fix(examples): Example CA certs must contain the Key Usage parameter

- Example CA certificates that are used for self-signed client certificates need to include the Key Usage parameter. - Python3.13 changed the default context of the SSL context that is generated using ssl.create_default_context() by enabling the VERIFY_X509_STRICT flag by default
2025-12-07 17:08:49 +00:00 · 2025-04-02 13:07:02 +05:30
parent fcbe493070
commit 9221c4eecd
10 changed files with 91 additions and 83 deletions
--- a/examples/protocols/esp_local_ctrl/README.md
+++ b/examples/protocols/esp_local_ctrl/README.md
@@ -13,7 +13,7 @@ Note, that this example in not supported for IPv6-only configuration.

 ## Client Side Implementation

-A python test script `scripts/esp_local_ctrl.py` has been provided for as a client side application for controlling the device over the same Wi-Fi network. The script relies on a pre-generated `main/certs/rootCA.pem` to verify the server certificate. The server side private key and certificate can also be found under `main/certs`, namely `prvtkey.pem` and `cacert.pem`.
+A python test script `scripts/esp_local_ctrl.py` has been provided for as a client side application for controlling the device over the same Wi-Fi network. The script relies on a pre-generated `main/certs/rootCA.pem` to verify the server certificate. The server side private key and certificate can also be found under `main/certs`, namely `prvtkey.pem` and `servercert.pem`.

 After configuring the Wi-Fi, flashing and booting the device, run the following command to test the device name
 resolution through mDNS:
@@ -91,7 +91,7 @@ You can generate a new server certificate using the OpenSSL command line tool.
 For the purpose of this example, lets generate a rootCA, which we will use to sign the server certificates and which the client will use to verify the server certificate during SSL handshake. You will need to set a password for encrypting the generated `rootkey.pem`.

 ```
-openssl req -new -x509 -subj "/CN=root" -days 3650 -sha256 -out rootCA.pem -keyout rootkey.pem
+openssl req -new -x509 -subj "/CN=root" -days 3650 -sha256 -out rootCA.pem -keyout rootkey.pem -addext "keyUsage=critical,digitalSignature,keyCertSign"
 ```

 Now generate a certificate signing request for the server, along with its private key `prvtkey.pem`.
@@ -100,13 +100,13 @@ Now generate a certificate signing request for the server, along with its privat
 openssl req -newkey rsa:2048 -nodes -keyout prvtkey.pem -days 3650 -out server.csr -subj "/CN=my_esp_ctrl_device.local"
 ```

-Now use the previously generated rootCA to process the server's certificate signing request, and generate a signed certificate `cacert.pem`. The password set for encrypting `rootkey.pem` earlier, has to be entered during this step.
+Now use the previously generated rootCA to process the server's certificate signing request, and generate a signed certificate `servercert.pem`. The password set for encrypting `rootkey.pem` earlier, has to be entered during this step.

