-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generate CSR and store new certificate #11
Comments
Hi @tadejg,
|
@AdityaHPatwardhan Yes, I know you can use the python script. Maybe I wasn't specific enough in my initial question. I want the device to be able to renew its certificate while deployed in the wild. So I'm looking for a way to do this on the device, in firmware. |
Ah, okay. |
Understood, thanks. In that case, should I leave the issue open? |
@AdityaHPatwardhan any update on this ? |
Hi @tadejg @zafeer-birde We have started development for this feature, this should be available in a few days. |
@AdityaHPatwardhan to confirm is this complete now ? |
Hi @zafeer-birde Sorry, this is still in progress. Should be converged by end of the week or mid next week. |
@AdityaHPatwardhan any update ? |
Hi @zafeer-birde The MR is in the review stage, should be merged by next week. |
@AdityaHPatwardhan can we have some definite timelines for this ? We are waiting to implement a feature on certs regeneration which is currently blocked. |
Hi @zafeer-birde I am sharing this patch with you, It contains the support for appending to the esp_secure_cert partition. please check if it solves your blocker. Additionally, I wanted to understand the reason for this to be a blocker. There are other secure storage implementations as well, were they not suitable for your application ? ( e.g. NVS). |
@AdityaHPatwardhan Do you know if its possible to generate a CSR in runtime, that is signed with the private key in DS store that i can send to a server for signing? The example code you wrote, is to write down that cert you get back. I have looked at MBEDTLS code, and the code path for generating a CSR is bound to having a private key in a pem file you store, and not to access it from DS storage. Dont think there should be any limitations on that, just think its not supported yet, or at least that i know of. The use case for this, is to allow sign a new certificate from a new service with a the key stored in the ESP in factory not replacing the device key. |
@jimmyw I see no reason for it to be prohibited for generating a CSR at runtime using the DS peripheral. If it helps your to fix your issue, I would like to suggest following
If the above suggestion does not help, I think it is better to take this discussion to https://github.com/Mbed-TLS/mbedtls/issues which is the appropriate place for mbedTLS specific questions. |
Is it possible to use the stored private key to generate a CSR and store a newly signed certificate in the
esp_secure_cert
partition?The text was updated successfully, but these errors were encountered: