I baked the TLS certificate authority's certificate into the device firmware.

Is it a good idea? Do I have other options in esp-idf?

What if Flespi changes cert authority? Will we be notified before our devices stop working?

    HonzaPoboril
    We may suggest two solutions here:

    1. Upload the public CA to the device. This is a common approach, and the only downside here is that you are tied to our usage of the CA and the CA lifetime. We do not plan to switch our certificate provider now. But keep in mind that the GlobalSign Root CA is valid till January 2028, so less than 5 years are left. So it is obvious that after 5 years the flespi certificate will be signed by some other root certificate.
    2. Use your TLS proxy with a custom root CA. Then you can upload to the device a custom CA with a very long lifetime and maintain all the public root CA changes on the proxy side. We do not provide any guide on how to deploy it.
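A build-time guard for the CA-lifetime concern raised in the reply, as an added example that is not part of the original thread and is not flespi or esp-idf code. It assumes the pinned CA is kept as a PEM file in the firmware source tree and that the `openssl` CLI is installed; the function name `ca_valid_for` and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Fail a firmware build when the CA certificate pinned in the image would
# expire before the devices are expected to leave service.
#
# Usage (hypothetical path): ./check_ca.sh main/certs/server_root_ca.pem 1825

# ca_valid_for PEM_FILE DAYS
#   returns 0  certificate is still valid DAYS from now
#   returns 1  certificate expires within DAYS
#   returns 2  bad arguments or the file is not a parseable certificate
# Only the first certificate in PEM_FILE is examined.
ca_valid_for() {
    pem=$1
    days=$2

    case $days in
        ''|*[!0-9]*)
            echo "ERROR: DAYS must be a non-negative integer" >&2
            return 2 ;;
    esac

    # Separate "cannot parse" from "expires too soon": both would otherwise
    # surface as a non-zero exit status from -checkend.
    if ! end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null); then
        echo "ERROR: $pem is not a readable X.509 certificate" >&2
        return 2
    fi

    # -checkend N exits 0 when the certificate will NOT expire in N seconds.
    if openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null; then
        echo "OK: $pem $end (valid for at least $days more days)"
        return 0
    fi

    echo "FAIL: $pem $end (expires within $days days)" >&2
    return 1
}

# Run as a script only when called with exactly two arguments.
if [ "$#" -eq 2 ]; then
    ca_valid_for "$1" "$2"
    exit $?
fi
```

Choosing DAYS as the planned field lifetime of the device makes the build fail early enough to ship a firmware update with the replacement CA.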