 ```
-openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootkey.pem -CAcreateserial -out cacert.pem -days 500 -sha256
+openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootkey.pem -CAcreateserial -out servercert.pem -days 500 -sha256
 ```

-Now that we have `rootCA.pem`, `cacert.pem` and `prvtkey.pem`, copy these into main/certs. Note that only the server related files (`cacert.pem` and `prvtkey.pem`) are embedded into the firmware.
+Now that we have `rootCA.pem`, `servercert.pem` and `prvtkey.pem`, copy these into main/certs. Note that only the server related files (`servercert.pem` and `prvtkey.pem`) are embedded into the firmware.

 Expiry time and metadata fields can be adjusted in the invocation.

--- a/examples/protocols/esp_local_ctrl/main/certs/rootCA.pem
+++ b/examples/protocols/esp_local_ctrl/main/certs/rootCA.pem
@@ -1,16 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIICmjCCAYICCQCOEQkjYe2QMTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARy
-b290MB4XDTIwMTExMDExMjgyOVoXDTMwMTExMDExMjgyOVowDzENMAsGA1UEAwwE
-cm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOqS7H7+XeFNcf5m
-qlH04t0ru56MCDYv9JV3byILgUnk1j+ld74m2q4T+Xxiw5ruMXh41W2xryMLF3+3
-jql8b7isJFwCXud4/WLr4KzCEKgqvr6Nez9Hb9rIBbQsGWtDTjfe06F/D9Zioyt3
-RnoT+5ItpX0+9IJn3TmAx7g1wU2dlXeaTp48RWPtJBqxp80Lq4SR3CdxI9+eVHv9
-sRA3sI9ggqFWzDNJDiTLZoJU1Z+n/MnHTUBt7WRZcMToMsHbj2Gtd4LruB3J46qO
-bjoL4im9oUrfXJZh87nW9KQ/+gOVv8t0zU70A/JMrazb/YnE6xO7+40JfrGNuFMm
-ZyylUyECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAvCJMjXDNO/zUv7SBlr8hlHse
-KprCDEp91DlXsewpTB3h6s1gyZzDCygPtz80qRD6zy+T4r1veaYQeLecsIyfYNV1
-qnhNPpHnxjuXrrVwpEYOk/aP0yVlv0PiHsjyxzblLQPomX4m43Ec8/wW0Nlw0Aau
-K0sD5+Mv/3NNQIneGFsLF4JPRkJwLjSbjPdKLpjWdLsTKQwVg0FIslzI9RmBIQIq
-Nz2RWNHSqfGzsRpne9deqx9/9M4N8URUcmo0j7Ly7mYuxTkF7sft6sxbWDYQx1S1
-4GjAEFWe4352O0sFl0PWr+o8rd245yAu5SEahRFvjvnSNg8VlYcnezBmsp2rbQ==
+MIIDDzCCAfegAwIBAgIUdplZAINp6jYpsMaG467s9Km4eHswDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEcm9vdDAeFw0yNTA0MDIwNzM1MTdaFw0zNTAzMzEwNzM1
+MTdaMA8xDTALBgNVBAMMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCavBVGCVrDZHhLqx19GrYKH+MocUYItc6uD00gK8O9MthZMRoUkKCjiJfb
+8J3U9ufYdGHY/dZtXt9Ua+dadvdFh0u6PfGOZhbvMBAZNyWDyEVeV/CMYM946UXh
+FNFxjP6tt5Z0HtitApe94k5kSGXvjpnwacQVLn88tIUtdQPpm2RfH3DOoTMjViQh
+7a3ItPuwXJOXBFWeCZXmEPPjZO5xBOHjZLqWxyfolHm/XfWOqBXExb1SmTEk1EBo
+z/wA0ORJYwewn2fgZP5o0Ou88SXcji7Rjn3CoWFottS2rxsz747jjtXJoieFA3fk
+Qztu4QdPKsUIqevh/S+jtDi3JlozAgMBAAGjYzBhMB0GA1UdDgQWBBRy39hjtY/p
+Dorc1bZdeISNsne+9jAfBgNVHSMEGDAWgBRy39hjtY/pDorc1bZdeISNsne+9jAP
+BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIChDANBgkqhkiG9w0BAQsFAAOC
