I'm deploying a mass amount of ESP32 devices that will communicate with our own deployed server through HTTPS for data and updates. It will also communicate with our broker through mqtts.
I would like to know what are the best practices for storing the certificates in the ESP32 and have a few questions.
- How does the ESP32 verify the cert? I read that you can use either the root, intermediate, or server cert in the ESP32 and it will work.
- As the server will only be accessed by the devices, is it ok to have a self-sign cert on the server so that the cert never expires? What are the security risks?
- If were to purchase a cert from a CA, to get the maximum expiry on the cert, I would use the root CA cert, right? So wouldn't that make the cert expiry not in my control?
Forgive me for my lack of knowledge in the workings of how the chain of trust and certs work. Any help or guidance will be much appreciated. Thank you.