Chapter 2. API Reference
Note: Trusting all root certificates means the list will have to be updated if any of the certificates are retracted. This includes removing them from cacrt_all.pem.

Configuration

Most configuration is done through menuconfig. Make and CMake will generate the bundle according to the configuration and embed it.

• CONFIG_MBEDTLS_CERTIFICATE_BUNDLE: automatically build and attach the bundle.
• CONFIG_MBEDTLS_DEFAULT_CERTIFICATE_BUNDLE: decide which certificates to include from the complete root list.
• CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH: specify the path of any additional certificates to embed in the bundle.

To enable the bundle when using ESP-TLS, simply pass the function pointer to the bundle attach function:

    /* The bundle is only linked in and used when this pointer is set. */
    esp_tls_cfg_t cfg = {
        .crt_bundle_attach = esp_crt_bundle_attach,
    };

This is done to avoid embedding the certificate bundle unless activated by the user.

If using mbedTLS directly, then the bundle may be activated by directly calling the attach function during the setup process:

    mbedtls_ssl_config conf;
    mbedtls_ssl_config_init(&conf);
    /* Registers the embedded bundle as the trust store for this config. */
    esp_crt_bundle_attach(&conf);

Generating the List of Root Certificates

The list of root certificates comes from Mozilla's NSS root certificate store, which can be found here. The list can be downloaded and created by running the script mk-ca-bundle.pl that is distributed as a part of curl. Another alternative would be to download the finished list directly from the curl website: CA certificates extracted from Mozilla.

The common certificates bundle was made by selecting the authorities with a market share of more than 1 % from w3tech's SSL Survey. These authorities were then used to pick the names of the certificates for the filter list, cmn_crt_authorities.csv, from this list provided by Mozilla.
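The filtering step described above (the complete Mozilla/curl root list reduced to the authorities named in cmn_crt_authorities.csv), together with the note at the top of this page that a retracted root must also be removed from cacrt_all.pem, as an added example. This is not ESP-IDF's own bundle generator and not code from the original page; the CSV layout (one authority name in the first column, '#' comment rows ignored), the constructed sample bundle with placeholder PEM bodies, and the check for filter entries that match nothing are assumptions made for illustration.

```python
"""Filter a curl-style CA bundle (cacrt_all.pem) down to a named subset.

Stand-in for the filtering step the documentation describes: the complete
Mozilla/curl root list is reduced to the authorities named in a CSV such as
cmn_crt_authorities.csv. Added example, not ESP-IDF's own bundle generator;
the CSV layout (authority name in the first column, '#' rows ignored) and
the sample inputs below are assumptions.
"""
import base64
import csv
import hashlib
import io

# Constructed sample in the mk-ca-bundle.pl layout: a name line, an '='
# underline, then the PEM block. The PEM bodies are NOT real certificates,
# only base64 of a short label so the fingerprint step has bytes to hash.
SAMPLE_BUNDLE = """\
##
## Bundle of CA Root Certificates (constructed sample, not real roots)
##

Example Root CA A
=================
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQtY2VydC1B
-----END CERTIFICATE-----

Example Root CA B
=================
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQtY2VydC1C
-----END CERTIFICATE-----
"""

# Constructed filter list. The second entry names a root that is no longer in
# the bundle, which is exactly what a retracted certificate looks like here.
SAMPLE_FILTER_CSV = """\
# authority name (constructed, first column only)
Example Root CA A
Retracted Root CA Z
"""


def parse_bundle(text):
    """Return {authority name: PEM block} from curl-style bundle text."""
    certs = {}
    lines = text.splitlines()
    pem = None
    name = None
    for i, line in enumerate(lines):
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
            # The name sits two lines above the BEGIN marker, over an '=' underline.
            underlined = i >= 2 and lines[i - 1] != "" and set(lines[i - 1]) == {"="}
            name = lines[i - 2].strip() if underlined else f"<unnamed #{len(certs)}>"
        elif pem is not None:
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                certs[name] = "\n".join(pem) + "\n"
                pem = None
    return certs


def fingerprint(pem):
    """SHA-256 over the DER bytes: a stable way to track one root across bundle updates."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def load_filter(csv_text):
    """Authority names from the first CSV column, skipping blank and '#' rows."""
    names = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        names.append(row[0].strip())
    return names


def filter_bundle(all_certs, wanted):
    """Select the wanted roots; report names with no match so a retraction is noticed, not silently dropped."""
    selected = {n: all_certs[n] for n in wanted if n in all_certs}
    missing = [n for n in wanted if n not in all_certs]
    return selected, missing


def render_bundle(selected):
    """Write the subset back out in the same name / underline / PEM layout."""
    return "\n".join(f"{n}\n{'=' * len(n)}\n{p}" for n, p in selected.items())


def build_filtered_pem(bundle_text, csv_text):
    """End to end: full list + filter CSV -> (filtered PEM text, names with no match)."""
    selected, missing = filter_bundle(parse_bundle(bundle_text), load_filter(csv_text))
    return render_bundle(selected), missing


if __name__ == "__main__":
    out, missing = build_filtered_pem(SAMPLE_BUNDLE, SAMPLE_FILTER_CSV)
    print(out)
    for n in missing:
        print(f"WARNING: '{n}' is in the filter list but not in the bundle (retracted or renamed?)")
    for n, p in parse_bundle(out).items():
        print(n, fingerprint(p))
```

The list of unmatched names is the check worth keeping in any such script: when a root is retracted upstream and disappears from cacrt_all.pem, a filter entry that no longer matches anything is the only signal that the bundle about to be embedded has lost an authority you were counting on. The per-certificate fingerprint lets the same script tell whether a freshly downloaded list actually differs from the one in the running firmware before an OTA update is cut.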
Updating the Certificate Bundle

The bundle is embedded into the app and can be updated along with the app by an OTA update. If you want to include a more up-to-date bundle than the bundle currently included in IDF, then the certificate list can be downloaded from Mozilla as described in Updating the Certificate Bundle.

Application Example

Simple HTTPS example that uses ESP-TLS to establish a secure socket connection using the certificate bundle with two custom certificates added for verification: protocols/https_x509_bundle.
HTTPS example that uses ESP-TLS and the default bundle: protocols/https_request.
HTTPS example that uses mbedTLS and the default bundle: protocols/https_mbedtls.
Espressif Systems 663 Release v4.4