I'm deploying a mass amount of ESP32 devices that will communicate with our own deployed server through HTTPS for data and updates. It will also communicate with our broker through mqtts.
I would like to know what are the best practices for storing the certificates in the ESP32 and have a few questions.
- How does the ESP32 verify the cert? I read that you can use either the root, intermediate, or server cert in the ESP32 and it will work.
- As the server will only be accessed by the devices, is it ok to have a self-signed cert on the server so that the cert never expires? What are the security risks?
- If I were to purchase a cert from a CA, to get the maximum expiry on the cert, I would use the root CA cert, right? So wouldn't that make the cert expiry not in my control?
Forgive me for my lack of knowledge in the workings of how the chain of trust and certs work. Any help or guidance will be much appreciated. Thank you.
TBH the biggest challenge to a beginner is finding a good article which describes PKI and x509 without being too shallow (like the first 2 pages of Google results tend to be). Maybe this one is a good starting point.
Assuming you're talking about verifying the identity of the server, the HTTPS client has an option to supply the expected server certificate in cert_pem - this is the one you'd use with self-signed PKI. A quick googling shows that this requires providing either the root or intermediate server certificate, not the leaf one. Also there's the additional option to validate the server's common name in common_name, which you'd probably use with an "official" PKI.
The MQTT client has a similar verification method which works with self-signed PKI.
It's totally OK to have a self-signed PKI if there are no third-party clients involved.
The expiration of your root cert requires some thought. Once a cert expires, the ESP32's HTTPS client will not connect to anything using that cert. I've set it to 50 years so I wouldn't get orphan devices which didn't manage to update the expired certificate in time (because they were not connected to the Internet) and are cut off the service forever. You still need to foresee root certificate rotation, just keep the orphans in mind.
I've no experience, but in general purchased certificates are needed when you want to allow third parties to verify your service. They definitely come with rather short expiration dates, risking creation of orphan devices.
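An added example, not part of the original posts: a constructed private PKI built with the openssl CLI, showing why a device that embeds the root CA certificate keeps accepting renewed server certificates while rejecting a certificate from another CA, a wrong hostname or an expired leaf. All names, hostnames and lifetimes are assumptions, the hostname is carried in the CN only to keep the example short, and `openssl verify` stands in for the checks the ESP32 TLS client performs.

```shell
#!/bin/sh
# Constructed demo PKI: every name, hostname and lifetime here is an assumption.
# Requires the openssl CLI (1.1.1 or later).

# new_root DIR NAME DAYS: self-signed CA certificate, the trust anchor a device embeds.
new_root() {
  cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed $2 CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
    -config "$1/$2.cnf" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# new_leaf DIR ROOT LEAF HOST DAYS SERIAL: server certificate issued by ROOT.
# Renewing the server certificate means calling this again with a new LEAF name.
new_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -config "$1/$2.cnf" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -set_serial "$6" -sha256 -days "$5" -out "$1/$3.pem" 2>/dev/null
}

# device_accepts ANCHOR LEAF HOST [EPOCH]: exit 0 only if LEAF chains to the
# pinned ANCHOR, is inside its validity period (evaluated at EPOCH if given)
# and names HOST. -no-CApath keeps the system trust store out of the decision.
device_accepts() {
  openssl verify -no-CApath -CAfile "$1" -verify_hostname "$3" \
    ${4:+-attime "$4"} "$2" >/dev/null 2>&1
}
```

Source the file, create a root with `new_root "$dir" root 18250`, issue leaves with `new_leaf`, then call `device_accepts "$dir/root.pem" "$dir/leaf1.pem" ota.example.test`. Passing a future epoch as the fourth argument shows the moment a short-lived leaf stops being accepted while the long-lived root is still valid.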