esp-idf/docs/en/api-reference/protocols/esp_crt_bundle.rst

ESP x509 Certificate Bundle
===========================

Overview
--------

The ESP x509 Certificate Bundle API provides an easy way to include a bundle of custom x509 root certificates for TLS server verification.

.. note::

    The bundle is currently not available when using WolfSSL.

The bundle comes with the complete list of root certificates from Mozilla's NSS root certificate store. Using the gen_crt_bundle.py python utility the certificates' subject name and public key are stored in a file and embedded in the {IDF_TARGET_NAME} binary.

When generating the bundle you may choose between:

 * The full root certificate bundle from Mozilla, containing more than 130 certificates. The current bundle was updated Tue Jan 10 04:12:06 2023 GMT.
 * A pre-selected filter list of the name of the most commonly used root certificates, reducing the amount of certificates to around 41 while still having around 90% absolute usage coverage and 99% market share coverage according to SSL certificate authorities statistics.

In addition, it is possible to specify a path to a certificate file or a directory containing certificates which then will be added to the generated bundle.

.. note::

    Trusting all root certificates means the list will have to be updated if any of the certificates are retracted. This includes removing them from ``cacrt_all.pem``.

Configuration
-------------

Most configuration is done through menuconfig. CMake will generate the bundle according to the configuration and embed it.

 * :ref:`CONFIG_MBEDTLS_CERTIFICATE_BUNDLE`: automatically build and attach the bundle.
 * :ref:`CONFIG_MBEDTLS_DEFAULT_CERTIFICATE_BUNDLE`: decide which certificates to include from the complete root list.
 * :ref:`CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH`: specify the path of any additional certificates to embed in the bundle.

To enable the bundle when using ESP-TLS simply pass the function pointer to the bundle attach function:

.. code-block:: c

    esp_tls_cfg_t cfg = {
         .crt_bundle_attach = esp_crt_bundle_attach,
    };

This is done to avoid embedding the certificate bundle unless activated by the user.

If using mbedTLS directly then the bundle may be activated by directly calling the attach function during the setup process:

.. code-block:: c

    mbedtls_ssl_config conf;
    mbedtls_ssl_config_init(&conf);

    esp_crt_bundle_attach(&conf);


.. _updating_bundle:

Generating the List of Root Certificates
----------------------------------------
The list of root certificates comes from Mozilla's NSS root certificate store, which can be found `here <https://wiki.mozilla.org/CA/Included_Certificates>`_

The list can be downloaded and created by running the script ``mk-ca-bundle.pl`` that is distributed as a part of `curl <https://github.com/curl/curl>`_.
Another alternative would be to download the finished list directly from the curl website: `CA certificates extracted from Mozilla <https://curl.se/docs/caextract.html>`_

The common certificates bundle were made by selecting the authorities with a market share of more than 1 % from w3tech's `SSL Survey <https://w3techs.com/technologies/overview/ssl_certificate>`_.

These authorities were then used to pick the names of the certificates for the filter list, `cmn_crt_authorities.csv`, from `this list <https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportPEMCSV>`_ provided by Mozilla.


Updating the Certificate Bundle
-------------------------------

The bundle is embedded into the app and can be updated along with the app by an OTA update. If you want to include a more up-to-date bundle than the bundle currently included in ESP-IDF, then the certificate list can be downloaded from Mozilla as described in :ref:`updating_bundle`.


Application Example
-------------------

Simple HTTPS example that uses ESP-TLS to establish a secure socket connection using the certificate bundle with two custom certificates added for verification: :example:`protocols/https_x509_bundle`.

HTTPS example that uses ESP-TLS and the default bundle: :example:`protocols/https_request`.

HTTPS example that uses mbedTLS and the default bundle: :example:`protocols/https_mbedtls`.

API Reference
-------------

.. include-build-file:: inc/esp_crt_bundle.inc
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00			`ESP x509 Certificate Bundle`
			`===========================`

			`Overview`
			`--------`

			`The ESP x509 Certificate Bundle API provides an easy way to include a bundle of custom x509 root certificates for TLS server verification.`

docs: update format issues for EN and CN under api-reference/protocols and migration-guides 2023-07-31 04:13:41 -04:00			`.. note::`
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00
docs: update format issues for EN and CN under api-reference/protocols and migration-guides 2023-07-31 04:13:41 -04:00			`The bundle is currently not available when using WolfSSL.`

			`The bundle comes with the complete list of root certificates from Mozilla's NSS root certificate store. Using the gen_crt_bundle.py python utility the certificates' subject name and public key are stored in a file and embedded in the {IDF_TARGET_NAME} binary.`
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00
			`When generating the bundle you may choose between:`

