SSL Certificate Renewal

MindReader32
Posts: 25
Joined: Mon May 14, 2018 8:33 am

SSL Certificate Renewal

Postby MindReader32 » Mon Jan 07, 2019 12:12 pm

Hi,

Please could someone help me clear up how updating SSL certificates for OTA would work on the ESP32 as they are currently compiled into the firmware.

I'm using LetsEncrypt which requires certificates to be renewed every 90 days, although this question applies to all SSL certificates as they all have to be renewed at some point.

1. When the SSL certificate renewal occurs on my website will OTA over SSL on my ESP32 device fail because the baked in certificate no longer matches?

2. Is it possible to read certificates from a file on flash partition as opposed to the certs being baked into the firmware?

3. Is a keychain file that can contain multiple certificates supported?

Thanks
Wayne

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: SSL Certificate Renewal

Postby WiFive » Tue Jan 08, 2019 2:11 am

Does your browser download a new certificate every 90 days? No, because the browser trusts the root certificate, which has a longer expiration. However, it can still expire, so you have to be prepared to update it and recover from a device being offline for an extended time during which the cert expires. There is some previous discussion about this in other topics.

MindReader32
Posts: 25
Joined: Mon May 14, 2018 8:33 am

Re: SSL Certificate Renewal

Postby MindReader32 » Tue Jan 08, 2019 7:12 am

Indeed, a browser on a PC or mobile device can easily download and store cert updates into a local key store/cert repo, which is what I'm trying to figure out how to do on the ESP32.
I shall continue my search...

ESP_Mahavir
Posts: 188
Joined: Wed Jan 24, 2018 6:51 am

Re: SSL Certificate Renewal

Postby ESP_Mahavir » Tue Jan 08, 2019 10:41 am

2. Is it possible to read certificates from a file on flash partition as opposed to the certs being baked into the firmware?

Please refer https://docs.espressif.com/projects/esp ... n_gen.html, which can be used to create storage partition for certificates and decouple them from firmware image.
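
What the input to that tool looks like, as an added illustration that is not from the thread or the Espressif docs: a certs.csv describing one NVS namespace that holds the CA bundle read from a file. The partition name, namespace, key and file name are assumptions.

```csv
key,type,encoding,value
certs,namespace,,
ca_bundle,file,binary,ca_bundle.pem
```

Generate the image with nvs_partition_gen.py (current releases take the form `nvs_partition_gen.py generate certs.csv certs.bin 0x4000`; the IDF 3.x tool used `--input`, `--output` and `--size` flags instead), give it its own row in the partition table (`certs, data, nvs, , 0x4000`), and at runtime call `nvs_flash_init_partition("certs")`, then `nvs_open_from_partition("certs", "certs", NVS_READONLY, &h)` and `nvs_get_blob(h, "ca_bundle", ...)`. The `string` encoding would let you read the value back with `nvs_get_str`, terminator included, but NVS caps string values at 4000 bytes including the terminator, which a bundle of two or three roots can exceed; a binary blob is not capped that low, at the cost of NUL-terminating the buffer yourself, because esp_http_client measures cert_pem with strlen().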

MindReader32
Posts: 25
Joined: Mon May 14, 2018 8:33 am

Re: SSL Certificate Renewal

Postby MindReader32 » Tue Jan 08, 2019 11:37 am

Thanks for the info.

How do I make the OTA API use the certificates in the partition, as currently, as per the OTA example, they are setup using:

extern const uint8_t server_cert_pem_start[] asm("_binary_ca_cert_pem_start");
extern const uint8_t server_cert_pem_end[] asm("_binary_ca_cert_pem_end");

Thanks

MindReader32
Posts: 25
Joined: Mon May 14, 2018 8:33 am

Re: SSL Certificate Renewal

Postby MindReader32 » Tue Jan 08, 2019 11:41 am

I guess I just have to load the certificate from the NVS partition into RAM and set in the `esp_http_client_config_t` config:

    const char                  *cert_pem;           /*!< SSL Certification, PEM format as string, if the client requires to verify server */

Perhaps the API could support a list of certs, as otherwise I will have to cycle round one or more certificates on the partition?

ESP_Mahavir
Posts: 188
Joined: Wed Jan 24, 2018 6:51 am

Re: SSL Certificate Renewal

Postby ESP_Mahavir » Wed Jan 09, 2019 12:40 pm

Yes, your understanding is correct: cert_pem needs to point to the server certificate buffer. Furthermore, this could also be a chain (list of certs) and it should just work (it gets handled in the esp-tls component). If you run into any issues, kindly keep us posted.

Thanks.

MindReader32
Posts: 25
Joined: Mon May 14, 2018 8:33 am

Re: SSL Certificate Renewal

Postby MindReader32 » Tue Jun 18, 2019 8:12 am

Hi,

LetsEncrypt certs expire every 90 days, although this question applies to all cert...
What is the correct/trusted process to update the cert on the ESP32 when the cert on the ESP32 flash partition is out of date and the cert on the server is updated?

Thanks

jcsbanks
Posts: 305
Joined: Tue Mar 28, 2017 8:03 pm

Re: SSL Certificate Renewal

Postby jcsbanks » Tue Jun 18, 2019 1:22 pm

Good question, interested in how I might update root certificates for AWS. They have long expiry dates but theoretically they could be revoked. If a device does not connect between the revocation notice and revocation, it is locked out from the usual way we would update. Could provide a way to update from another server but then how to keep those from revocation etc. Or manual upload from file system but that has security concerns to address.

Adriano
Posts: 9
Joined: Thu Aug 29, 2019 1:04 pm

Re: SSL Certificate Renewal

Postby Adriano » Thu Aug 29, 2019 3:27 pm

I don't know if it is a good solution, but I am developing it in this way:

1. load certificate from SPIFFS.
2. connect to HTTPS_WEBPAGE.
3. if it fails, I connect to HTTP_WEBPAGE/cer.php to download the new certificate.
4. save the new certificate in the SPIFFS.
5. reboot ESP32

It is simple to create a php script for retrieving the certificate. You just need a server able to answer also without https.
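
Two points in the thread are worth seeing in code: ESP_Mahavir's note that cert_pem accepts a chain, and the renewal procedure Adriano describes. Because cert_pem takes a whole bundle, the rotation that survives WiFive's "device offline when the root expires" case is an overlap: add the next root to the stored bundle while the old one is still valid, let both chains verify for a while, then drop the old one. The new root has to arrive authenticated (fetched over the still-valid TLS connection before expiry, or inside a signed OTA image); fetching it over plain HTTP after the TLS connection has already failed lets anyone on the path hand the device a CA of their choosing. The block below is an added example written for this thread, not code from the forum posters or from ESP-IDF. It works at the string level on a bundle the way it would come back from nvs_get_blob() (raw bytes, no terminator) and checks the framing before the buffer is handed to cert_pem; the two "roots" are constructed placeholders with PEM framing but dummy bodies, and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----\n"
#define PEM_END   "-----END CERTIFICATE-----\n"

/* Constructed placeholders: real PEM framing, dummy bodies. They are not
 * certificates and mbedtls would reject them; the names are assumptions. */
static const char OLD_ROOT[] = PEM_BEGIN "T0xEUk9PVA==\n" PEM_END;
static const char NEW_ROOT[] = PEM_BEGIN "TkVXUk9PVA==\n" PEM_END;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Count certificates in a NUL-terminated PEM bundle. Returns -1 when a BEGIN
 * has no matching END (a truncated blob), which mbedtls would otherwise only
 * report as a parse failure at connect time. */
int pem_bundle_count(const char *pem)
{
    int n = 0;
    for (const char *p = pem;;) {
        const char *b = strstr(p, PEM_BEGIN);
        if (!b) return n;
        const char *e = strstr(b + strlen(PEM_BEGIN), PEM_END);
        if (!e) return -1;
        n++;
        p = e + strlen(PEM_END);
    }
}

/* nvs_get_blob() returns raw bytes with no terminator, while esp_http_client
 * sizes cert_pem with strlen(), so the copy passed in the config must be
 * NUL-terminated. Returns NULL for anything that is not a well-formed bundle;
 * the caller frees the result. */
char *pem_bundle_from_blob(const uint8_t *blob, size_t len)
{
    if (len == 0 || memchr(blob, '\0', len)) return NULL;
    char *pem = malloc(len + 1);
    if (!pem) return NULL;
    memcpy(pem, blob, len);
    pem[len] = '\0';
    if (pem_bundle_count(pem) <= 0) { free(pem); return NULL; }
    return pem;
}

int pem_bundle_contains(const char *pem, const char *cert)
{
    return strstr(pem, cert) != NULL;
}

/* Append one certificate unless it is already present (exact text match).
 * Returns a new bundle; the caller frees it. */
char *pem_bundle_add(const char *pem, const char *cert)
{
    if (pem_bundle_count(cert) != 1) return NULL;
    if (pem_bundle_contains(pem, cert)) return dup_str(pem);
    size_t a = strlen(pem), b = strlen(cert);
    char *out = malloc(a + b + 1);
    if (!out) return NULL;
    memcpy(out, pem, a);
    memcpy(out + a, cert, b + 1);
    return out;
}

/* Remove one certificate by exact text. Returns a new bundle; the caller frees it. */
char *pem_bundle_remove(const char *pem, const char *cert)
{
    const char *hit = strstr(pem, cert);
    if (!hit) return dup_str(pem);
    size_t clen = strlen(cert), before = (size_t)(hit - pem);
    size_t after = strlen(hit + clen);
    char *out = malloc(before + after + 1);
    if (!out) return NULL;
    memcpy(out, pem, before);
    memcpy(out + before, hit + clen, after + 1);
    return out;
}

/* Overlap rotation: flash holds only the old root, the new root is added while
 * the old one is still valid, then the old one is dropped. Returns the number
 * of certificates left at the end, or -1 if any step misbehaves. */
int rotation_check(void)
{
    uint8_t blob[sizeof OLD_ROOT - 1];          /* as nvs_get_blob() would hand it back */
    memcpy(blob, OLD_ROOT, sizeof blob);

    char *cur = pem_bundle_from_blob(blob, sizeof blob);
    if (!cur || pem_bundle_count(cur) != 1) { free(cur); return -1; }
    char *both = pem_bundle_add(cur, NEW_ROOT);                       /* overlap window */
    char *again = both ? pem_bundle_add(both, NEW_ROOT) : NULL;       /* idempotent */
    char *next = both ? pem_bundle_remove(both, OLD_ROOT) : NULL;     /* old root retired */
    int ok = both && again && next &&
             pem_bundle_count(both) == 2 && pem_bundle_count(again) == 2 &&
             pem_bundle_count(next) == 1 &&
             pem_bundle_contains(next, NEW_ROOT) && !pem_bundle_contains(next, OLD_ROOT);
    int result = ok ? pem_bundle_count(next) : -1;
    free(cur); free(both); free(again); free(next);
    return result;
}

int main(void)
{
    printf("certificates left after rotation: %d\n", rotation_check());
    return 0;
}
```

The bundle that pem_bundle_add() returns is what you would write back to the NVS key and pass as cert_pem; the removal step only runs once the server side has fully moved to the new chain, so that a device that was offline through the changeover still has at least one root that validates.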