+AQEAa3EFXSXZ/wm1FGmvliXonhZsK88B11dscs5kxPPszbseHStg75n5ZfAHui7K
+vZHJG1Pg3Rtaq7hDO+VeTGgSFq8kxQxS8wQRNRf7HI602jTmNeyccCW6XM4u3+bN
+qbPFcTgJraceLSUCdYGE4ZPYK/8y5tfVafRbV08UBZ2bgqS9FmKQTPhohF6RBZ2s
+m8rIKhtRca6LbX+3txpExnYzbOMtaC1TA58MspGujuV36xTGsrbS/cR9QU1CVyBL
+e1p6W50YLtb82br/wou6WNY5QoTCQKV3eqq+Z76wOqdf6d9dMlIyl1Q0RZjOEysM
+9VwHi6ONS9sYTuk8C99L0ewQ/Q==
 -----END CERTIFICATE-----
--- a/examples/protocols/esp_local_ctrl/main/certs/servercert.pem
+++ b/examples/protocols/esp_local_ctrl/main/certs/servercert.pem
@@ -1,17 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIICrjCCAZYCCQDGnK9OU3UN2TANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARy
-b290MB4XDTIwMTExMDExMzExNVoXDTMwMTExMDExMzExNVowIzEhMB8GA1UEAwwY
-bXlfZXNwX2N0cmxfZGV2aWNlLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA2NgeOgHTX6yURoB8u3BAphDMTlp/Ar8oAtoO+xqIPw1sZKmhJLAS
-bfKkHKhi7pr/h31xOHqzTxlPkUzWpfszFx5YiDFYtiIlcObrgk83u3CtvBw7wuZ6
-BA/01hkiSGgkAFD/xnRNLKgidTu1tCIa2QY7Jnp+HdJz6yJws1/WAzn2lsXcJwSd
-6tPu2U0lhE2w6ylCdLYD3upveo/80WArQqNg6bv6Wbz8iL18E87enpwfHMA7ZN+S
-sDq7HACRjapAkcimjbzkrh7/f9Nr6c8KpPyeiWyHFxVTbmEj4NMG9IpbTKp9CMAt
-ysmiPYAYNFXsTHjoRVf4EbfHbxGHobUwewIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
-AQBWg9Xh1MG4d4gGGx920OJBm+qQ9XY9oV2Aap81ZYshgBlnUKoKLhYolp/CHXyr
-IXy7YA01ASX2wzohguqakdo0ghYkhwuRoly+0+uzphmqyMqXnTUDCgEcZF4l90xl
-jRdMenqEgfOXDNk2VAK/rmAZ2jZsaGpBI4NRbEdwH1MVd61g2NVBk0nEI73cW6Ki
-BPxMw2aGFizTwcPT9gwbQgLdLZeEuvcPrdzK5swqccZ+MBHMcwW/qvcmwqJGeLL2
-zmx7o2ODQyElIKLKUDWAFIYrb7DXR4oajjhUa0+SOj9Ydj/5+eZ+Wx7NJoG+oH7N
-DB0jK2qB8eexplQj1KLWS2Un
+MIIDAjCCAeqgAwIBAgIUTYhcWJl9maLjHahTSmFZ/vxNraUwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEcm9vdDAeFw0yNTA0MDIwNzM1NDdaFw0yNjA4MTUwNzM1
+NDdaMCMxITAfBgNVBAMMGG15X2VzcF9jdHJsX2RldmljZS5sb2NhbDCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBANjYHjoB01+slEaAfLtwQKYQzE5afwK/
+KALaDvsaiD8NbGSpoSSwEm3ypByoYu6a/4d9cTh6s08ZT5FM1qX7MxceWIgxWLYi
+JXDm64JPN7twrbwcO8LmegQP9NYZIkhoJABQ/8Z0TSyoInU7tbQiGtkGOyZ6fh3S
+c+sicLNf1gM59pbF3CcEnerT7tlNJYRNsOspQnS2A97qb3qP/NFgK0KjYOm7+lm8
+/Ii9fBPO3p6cHxzAO2TfkrA6uxwAkY2qQJHIpo285K4e/3/Ta+nPCqT8nolshxcV
+U25hI+DTBvSKW0yqfQjALcrJoj2AGDRV7Ex46EVX+BG3x28Rh6G1MHsCAwEAAaNC
+MEAwHQYDVR0OBBYEFIWrRCcd0EsQ14unaT9rQ8fxfXlDMB8GA1UdIwQYMBaAFHLf
+2GO1j+kOitzVtl14hI2yd772MA0GCSqGSIb3DQEBCwUAA4IBAQBxGemDnMNibZag
+C9zrz42c7Ag8MqjojoPqTghGfGN8NGmEylYossCpd/fVP2QriH9TB1cQhtV5AEgS
+xipJr6ktjnxZjLcwfjxSrtHbwCGuXLtPNIqOEMPWvCxTWEnWkzNy6Mn9qSAwms6g
+dQ7V2YU3nb7FTco9jt2V3JOXM/Yr1CbUHv27yycTpZSxSQAyp3U2xqC3snEbvlL4
+Awp0j7tT5pR/JcfT0Fl0fgfoeRkdkJK1NWldzFs3G+A4DLKgFwyQHfT9Hlh5IU7a
+4EtiavtsyNXtQPJLZajbdag06taQnQ6p6aqoiQnwcSHDjWtuCueSDVGN2rv1kWbt
+pYByeDAW
 -----END CERTIFICATE-----