How to locate Root Certificate to complete Chain Trust for TLS connection on 8883 ESP32 Chip

#1

Hi there,
i playing with mqtt and ESP32 CHIP. I would like to connect in most secure way so i thought maybe try with TLS connection at the beginning and later i could also encrypt data which is sent to broker.
I successfully managed to connect with mosquitto on linux using /etc/ssl/certs path to CA certificates.

I would like now to copy the certificate i need into flash memory that my app written in C can use it while it connects to broker on port 8883. How can i guess which one CA is the right one i need from /etc/ssl/certs ?

Many thanks in advance, Marcin

Server unavailable error
#2

Hello Marcin,

There are several methods you can use to know what’s the root certificate you have to feed into your ssl engine:

  1. Maybe the easier is to use crt.sh to list current certificate installed:

    https://crt.sh/?q=node02.myqtthub.com

  2. Inside there, you can click on the issuer supporting latest certificate:

    image
    image.png1469x251 59.7 KB

  3. What you see at the previous step is the certificate chain that is already providing you node02.myqtthub.com. You don’t have to download it but the certificate issuing that one:

    image
    image.png1517x765 97.7 KB

  4. That will get you to show the “CaId” (Certificate authority Id) used to sign the chain provided by node02.myqtthub.com. Now, click on the certificate id:

    image
    image.png955x396 56.3 KB

  5. That will show the current root certificate you have to feed to your SSL stack to complete the TLS trust chain:

    https://crt.sh/?id=9314791

    image
    image.png1534x732 135 KB

  6. Now, with the certificate located, download it by just replacing “id” by “d”:

    https://crt.sh/?d=9314791

That should allow you to identify and download the root certificate chain that is associated to certificate installed at any moment at node02.myqtthub.com.

Best Regards,