Where is the best place to store certificates?

copercini
Posts: 25
Joined: Wed Dec 21, 2016 4:44 pm

Where is the best place to store certificates?

Postby copercini » Wed Apr 05, 2017 2:45 pm

I'm working with AWS IoT and it has 3 TLS certificates to store on the ESP32 board, with the following sizes (in PEM format):

Certificate: 1224 bytes
Private key: 1675 bytes
CA: 1758 bytes

Currently they are hardcoded in the script.

For OTA updates this will be a problem, because every board has different certificates and generating a firmware for each board doesn't look like a good idea.

So, where is the best place to store these certificates? In NVS? SD card? Somewhere else? Can it get corrupted by a power failure?

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Where is the best place to store certificates?

Postby ESP_Angus » Thu Apr 06, 2017 12:22 am

Hi copercini,

The AWS IoT examples that are part of IDF include a configuration option for storing them on the SD card, so that is one option.

If you're concerned about readout of the private key data by someone with physical access, then enabling flash encryption and storing them in an encrypted data partition on the ESP32's flash is an option. There isn't an example for this, but the support for it is present. The only thing is that, as it's the internal flash, you would still need a provisioning step for loading keys into each device.

We're currently in the process of merging support for formatting & mounting a FAT filesystem that is located in a partition on the internal flash, which will make it simpler to store data like keys and certs on the ESP32's internal flash. (Both approaches use the ESP-IDF filesystem, so the basics are the same - just that instead of mounting the SD card you will mount the internal FAT filesystem.)


Angus
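As an added illustration of the internal-FAT approach described in this thread (this is example code, not from the thread, from ESP-IDF or from Espressif), the block below loads the three per-device PEM files at boot from a FAT partition on the ESP32's flash instead of baking them into the firmware. On the device (ESP-IDF defines ESP_PLATFORM) the partition is mounted with esp_vfs_fat_spiflash_mount() from the FAT-on-flash support Angus mentions; on a host build the same loader reads from an ordinary directory so the logic can be exercised. The mount point /certs, the partition label "certs", the file names device.crt / private.key / ca.crt and the PEM labels are assumptions.

```c
/* Added example (not from the thread or ESP-IDF): read per-device AWS IoT PEM
 * files from a FAT data partition at boot. Mount point, partition label and
 * file names are assumptions. */
#include <stdio.h>
#include <string.h>

#ifdef ESP_PLATFORM
#include "esp_vfs_fat.h"
#include "wear_levelling.h"
#define CERT_DIR "/certs"            /* assumed mount point */
#else
#define CERT_DIR "/tmp"              /* host build: an ordinary directory */
#endif

/* Largest file in the thread is 1758 bytes; leave headroom plus the
 * terminating NUL that mbedTLS requires for PEM input. */
#define PEM_MAX 4096

struct device_creds {
    char cert[PEM_MAX], key[PEM_MAX], ca[PEM_MAX];
    long cert_len, key_len, ca_len;  /* lengths INCLUDING the NUL */
};

/* Read one PEM file into buf as a NUL-terminated string. Returns the length
 * including the NUL (what mbedtls_x509_crt_parse / mbedtls_pk_parse_key expect
 * for PEM), or -1 if the file is missing, empty or too large for the buffer. */
long load_pem_file(const char *path, char *buf, size_t buflen)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, buflen - 1, f);
    int overflow = (fgetc(f) != EOF);   /* data left over: refuse, don't truncate */
    fclose(f);
    if (n == 0 || overflow) return -1;
    buf[n] = '\0';
    return (long)n + 1;
}

/* Framing check before the buffer reaches the TLS stack: the block must open
 * with the expected BEGIN line and contain the matching END line. */
int pem_looks_valid(const char *pem, const char *label)
{
    char begin[64], end[64];
    snprintf(begin, sizeof begin, "-----BEGIN %s-----", label);
    snprintf(end, sizeof end, "-----END %s-----", label);
    return strncmp(pem, begin, strlen(begin)) == 0 && strstr(pem, end) != NULL;
}

#ifdef ESP_PLATFORM
static wl_handle_t s_wl = WL_INVALID_HANDLE;
/* Mount the data/fat partition labelled "certs" (assumed). Giving that entry the
 * "encrypted" flag in the partition table puts it under flash encryption.
 * format_if_mount_failed stays false so a bad mount never erases the
 * provisioned credentials. */
static int mount_cert_partition(void)
{
    esp_vfs_fat_mount_config_t cfg = { .max_files = 4, .format_if_mount_failed = false };
    return esp_vfs_fat_spiflash_mount(CERT_DIR, "certs", &cfg, &s_wl) == ESP_OK ? 0 : -1;
}
#else
static int mount_cert_partition(void) { return 0; }  /* nothing to mount on a host */
#endif

/* Load device.crt, private.key and ca.crt (assumed names) and check each one's
 * framing. Returns 0 on success, -1 if anything is missing or malformed. */
int load_device_credentials(struct device_creds *c)
{
    if (mount_cert_partition() != 0) return -1;
    char path[96];
    snprintf(path, sizeof path, "%s/device.crt", CERT_DIR);
    c->cert_len = load_pem_file(path, c->cert, PEM_MAX);
    snprintf(path, sizeof path, "%s/private.key", CERT_DIR);
    c->key_len = load_pem_file(path, c->key, PEM_MAX);
    snprintf(path, sizeof path, "%s/ca.crt", CERT_DIR);
    c->ca_len = load_pem_file(path, c->ca, PEM_MAX);
    if (c->cert_len < 0 || c->key_len < 0 || c->ca_len < 0) return -1;
    if (!pem_looks_valid(c->cert, "CERTIFICATE") ||
        !pem_looks_valid(c->key, "RSA PRIVATE KEY") ||
        !pem_looks_valid(c->ca, "CERTIFICATE")) return -1;
    return 0;
}

/* Wipe the private key once the TLS context holds its own copy; the volatile
 * pointer keeps the compiler from optimising the stores away. */
void wipe_private_key(struct device_creds *c)
{
    volatile char *p = c->key;
    for (size_t i = 0; i < PEM_MAX; i++) p[i] = 0;
    c->key_len = 0;
}

/* Host-side helper: write a CONSTRUCTED placeholder PEM file (the body is the
 * base64 of a marker string, not real key material) so the loader can be run
 * without a provisioned device. */
int write_constructed_pem(const char *path, const char *label)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    int r = fprintf(f, "-----BEGIN %s-----\nQ09OU1RSVUNURURfUExBQ0VIT0xERVI=\n-----END %s-----\n",
                    label, label);
    fclose(f);
    return r > 0 ? 0 : -1;
}
```

On the device, call load_device_credentials() once at startup, hand the three buffers and their lengths (NUL included) to the TLS setup, then call wipe_private_key() as soon as the TLS context has copied the key. The provisioning step Angus describes then amounts to writing the three files into that partition per board, which is independent of the firmware image and so survives OTA updates.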
