How to locate Root Certificate to complete Chain Trust for TLS connection on 8883 ESP32 Chip


#1

Hi there,
I am playing with MQTT and an ESP32 chip. I would like to connect in the most secure way, so I thought maybe try with a TLS connection at the beginning, and later I could also encrypt the data which is sent to the broker.
I successfully managed to connect with mosquitto on Linux using the /etc/ssl/certs path to CA certificates.

I would now like to copy the certificate I need into flash memory so that my app written in C can use it while it connects to the broker on port 8883. How can I guess which CA is the right one I need from /etc/ssl/certs?

Many thanks in advance, Marcin


#2

Hello Marcin,

There are several methods you can use to find out which root certificate you have to feed into your SSL engine:

  1. Maybe the easiest is to use crt.sh to list the current certificate installed:

    https://crt.sh/?q=node02.myqtthub.com

  2. Inside there, you can click on the issuer supporting the latest certificate:

  3. What you see at the previous step is the certificate chain that node02.myqtthub.com is already providing you. You don’t have to download it, but rather the certificate issuing that one:

  4. That will show you the “CaId” (certificate authority ID) used to sign the chain provided by node02.myqtthub.com. Now, click on the certificate ID:

  5. That will show the current root certificate you have to feed to your SSL stack to complete the TLS trust chain:

    https://crt.sh/?id=9314791

  6. Now, with the certificate located, download it by just replacing “id” with “d”:

    https://crt.sh/?d=9314791

That should allow you to identify and download the root certificate chain that is associated with the certificate installed at any moment at node02.myqtthub.com.

Best Regards,
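
An offline way to answer the original question from the local trust store, as an added example that is not part of either post: it looks up the CA in a hashed directory such as /etc/ssl/certs by the issuer of the chain the broker presents, then confirms that this one file alone verifies the chain before it is copied to flash. The function names `last_cert` and `find_root_ca` and the file name `chain.pem` are hypothetical, and it assumes OpenSSL 1.1.0 or later and a CA directory with subject-hash file names.

```shell
#!/bin/sh
# Added example, not from the thread. Capture what the broker presents
# (host and port as in the thread), then run find_root_ca on the result:
#   openssl s_client -connect node02.myqtthub.com:8883 -showcerts </dev/null >chain.pem
#   find_root_ca chain.pem /etc/ssl/certs
# Assumption: the CA directory holds OpenSSL subject-hash names (<hash>.0),
# as /etc/ssl/certs does on Debian/Ubuntu.

# Print the last PEM certificate in a file (the topmost one the server sent),
# ignoring the non-PEM text s_client writes around it.
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; on = 1 }
         on { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { on = 0 }
         END { printf "%s", buf }' "$1"
}

# find_root_ca CHAIN_FILE CA_DIR
# Prints the path of the CA file that verifies the chain; returns 1 if none does.
find_root_ca() {
    chain=$1
    cadir=$2
    # Hash of the issuer name of the topmost presented certificate: the CA
    # directory indexes each CA under the same hash of its subject name.
    hash=$(last_cert "$chain" | openssl x509 -noout -issuer_hash 2>/dev/null) || return 1
    [ -n "$hash" ] || return 1
    for cand in "$cadir/$hash".*; do
        [ -e "$cand" ] || continue
        # A name match is not proof. Check the signatures with this single
        # file as the only explicit trust anchor, which is what the ESP32 gets.
        if openssl verify -no-CApath -CAfile "$cand" -untrusted "$chain" "$chain" >/dev/null 2>&1; then
            # Subject and SHA-256 fingerprint on stderr, for comparison with crt.sh.
            openssl x509 -in "$cand" -noout -subject -fingerprint -sha256 >&2
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}
```

The printed path is the file to embed; the certificate's expiry date is worth noting too, since the device stops connecting once its only trust anchor is no longer valid.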