Topic: How to handle certificate expiry in device

I am using the wolfSSL library for my PIC32MZ based project; I have HTTPS and MQTT working with Azure IoT Hub. Currently the certificate expiry time is 1 year, and the certificate is currently added as static in code.
HTTPS uses this certificate's validity time for validation when completing the handshake procedure with the server.
The question is: when this certificate expires after one year, the device simply fails to connect to the server again, and the handshake fails because of this.
I am looking for a standard way to handle this expiry time so the device always stays connected to the server for many years.
Now, if there is a certificate with a longer expiry period, let's say 20 years from the start date, then it becomes very straightforward to use it for a long time.
But what if the server-provided certificate has only a 1 year expiry time and every year it has to be renewed with a new one? Then how can we handle this in code using wolfSSL?

Please provide some support on this issue; we can have more discussion on this.


Re: How to handle certificate expiry in device

Hi Nilesh,

Great question. Security-wise, you are better off generating a new CA certificate with a shorter expiration like 1 year vs a longer expiration like 20 years.
Around the 1 year mark, when your certificate is about to expire, you will want to generate a new certificate for the server. We have some examples of how to do this with wolfSSL here: https://github.com/wolfSSL/wolfssl-exam … er/certgen
On the client side, you will need to load the newly generated CA certificate instead of the old one. Since you are using a static buffer in code, you'd need to update this buffer and rebuild your code. If your device supports a filesystem, you could point wolfSSL to a file which you'd replace when the cert expires.

May I ask if you are using wolfSSL in a personal or commercial project? Feel free to email us at support [AT] wolfssl [DOT] com if this information is sensitive.

Thanks,
Kareem


Re: How to handle certificate expiry in device

Hi Kareem,
Thanks for the quick response.
I am using wolfSSL for a commercial project.
Looking at your comment, it looks like I have to generate certs for the server manually and then, on the client side, store them in code as static, but this requires manual intervention.
I am looking for an automated process to do this, meaning certs stored in device memory and their expiry date monitored by a wolfSSL API call.
Is there any API that wolfSSL provides to monitor the date and time for certificate expiry?

Also, when the device is placed at a site, it will stay connected to the server until the certs expire. But once they have expired, or near the time of expiry, it should renew the certs at run time and connect to the server again with the new certificate.
I am not sure, or I can say I still don't have the expertise on this, but I would expect that if there is any way in the wolfSSL library in which we can handle this gracefully, that could be really helpful.


Re: How to handle certificate expiry in device

Hi Nilesh,

I am happy to help. So if I'm understanding right, you want to be able to update your certificate buffer without recompiling your application. In this case we would recommend setting aside a section of flash for your certificate, and pointing your cert buffer to this address. Then you can update your certificate by replacing this section rather than recompiling your entire application.

We don't support automatically generating certificates as described. If you would like us to add support for this, we would need to set up a feature request; please contact us at support [AT] wolfssl [DOT] com to set this up.

Thanks,
Kareem

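Added example (not code from the thread, wolfSSL, or Microchip): the two replies above describe the pattern of keeping the certificate in a dedicated flash region and replacing it before it expires, and the earlier question asks how to monitor the expiry date from code. The C below shows the device-side check that ties those together: it walks the standard X.509 DER layout (Certificate -> tbsCertificate -> validity) to read notAfter, converts the ASN.1 UTCTime/GeneralizedTime to Unix seconds, and decides whether the buffer is inside a renewal window. The DER parser is a dependency-free stand-in so the policy compiles with a plain C toolchain; in a wolfSSL build with the OpenSSL-compatibility layer the same field is reachable through wolfSSL_X509_get_notAfter(). The `kTestCertDer` bytes are a constructed skeleton (not a real, signed certificate) that populates only the fields on the path to validity; the "now" value, the 30-day window, and the function names are assumptions of this example. On the device, `der` would point at the flash slot, and `now` would come from a trustworthy clock, since a wrong RTC breaks both this check and wolfSSL's own date validation during the handshake.

```c
#include <stdint.h>
#include <stdio.h>

/* Read one DER TLV at p: returns the value bytes and sets *tag/*len, or NULL if truncated. */
static const uint8_t *der_tlv(const uint8_t *p, const uint8_t *end, uint8_t *tag, size_t *len)
{
    size_t l, n, i;
    if (p == NULL || end - p < 2) return NULL;
    *tag = p[0]; l = p[1]; p += 2;
    if (l & 0x80) {                              /* long form: next n bytes hold the length */
        n = l & 0x7F;
        if (n == 0 || n > 2 || (size_t)(end - p) < n) return NULL;
        for (l = 0, i = 0; i < n; i++) l = (l << 8) | *p++;
    }
    if ((size_t)(end - p) < l) return NULL;
    *len = l;
    return p;
}

/* Days since 1970-01-01 for a Gregorian date (Howard Hinnant's civil-date algorithm). */
static int64_t days_from_civil(int y, int m, int d)
{
    int64_t era, yoe, doy, doe;
    y -= (m <= 2);
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* "YYMMDDHHMMSSZ" (UTCTime, RFC 5280 pivot: YY < 50 is 20YY) or "YYYYMMDDHHMMSSZ"
 * (GeneralizedTime) -> Unix seconds; -1 on malformed input. */
int64_t asn1_time_to_epoch(const char *s, size_t n)
{
    size_t i;
    int year = 0, off, m, d, hh, mm, ss;
    if ((n != 13 && n != 15) || s[n - 1] != 'Z') return -1;
    for (i = 0; i + 1 < n; i++) if (s[i] < '0' || s[i] > '9') return -1;
    off = (int)n - 11;                           /* 2 or 4 year digits */
    for (i = 0; i < (size_t)off; i++) year = year * 10 + (s[i] - '0');
    if (n == 13) year += (year < 50) ? 2000 : 1900;
#define D2(k) ((s[(k)] - '0') * 10 + (s[(k) + 1] - '0'))
    m = D2(off); d = D2(off + 2); hh = D2(off + 4); mm = D2(off + 6); ss = D2(off + 8);
#undef D2
    if (m < 1 || m > 12 || d < 1 || d > 31 || hh > 23 || mm > 59 || ss > 60) return -1;
    return days_from_civil(year, m, d) * 86400 + hh * 3600 + mm * 60 + ss;
}

/* Walk Certificate -> tbsCertificate -> validity; return notAfter as Unix seconds, -1 if not X.509. */
int64_t cert_expiry_epoch(const uint8_t *der, size_t der_len)
{
    const uint8_t *end = der + der_len, *p, *v;
    uint8_t tag; size_t len; int i;
    p = der_tlv(der, end, &tag, &len);           /* Certificate ::= SEQUENCE */
    if (!p || tag != 0x30) return -1;
    end = p + len;
    p = der_tlv(p, end, &tag, &len);             /* tbsCertificate SEQUENCE */
    if (!p || tag != 0x30) return -1;
    end = p + len;
    v = der_tlv(p, end, &tag, &len);             /* optional [0] EXPLICIT version */
    if (!v) return -1;
    if (tag == 0xA0) p = v + len;
    for (i = 0; i < 3; i++) {                    /* skip serialNumber, signature, issuer */
        if (!(v = der_tlv(p, end, &tag, &len))) return -1;
        p = v + len;
    }
    v = der_tlv(p, end, &tag, &len);             /* validity SEQUENCE { notBefore, notAfter } */
    if (!v || tag != 0x30) return -1;
    end = v + len;
    p = der_tlv(v, end, &tag, &len);             /* notBefore (not needed for this check) */
    if (!p) return -1;
    p = der_tlv(p + len, end, &tag, &len);       /* notAfter: UTCTime 0x17 or GeneralizedTime 0x18 */
    if (!p || (tag != 0x17 && tag != 0x18)) return -1;
    return asn1_time_to_epoch((const char *)p, len);
}

/* Renewal decision for the certificate buffer in the flash slot: 1 = expired or inside the
 * renewal window (install the replacement now), 0 = still good, -1 = buffer does not parse
 * (treated as "replace", never as "fine"). */
int cert_needs_renewal(const uint8_t *der, size_t der_len, int64_t now, int64_t renew_before)
{
    int64_t expiry = cert_expiry_epoch(der, der_len);
    if (expiry < 0) return -1;
    return (expiry - now <= renew_before) ? 1 : 0;
}

/* Constructed DER skeleton (not a real or signed certificate): notAfter = 2024-01-01T00:00:00Z. */
static const uint8_t kTestCertDer[] = {
    0x30, 0x2E,                                        /* Certificate SEQUENCE (46 bytes) */
    0x30, 0x2C,                                        /*  tbsCertificate SEQUENCE (44 bytes) */
    0xA0, 0x03, 0x02, 0x01, 0x02,  0x02, 0x01, 0x01,   /*   [0] version v3; serialNumber 1 */
    0x30, 0x00,  0x30, 0x00,                           /*   signature alg, issuer (empty stand-ins) */
    0x30, 0x1E,                                        /*   validity SEQUENCE (30 bytes) */
    0x17, 0x0D, '2','3','0','1','0','1','0','0','0','0','0','0','Z',   /* notBefore 2023-01-01 */
    0x17, 0x0D, '2','4','0','1','0','1','0','0','0','0','0','0','Z',   /* notAfter  2024-01-01 */
};

int main(void)
{
    /* Constructed "now" (2023-12-01T00:00:00Z) and an assumed 30-day renewal window. */
    int64_t now = days_from_civil(2023, 12, 1) * 86400, window = 30LL * 86400;
    int64_t expiry = cert_expiry_epoch(kTestCertDer, sizeof kTestCertDer);
    printf("notAfter=%lld days_left=%lld needs_renewal=%d\n", (long long)expiry,
           (long long)((expiry - now) / 86400),
           cert_needs_renewal(kTestCertDer, sizeof kTestCertDer, now, window));
    return 0;
}
```

Two design points carry over to a real device: the renewal window should be longer than the longest period the device is expected to be offline, so the replacement can be fetched while the old certificate still handshakes; and a buffer that fails to parse is reported as "replace" rather than "fine", so a corrupted flash slot is never silently treated as a valid certificate.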

Re: How to handle certificate expiry in device

Thanks Kareem. Storing certs in flash can be a better option, but I have one question: when I generate a new CA certificate using wolfSSL APIs, and also a chain of trust of certs, basically it will create 3 certs (root CA, intermediate, server cert). Out of those, which should get stored in the device (client), and how does the server get to know about the certificate?
Can you explain how this process works out? I am trying to understand this process between client and server but still have not completely understood it.
