Oooh I see, I was getting confused.

Hopefully I can store the letsencrypt X1 cert on the ESP and use that, along with a client cert, the 2035 expiry of X1 is enough for me.
Then just need to use IDF for the update.

Yeah sorry I wasn't very clear. I meant when the user initiates an update, how do I provide HttpsOTA.begin() with a client cert. But also seems I've figured it out. I was confused by the example here: https://github.com/espressif/arduino-esp32/tree/master/libraries/Update/examples/HTTPS_OTA_Update W...

Thanks very much for your help. Is there a way to provide a client certificate when doing a https ota update via arduino? I can't find any info on doing it.

Hi, Thanks very much for your reply, it's extremely helpful. I think the missing part of the puzzle to me was the client certificate - I couldn't work out otherwise how to secure the downloading of firmware updates. So if I understand correctly, a user can't copy the flash because it's encrypted wit...

Hi everyone, I'm working on a product - a custom PCB containing an ESP32 that needs to accept OTA updates, but that I'd like to protect against people copying the flash onto other boards. The situations I'd like to protect against are: A user reading the flash and flashing it to another ESP32 to clo...