
I am considering upscaling an IoT project I'm running with ESP32. I want to spend some time figuring out a correct way to provision certificates.

I have an infrastructure in mind but don't know if it's secure enough. I want to communicate between my MQTT server and a lot of devices. What I want to do now is generate a self-signed certificate to use as a CA, then generate a private key for every device, sign it with the CA and store them in an encrypted NVS partition. When a certificate then nears the end of its life, I would make a new key and certificate and send them using the mutually secured MQTT channel to replace the previous one. This way the server doesn't need to store private keys either.

For the CA, I just can't imagine what would make it less secure than a certificate that is already signed by a higher CA, as long as I'm using my own ecosystem.

Is this approach realistic and secure? Or would I be better off using something like AWS, where everything has been done for me?

  • Your approach is good. With AWS IoT generated certificates, they have a very long expiry date. Also, you don't have any control over them. Using your own CA, you could have a more fine-grained expiry policy. For generating new keys and certs, what's your plan? Trigger using MQTT and Lambda to create new keys and return them over MQTT? – brushtakopo Jan 20 '23 at 13:54
  • Yes, although with Lambda I'm still using AWS. I prefer using my own MQTT server, so making my own backend too (which doesn't seem that difficult to me). So I'm good with just a self-signed certificate, and that saves me a lot of money? – Jonas Van Hoof Jan 20 '23 at 14:32
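
The issuance and rotation flow described in the question, as an added example that is not part of the original post or its comments: a private root CA signs a short-lived client certificate from a CSR, and an expiry check decides when to rotate. The function names, file names, device ID `device-001` and the lifetimes are assumptions, and the `openssl` CLI must be installed.

```bash
#!/usr/bin/env bash
# Added example (not from the post). Function names, file names and
# the device ID "device-001" are hypothetical.
set -eu

write_cnf() {   # $1 = dir; minimal config so the system openssl.cnf is not needed
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example IoT Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_dev]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

make_ca() {     # $1 = dir; self-signed root with a 10-year lifetime
  write_cnf "$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
  openssl req -x509 -new -config "$1/pki.cnf" -key "$1/ca.key" \
    -sha256 -days 3650 -out "$1/ca.crt"
}

issue_device_cert() {   # $1 = dir, $2 = device ID, $3 = validity in days
  # Key + CSR: the step that belongs wherever the device key is created.
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
  openssl req -new -config "$1/pki.cnf" -key "$1/$2.key" \
    -subj "/CN=$2" -out "$1/$2.csr"
  # Signing: the only step that needs ca.key; it sees the CSR, not the key.
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days "$3" \
    -extfile "$1/pki.cnf" -extensions v3_dev -out "$1/$2.crt"
}

needs_renewal() {   # $1 = cert, $2 = days; succeeds if cert expires within $2 days
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_ca "$d"; issue_device_cert "$d" device-001 30
  openssl verify -CAfile "$d/ca.crt" "$d/device-001.crt"
  needs_renewal "$d/device-001.crt" 45 && echo "device-001: rotate now"
fi
```

Run it with the argument `demo` to see the chain verify and the rotation check fire; the broker would trust `ca.crt` for client authentication.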

0 Answers