
I'm reading very different things about certificates in IoT. I'm struggling to make a choice on how to manage this.

Here's the situation:

  • I'm using ESP32
  • I don't have much storage available
  • I need to send data to a server through HTTPS
  • I need to receive data from this same server
  • I'm using Let's Encrypt on the server's side
  • I can do OTA updates, but I'd like to avoid it as much as possible

Edit:

  • I need server authentication
  • I don't need client authentication

Which certificate do I have to embed into ESP32?

Aliz

1 Answer


You've not said if you want to do client authentication via certificate as well as the usual server validation.

Assuming just server validation, then you need to include the Certificate Authority chain to be able to validate the certificate presented by the HTTP server. In this case it would be the Let's Encrypt chain, which is available here: https://letsencrypt.org/certificates/

You will need either the ISRG Root cert and the matching signed intermediate certificate, or the IdenTrust Root CA cert and the matching intermediate. Personally I would pick the first option.

If you want to do client authentication as well, then you will need to generate certificates and private keys for each device and include these as well.

hardillb
  • I just need to do server authentication. How do we deal with certificate expiration? – Aliz Apr 04 '19 at 12:10
  • The CA chain certificates have very long lifetimes (the intermediate expires on Oct 6 15:43:55 2021 GMT), so it's unlikely to be a problem, and if it is then you can do an OTA update. – hardillb Apr 04 '19 at 12:12
  • OK, but what if the OTA update doesn't work or if we are too late to update? How do we prevent the system from no longer being able to perform HTTPS requests? – Aliz Apr 04 '19 at 12:17
  • You can't; if you can't update the certs then it will stop working. – hardillb Apr 04 '19 at 12:21
  • Can't we ignore the certificate expiration date? – Aliz Apr 04 '19 at 12:25
  • No, because Let's Encrypt will replace the certificate before it expires, so the new server certificates (issued every 90 days) will not be signed by the expired certificate and there will be no chain of trust. – hardillb Apr 04 '19 at 12:28
  • You said "Let's Encrypt will replace the certificate before it expires". How do we know at which time we have to change the certificate? Will there be a period during which the two certificates (old and new) will both work? – Aliz Apr 04 '19 at 12:32
  • No, but they will publish the new intermediate cert well ahead of switching to it, and you will need to include both intermediate certs in an OTA update. This is exactly how ALL CAs work. Please read up on how CAs work. – hardillb Apr 04 '19 at 12:41
  • @Aliz "Can't we ignore the certificate expiration date?" ESP32 IDF by default ignores the certificate date, so these problems don't occur. – MandoMando Jul 23 '19 at 13:14
  • That doesn't matter, because by the time the intermediate cert expires the server cert will no longer be signed with it, so it will fail. – hardillb Jul 23 '19 at 13:30
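The answer and the comment thread turn on one question: which embedded certificate still lets the device link the server's 90-day leaf certificate back to something it trusts, before and after Let's Encrypt rotates its intermediate. The following is an added model of that path-building logic, not code from the thread or from ESP-IDF: it uses no real X.509 parsing or signatures, only (subject, issuer, notAfter) triples; the old intermediate's expiry is the one quoted above, while the root's date, the new intermediate's date and the hostname are placeholders.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed model of chain building only (no DER, no signature checks): a cert
# is (subject, issuer, not_after). The old intermediate's expiry is the one quoted
# in the thread; the other dates and the hostname are placeholders.
Cert = namedtuple("Cert", "subject issuer not_after")

ROOT = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4))
OLD_INT = Cert("LE intermediate (old)", ROOT.subject, datetime(2021, 10, 6, 15, 43, 55))
NEW_INT = Cert("LE intermediate (new)", ROOT.subject, datetime(2025, 9, 15))


def leaf(intermediate, issued):
    """A 90-day server certificate issued by the given intermediate."""
    return Cert("iot.example.com", intermediate.subject, issued + timedelta(days=90))


def validates(server_chain, trust_store, now, check_expiry=True):
    """True if the device can link the leaf to a cert it has embedded.

    server_chain is leaf-first, as sent in the TLS handshake; trust_store is
    what the firmware ships. check_expiry=False models a client that ignores
    notAfter, as one comment says ESP-IDF does by default.
    """
    sent = {c.subject: c for c in server_chain}
    anchors = {c.subject: c for c in trust_store}
    cert = server_chain[0]
    while True:
        if check_expiry and now > cert.not_after:
            return False                      # leaf or intermediate expired
        anchor = anchors.get(cert.issuer)
        if anchor is not None:                # issuer is on the device: path complete
            return not check_expiry or now <= anchor.not_after
        nxt = sent.get(cert.issuer)
        if nxt is None or nxt is cert:
            return False                      # issuer neither sent nor trusted
        cert = nxt


def scenario(trust_store, intermediate, issued, now, check_expiry=True):
    """Server sends leaf + its intermediate; the device holds trust_store."""
    return validates([leaf(intermediate, issued), intermediate], trust_store, now, check_expiry)


if __name__ == "__main__":
    after = datetime(2021, 9, 15)             # LE already moved to the new intermediate
    print("pin old intermediate, after rotation:", scenario([OLD_INT], NEW_INT, datetime(2021, 9, 1), after))
    print("same, ignoring expiry:", scenario([OLD_INT], NEW_INT, datetime(2021, 9, 1), after, False))
    print("pin ISRG root, after rotation:", scenario([ROOT], NEW_INT, datetime(2021, 9, 1), after))
```

Pinning only the intermediate fails after rotation whether or not expiry is checked, which is hardillb's point; pinning the root survives the rotation, so the root is the anchor to embed and the one whose notAfter to track for the OTA schedule.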