
I've got some IoT devices out in the field that use ESP32. They have the old expired "DST Root CA X3" cert issue and now fail to connect over HTTPS to download a firmware update file. The devices use the IDF library for HTTPS OTA, which I think uses mbedtls.

Would it theoretically be possible to set up a server (assume I have complete control of it and the domain name that the devices contact) such that the HTTPS connection succeeds and the devices can update their firmware (including updated root CA certs)?

Would this be practical to implement? If so how would I do it?

Felix
    Your own server will only work if you can control the update URL used by the device. Because otherwise you would have to use the original server DNS name, for which you don't get a certificate that will be accepted by the device. Maybe it would be faster to search for a way to offline update the device. – Robert May 22 '23 at 07:42
  • It's probably easier to get an update server TLS certificate signed by a CA trusted by the IoT device that *isn't* expired. – President James K. Polk May 22 '23 at 15:20
  • If the SSL handshake is aborted by the device because the locally trusted root CA is expired AND this is the only CA trusted on the device AND you cannot adjust the clock on the device so that it thinks the root CA is still valid, then no server-side changes will help. If any of these assumed conditions is not true, then server-side changes are maybe helpful. But details depend on these missing details about the IoT setup you've not provided in your question. – Steffen Ullrich May 22 '23 at 15:51
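The three conditions in the last comment (expired trust anchor, whether it is the only anchor, device clock) can be tried out offline with a small model of certificate path validation. This is an added example written for this page; it is not code from the question, from ESP-IDF or from mbedTLS. Certificates are constructed records: signatures are assumed to verify, only subject/issuer names and "Not After" dates are modelled, and "Not Before" is ignored. The expiry dates of DST Root CA X3 (2021-09-30), the self-signed ISRG Root X1 (2035-06-04) and the DST-cross-signed ISRG Root X1 (2024-09-30) are the public ones; the hostname `update.example.com`, the R3 and leaf dates and "Example Vendor Root" are assumptions for the demo.

```python
"""Simplified X.509 path validation with expiry checks (added example, not
code from the question, ESP-IDF or mbedTLS). Constructed certificates only."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime   # "Not Before" is deliberately not modelled


def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Trust anchors a device might ship with. DST Root CA X3 and ISRG Root X1
# expiry dates are from the public certificates; the vendor root is assumed.
DST_ROOT_CA_X3 = Cert("DST Root CA X3", "DST Root CA X3", utc_date(2021, 9, 30))
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", utc_date(2035, 6, 4))
VENDOR_ROOT = Cert("Example Vendor Root", "Example Vendor Root", utc_date(2040, 1, 1))

# Chains a server could send. The cross-signed ISRG Root X1 expiry is public;
# the hostname, leaf and R3 dates are assumptions.
LEAF = Cert("update.example.com", "R3", utc_date(2023, 8, 1))
R3 = Cert("R3", "ISRG Root X1", utc_date(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc_date(2024, 9, 30))
VENDOR_LEAF = Cert("update.example.com", "Example Vendor Root", utc_date(2024, 1, 1))

LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]   # Let's Encrypt style chain ending at DST
SHORT_CHAIN = [LEAF, R3]                 # same leaf, server stops at R3
VENDOR_CHAIN = [VENDOR_LEAF]             # leaf issued directly by another root

TODAY = utc_date(2023, 5, 22)            # date of the question
BEFORE_EXPIRY = utc_date(2021, 5, 22)    # a device clock from before DST expired


def verify_chain(server_chain, trust_store, now, max_depth=8):
    """Return (ok, explanation) for server_chain[0] verified against trust_store.

    Walks leaf -> issuer -> ... until a trust anchor is reached. An issuer is
    looked up in the trust store first and in the server-supplied chain second
    (a modelling choice; real validators differ in this preference). Every
    certificate on the path, the anchor included, must be unexpired at `now`,
    which is why an expired root in the store breaks the handshake.
    """
    anchors = {c.subject: c for c in trust_store}
    supplied = {c.subject: c for c in server_chain}
    cert, from_store, path = server_chain[0], False, []
    for _ in range(max_depth):
        path.append(cert.subject + (" [anchor]" if from_store else ""))
        if now > cert.not_after:
            return False, (f"{cert.subject} expired {cert.not_after.date()} "
                           f"(device clock {now.date()})")
        if from_store:
            return True, " -> ".join(path)
        nxt = anchors.get(cert.issuer)
        from_store = nxt is not None
        if nxt is None:
            nxt = supplied.get(cert.issuer)
        if nxt is None:
            return False, f"no certificate for issuer {cert.issuer!r} in store or chain"
        if nxt is cert:
            return False, f"self-signed {cert.subject!r} is not a trust anchor"
        cert = nxt
    return False, "chain too long"


def scenarios():
    """The situations discussed in the comments, each as (ok, explanation)."""
    return {
        "only anchor expired, long chain": verify_chain(LONG_CHAIN, [DST_ROOT_CA_X3], TODAY),
        "only anchor expired, short chain": verify_chain(SHORT_CHAIN, [DST_ROOT_CA_X3], TODAY),
        "clock set before expiry": verify_chain(LONG_CHAIN, [DST_ROOT_CA_X3], BEFORE_EXPIRY),
        "device also trusts ISRG Root X1": verify_chain(LONG_CHAIN, [DST_ROOT_CA_X3, ISRG_ROOT_X1], TODAY),
        "cert from another trusted root": verify_chain(VENDOR_CHAIN, [DST_ROOT_CA_X3, VENDOR_ROOT], TODAY),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {why}")
```

With only the expired root in the store, no chain the server can send passes: the long chain dies at the anchor's expiry and the short chain has no issuer to reach. Rolling the clock back, adding a second still-valid anchor, or issuing the server certificate under a different root the device already trusts each makes the walk succeed, which is the case split in the comments. The model prefers an anchor from the store over a cross-certificate sent by the server; whether the firmware's TLS library does the same is something to confirm against that library rather than assume. A practical check against a real bundle is `openssl verify -CAfile device-bundle.pem -untrusted chain.pem -attime <epoch> leaf.pem`, with `-attime` set to what the device's clock will actually read.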

0 Answers