I have an ESP32 device that operates in two modes:

- Where it operates as an AP on the local network for configuration and deploys its own webserver.
- Where it operates on the local network and measures and communicates to an MQTT Broker.

Now I want to secure the connection on the device side by adding SSL CA in it. For mode 1, the device is the server and it needs to have a certificate as such. I read the Secure Socket Layer library and I see that the main point is to use “ssl.create_ssl_context” method. But to get it, I need to pass a reference to “cacert”, which in the example is obtained by calling the “__lookup” macro. This macro, as far as I see, gets the certificate from a CA authority and stores it on the device. Which is crystal clear, if I were to use a CA authority.
My question is: Should I, and if yes, how should I, use __lookup if I were to use a locally generated OpenSSL certificate?
If that is not wise or possible to do, and I have to generate a certificate from the CA, I’d use LetsEncrypt. To get the certificate from them, should I use the “SSL_CACERT_DST_ROOT_CA_X3” or “SSL_CACERT_IDENTRUST_COMMERCIAL_ROOT_CA_1”, due to the reasons outlined here in section “Intermediate Certificates”:
I want to secure the local network communication between the Node (ESP32) and the Edge Server (Local Server), which communicate on the local network level only. The device is not reachable directly from the outside.
Thanks in advance!