SSL Certificate Renewal
Posted: Mon Jan 07, 2019 12:12 pm
by MindReader32
Hi,
Please could someone help me clear up how updating SSL certificates for OTA would work on the ESP32 as they are currently compiled into the firmware.
I'm using LetsEncrypt which requires certificates to be renewed every 90 days, although this question applies to all SSL certificates as they all have to be renewed at some point.
1. When the SSL certificate renewal occurs on my website will OTA over SSL on my ESP32 device fail because the baked in certificate no longer matches?
2. Is it possible to read certificates from a file on flash partition as opposed to the certs being baked into the firmware?
3. Is a keychain file that can contain multiple certificates supported?
Thanks
Wayne
Re: SSL Certificate Renewal
Posted: Tue Jan 08, 2019 2:11 am
by WiFive
Does your browser download a new certificate every 90 days? No, because the browser trusts the root certificate which has a longer expiration. However it can still expire so you have to be prepared to update it and recover from a device being offline for an extended time during which the cert expires. There is some previous discussion about this in other topics.
Re: SSL Certificate Renewal
Posted: Tue Jan 08, 2019 7:12 am
by MindReader32
Indeed, a browser on a PC or mobile device can easily download and store cert updates into a local key store/cert repo, which is what I’m trying to figure out how to do on the ESP32.
I shall continue my search...
Re: SSL Certificate Renewal
Posted: Tue Jan 08, 2019 10:41 am
by ESP_Mahavir
2. Is it possible to read certificates from a file on flash partition as opposed to the certs being baked into the firmware?
Please refer to https://docs.espressif.com/projects/esp ... n_gen.html, which can be used to create a storage partition for certificates and decouple them from the firmware image.
Re: SSL Certificate Renewal
Posted: Tue Jan 08, 2019 11:37 am
by MindReader32
Thanks for the info.
How do I make the OTA API use the certificates in the partition, as currently, per the OTA example, they are set up using:
extern const uint8_t server_cert_pem_start[] asm("_binary_ca_cert_pem_start");
extern const uint8_t server_cert_pem_end[] asm("_binary_ca_cert_pem_end");
Thanks
Re: SSL Certificate Renewal
Posted: Tue Jan 08, 2019 11:41 am
by MindReader32
I guess I just have to load the certificate from the NVS partition into RAM and set in the `esp_http_client_config_t` config:
const char *cert_pem; /*!< SSL Certification, PEM format as string, if the client requires to verify server */
Perhaps the API could support a list of certs, as otherwise I will have to cycle round one or more certificates on the partition?
Re: SSL Certificate Renewal
Posted: Wed Jan 09, 2019 12:40 pm
by ESP_Mahavir
Yes, your understanding is correct, cert_pem needs to point to the server certificate buffer. Furthermore, this could also be a chain (list of certs) and it should just work (it gets handled in the esp-tls component). If you run into any issues, kindly keep us posted.
Thanks.
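The buffer that `cert_pem` points at is a C string and, as the reply above says, may hold a single CA root or a whole chain. As an added example, not code from this thread or from ESP-IDF, here is host-side C that checks a PEM bundle read back from a storage partition before the config is pointed at it: it requires a NUL terminator inside the bytes that were read and balanced BEGIN/END markers, and returns how many certificates the bundle holds. `pem_bundle_check` is a hypothetical helper and the certificate bodies are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>
/* Markers delimiting one certificate inside a PEM bundle. */
#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Validate a PEM bundle read from a storage partition before it is handed to
 * esp_http_client_config_t.cert_pem. cert_pem is a C string, so the buffer
 * must be NUL-terminated within `len` bytes, and every BEGIN marker must be
 * closed by an END marker. Returns the number of certificates found (1 for a
 * single CA root, more for a chain), or -1 if the bundle is unusable. */
int pem_bundle_check(const char *buf, size_t len)
{
    /* The partition read yields raw bytes; require a terminator inside them. */
    if (buf == NULL || memchr(buf, '\0', len) == NULL)
        return -1;
    int count = 0;
    const char *p = buf;
    for (;;) {
        const char *b = strstr(p, PEM_BEGIN);
        if (b == NULL)
            break;
        const char *e = strstr(b + strlen(PEM_BEGIN), PEM_END);
        if (e == NULL)
            return -1;             /* unterminated certificate block */
        count++;
        p = e + strlen(PEM_END);
    }
    /* No certificate at all, or a stray END after the last block: corrupted. */
    if (count == 0 || strstr(p, PEM_END) != NULL)
        return -1;
    return count;
}

/* Constructed sample bundle: two placeholder certificates, not real ones. */
static const char sample_bundle[] =
    PEM_BEGIN "\nMIIB...placeholder-root-ca...\n" PEM_END "\n"
    PEM_BEGIN "\nMIIB...placeholder-intermediate...\n" PEM_END "\n";

/* Constructed corrupted bundle: the second block lost its END marker. */
static const char truncated_bundle[] =
    PEM_BEGIN "\nMIIB...placeholder-root-ca...\n" PEM_END "\n"
    PEM_BEGIN "\nMIIB...cut off\n";

int main(void)
{
    printf("sample: %d\n", pem_bundle_check(sample_bundle, sizeof sample_bundle));          /* 2 */
    printf("truncated: %d\n", pem_bundle_check(truncated_bundle, sizeof truncated_bundle)); /* -1 */
    return 0;
}
```

On the device, the same check run right after the partition read catches a bundle that was only partly written before the buffer is trusted as a chain.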
Re: SSL Certificate Renewal
Posted: Tue Jun 18, 2019 8:12 am
by MindReader32
Hi,
LetsEncrypt certs expire every 90 days, although this question applies to all cert...
What is the correct/trusted process to update the cert on the ESP32 when the cert on the ESP32 flash partition is out of date and the cert on the server is updated?
Thanks
Re: SSL Certificate Renewal
Posted: Tue Jun 18, 2019 1:22 pm
by jcsbanks
Good question, interested in how I might update root certificates for AWS. They have long expiry dates but theoretically they could be revoked. If a device does not connect between the revocation notice and revocation, it is locked out from the usual way we would update. Could provide a way to update from another server but then how to keep those from revocation etc. Or manual upload from file system but that has security concerns to address.
Re: SSL Certificate Renewal
Posted: Thu Aug 29, 2019 3:27 pm
by Adriano
I don't know if it is a good solution, but I am developing it in this way:
1. load certificate from SPIFFS.
2. connect to HTTPS_WEBPAGE.
3. if it fails, I connect to HTTP_WEBPAGE/cer.php to download the new certificate.
4. save the new certificate in the SPIFFS.
5. reboot ESP32
It is simple to create a PHP script for retrieving the certificate. You just need a server that is also able to answer without HTTPS.