Tip: Working SSL/TLS certs for servers on ESP8266 #18794
-
|
Dropping this here, in the hopes of saving others some frustration and documenting this for my future self. I am working on a device (a remote switch) based on an ESP8266. It implements a very simple HTTP server and of course I wanted to use SSL to secure the connection. But I kept running into issues with the RSA key I generated along with the certificate. Any connection to the server triggered an The ESP8266 is a very constrained device and the SSL implementation for its MicroPython port is based on axTLS, not the more capable mBed TLS used by some other ports. It appears that axTLS doesn't like PKCS#8 packaged RSA private keys; they seem to fail axTLS's key validation code. The solve turned out be telling When preparing your RSA private keys to deploy on an ESP8266 running micropython, you can use something like this: openssl rsa -in original_key.pem -out key.der -traditional -outform DERIt's the |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
Here is a full working example for creating self-signed RSA key and x509 certificate that works on an ESP8266 running micropython. See the attached config files, too. This is confirmed to work with v1.27.0 for ESP8266, downloaded from micropython.org, running on an Adafruit Huzzah breakout. I have not tried it with the 1MiB or 512KiB versions of the firware; boards like the ESP-01 are so resource constrained, I don't touch them these days. #generate the RSA private key
openssl genpkey -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out priv.key
#Convert the private key to PKCS#1 and DER
#THIS IS THE CRUCIAL STEP FOR THE KEY ON AN ESP8266
openssl rsa -inform PEM -outform DER -traditional -passin pass: -in priv.key -out key.der
#Create the CSR (see csrconfig.txt)
openssl req -new -nodes -key priv.key -config csrconfig.txt -nameopt utf8 -utf8 -out cert.csr
#Self-sign your CSR (see certconfig.txt)
openssl req -x509 -nodes -in cert.csr -days 1095 -key priv.key -config certconfig.txt -extensions req_ext -nameopt utf8 -utf8 -out cert.crt
#convert cert to DER
openssl x509 -in cert.crt -out cert.der -outform DERCopy with open("cert.der","rb") as f:
cert = f.read()
f.close()
with open("key.der","rb") as f:
key = f.read()
f.close()Pass |
Beta Was this translation helpful? Give feedback.
Here is a full working example for creating self-signed RSA key and x509 certificate that works on an ESP8266 running micropython. See the attached config files, too.
This is confirmed to work with v1.27.0 for ESP8266, downloaded from micropython.org, running on an Adafruit Huzzah breakout. I have not tried it with the 1MiB or 512KiB versions of the firware; boards like the ESP-01 are so resource constrained, I don't touch them these days.