPS_WEBPAGE.
3. if it fails, I connect to HTTP_WEBPAGE/cer.php to download the new certificate.
4. save the new certificate in the SPIFFS.
5. reboot ESP32
It is simple to create a PHP script for retrieving the certificate. You just need a server that is also able to answer without HTTPS.