Update esp_crt_bundle certificates 2023-01-10 21:00:31 -05:00			`* The full root certificate bundle from Mozilla, containing more than 130 certificates. The current bundle was updated Tue Jan 10 04:12:06 2023 GMT.`
Update common cert authorities csv 2023-03-11 22:00:24 -05:00			`* A pre-selected filter list of the name of the most commonly used root certificates, reducing the amount of certificates to around 41 while still having around 90% absolute usage coverage and 99% market share coverage according to SSL certificate authorities statistics.`
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00
docs: update format issues for EN and CN under api-reference/protocols and migration-guides 2023-07-31 04:13:41 -04:00			`In addition, it is possible to specify a path to a certificate file or a directory containing certificates which then will be added to the generated bundle.`

			`.. note::`
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00
docs: update format issues for EN and CN under api-reference/protocols and migration-guides 2023-07-31 04:13:41 -04:00			Trusting all root certificates means the list will have to be updated if any of the certificates are retracted. This includes removing them from ``cacrt_all.pem``.
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00
			`Configuration`
			`-------------`

Build & config: Remove the "make" build system The "make" build system was deprecated in v4.0 in favor of idf.py (cmake). The remaining support is removed in v5.0. 2021-11-04 10:28:07 -04:00			`Most configuration is done through menuconfig. CMake will generate the bundle according to the configuration and embed it.`
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00
			* :ref:`CONFIG_MBEDTLS_CERTIFICATE_BUNDLE`: automatically build and attach the bundle.
			* :ref:`CONFIG_MBEDTLS_DEFAULT_CERTIFICATE_BUNDLE`: decide which certificates to include from the complete root list.
			* :ref:`CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH`: specify the path of any additional certificates to embed in the bundle.

			`To enable the bundle when using ESP-TLS simply pass the function pointer to the bundle attach function:`

docs: update format issues for EN and CN under api-reference/protocols and migration-guides 2023-07-31 04:13:41 -04:00			`.. code-block:: c`
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00
			`esp_tls_cfg_t cfg = {`
			`.crt_bundle_attach = esp_crt_bundle_attach,`
			`};`

			`This is done to avoid embedding the certificate bundle unless activated by the user.`

			`If using mbedTLS directly then the bundle may be activated by directly calling the attach function during the setup process:`

docs: update format issues for EN and CN under api-reference/protocols and migration-guides 2023-07-31 04:13:41 -04:00			`.. code-block:: c`
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00
			`mbedtls_ssl_config conf;`
			`mbedtls_ssl_config_init(&conf);`

			`esp_crt_bundle_attach(&conf);`


docs/esp_crt_bundle: fix section reference for updating cert bundle 2022-03-24 22:04:25 -04:00			`.. _updating_bundle:`

Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00			`Generating the List of Root Certificates`
			`----------------------------------------`
			The list of root certificates comes from Mozilla's NSS root certificate store, which can be found `here <https://wiki.mozilla.org/CA/Included_Certificates>`_
docs: update format issues for EN and CN under api-reference/protocols and migration-guides 2023-07-31 04:13:41 -04:00
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00			The list can be downloaded and created by running the script ``mk-ca-bundle.pl`` that is distributed as a part of `curl <https://github.com/curl/curl>`_.
docs: update redirected links 2022-04-28 02:34:20 -04:00			Another alternative would be to download the finished list directly from the curl website: `CA certificates extracted from Mozilla <https://curl.se/docs/caextract.html>`_
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00
docs: update redirected links 2022-04-28 02:34:20 -04:00			The common certificates bundle were made by selecting the authorities with a market share of more than 1 % from w3tech's `SSL Survey <https://w3techs.com/technologies/overview/ssl_certificate>`_.
docs: update format issues for EN and CN under api-reference/protocols and migration-guides 2023-07-31 04:13:41 -04:00
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00			These authorities were then used to pick the names of the certificates for the filter list, `cmn_crt_authorities.csv`, from `this list <https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportPEMCSV>`_ provided by Mozilla.

docs/esp_crt_bundle: fix section reference for updating cert bundle 2022-03-24 22:04:25 -04:00
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00
			`Updating the Certificate Bundle`
			`-------------------------------`

docs/esp_crt_bundle: fix section reference for updating cert bundle 2022-03-24 22:04:25 -04:00			The bundle is embedded into the app and can be updated along with the app by an OTA update. If you want to include a more up-to-date bundle than the bundle currently included in ESP-IDF, then the certificate list can be downloaded from Mozilla as described in :ref:`updating_bundle`.
Add ESP certificate bundle feature Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296 2019-09-29 06:04:34 -04:00


			`Application Example`
			`-------------------`

			Simple HTTPS example that uses ESP-TLS to establish a secure socket connection using the certificate bundle with two custom certificates added for verification: :example:`protocols/https_x509_bundle`.

			HTTPS example that uses ESP-TLS and the default bundle: :example:`protocols/https_request`.

			HTTPS example that uses mbedTLS and the default bundle: :example:`protocols/https_mbedtls`.

			`API Reference`
			`-------------`

			`.. include-build-file:: inc/esp_crt_bundle.inc`