	mbedtls: move locally managed root certificates to separate file
Purpose: This will allow for easily automating periodic updates to the "cacrt_all.pem" file. Note: For now, the newly created "cacrt_local.pem" contains a single "DST Root CA X3" certificate, which we are keeping to maintain compatibility with endpoints like "howsmyssl.com". Please note this Root CA is expired and is not part of Mozilla’s NSS root certificate store.
		 Mahavir Jain
					Mahavir Jain
				
			
				
					committed by
					
						 Harshit Malpani
						Harshit Malpani
					
				
			
			
				
	
			
			
			 Harshit Malpani
						Harshit Malpani
					
				
			
						parent
						
							bc7cb7c947
						
					
				
				
					commit
					a6fd8b0972
				
			| @@ -15,9 +15,9 @@ if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE) | ||||
|     set(GENERATE_CERT_BUNDLEPY ${python} ${COMPONENT_DIR}/esp_crt_bundle/gen_crt_bundle.py) | ||||
|  | ||||
|     if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL) | ||||
|         list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem) | ||||
|         list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem ${DEFAULT_CRT_DIR}/cacrt_local.pem) | ||||
|     elseif(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN) | ||||
|         list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem) | ||||
|         list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem ${DEFAULT_CRT_DIR}/cacrt_local.pem) | ||||
|         list(APPEND args --filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv) | ||||
|     endif() | ||||
|  | ||||
|   | ||||
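Review bot: Both `list(APPEND crt_paths ...)` lines now add `cacrt_local.pem` unconditionally, so whatever is placed in that hand-maintained file becomes a default trust anchor in the FULL and CMN bundles with no configuration switch, and the commit message states that its only current entry is expired and absent from Mozilla's NSS store. In the CMN branch the `--filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv` argument still follows; whether that CSV lists DST Root CA X3 is not visible in this hunk, so it is worth confirming that the local certificate is not silently filtered out (or documenting that it is). A comment above the first append would record the intent, for example `# cacrt_local.pem: manually maintained roots outside the automated cacrt_all.pem sync; every entry is trusted by default, review additions`. The enclosing `if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)` block starts and ends outside the hunk.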
							
								
								
									
										33
									
								
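--- /dev/null
+++ b/components/mbedtls/esp_crt_bundle/cacrt_local.pem
@@ -0,0 +1,33 @@
+##
+## Local CA Root Certificates
+##
+## Local CA Root Certificates that gets appended to "cacrt_all.pem"
+
+
+## letsencrypt has generated a cross signed certificate with DST ROOT CA X3
+## for compatibility after the expiry of the certificate.
+## The new certificate has the ISSUER name as DST Root CA X3.
+## Thus, the handshake fails if esp_crt_bundle does not find the
+## respective name in the crt_bundle.
+## Keeping this certificate for compatibility reasons.
+## This will be removed once the cross-signed certificate expires in Sep 2024.
+
+DST Root CA X3
+==============
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYDVQQK
+ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
+DTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1
+cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmT
+rE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEqOLl5CjH9
+UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9bxiqKqy69cK3FCxolkHRy
+xXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40d
+utolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0T
+AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQ
+MA0GCSqGSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikug
+dB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjE
+GB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bw
+RLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubS
+fZGL+T0yjWW06XyxV3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----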
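Review bot: The removal condition for this root is recorded only in the comment ("will be removed once the cross-signed certificate expires in Sep 2024"), so nothing prompts anyone to act once that date passes and the expired anchor stays in every default bundle. Because the header says esp_crt_bundle matches on the issuer name, keeping the entry means chains naming DST Root CA X3 continue to resolve to this key; whether the bundle verification path checks the root's own validity period is not visible on this page and should be confirmed. I would make the condition actionable by adding a line such as `## REMOVE-AFTER: 2024-09 -- tracked in <issue-id placeholder>`, and reword the file header to `## Locally managed CA root certificates, passed to the bundle generator alongside "cacrt_all.pem"`, since the CMake change lists both files rather than appending one to the other.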