search

tsi-software / Secure_ESP8266_MQTT_poc

Secure ESP8266 MQTT proof of concept
GNU General Public License v2.0
21 stars 13 forks source link

What if the certificate expires? #1

Open cwhzzang opened 4 years ago

cwhzzang commented 4 years ago

Hello, thank you for your contributions. I executed your program. It worked very well. But I have a problem. I entered my server credentials in the file "secure_credentials.h". But my server certificate will expire someday. When certificate expire, I will extend and replace the server's certificate in server. After that, do I need to re-modify this file "secure_credentials.h"? Or is ESP_8266 able to connect to the server without modification?

lopic34 commented 4 years ago

Hello, I have the same use case and the same question : what 's about reloading a certificate after expiration (need to reflash ESP) ?

And thank you for the great job !

tsi-software commented 4 years ago

Yes. When the certificate expires you have to:

Please keep in mind that I created this project as a proof of concept. My intention was to show, and prove, the steps required to make a secure connection. As I move forward with another more production ready project, I will make efforts to add a “secure over-the-air certificate update” feature, and other usability features, to this project.

lopic34 commented 4 years ago

Yes. When the certificate expires you have to: generate a new certificate, update secure_credentials.h, recompile the source code, flash the ESP

Please keep in mind that I created this project as a proof of concept. My intention was to show, and prove, the steps required to make a secure connection. As I move forward with another more production ready project, I will make efforts to add a “secure over-the-air certificate update” feature, and other usability features, to this project.

Thank for the process to re-inject the new certificate manually, and I agree, it is OK for a POC.

About the "auto-renew", do you plan about a regulary checking for a certificate on a http authenticated server or "OTA update" process ?

tsi-software commented 4 years ago

My plan is to have a database that keeps track of the expiry dates of all relevant certificates. Then, where appropriate, kick off an automated process to update the certificates that are close to expiring. I feel that “regularly checking” certificates is not as secure because there is a possibility of being spoofed.