How to install certificate on a microcontroller

How to get a cert on an embedded device which does not have SSH services and is not hosted on a service like GoDaddy. The device the webserver is on is an ESP32 in my local network. I have a domain which I can use to access it when using port forwarding. I do have full control over the device but it does not meet the criteria mentioned for installing a certificate (SSH or hosted). Maybe my only option is a self-signed certificate?
Thanks for reading.

My domain is: boulderhill.xyz (currently offline)

I ran this command: none

It produced this output: none

My web server is (include version): located on the ESP32 device, programmed in C

The operating system my web server runs on is (include version): FreeRTOS

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): no login

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Does the webserver on the ESP32 even have TLS capabilities?

3 Likes

Yes it does. https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/protocols/esp_tls.html

1 Like

Perhaps you need to tell us more about your use case or what you're trying to do exactly.

Let's Encrypt certificates are short-lived certificates trusted by the general public. This is what you want for a public website, but you don't usually host these on a microcontroller. Instead, on a microcontroller it would be more common to have some sort of machine-to-machine traffic e.g. for C&C, signaling or similar purposes. In this case you don't need a public certificate: Pinning public keys or rolling your own CA is what is typically used here. This is perfectly fine and secure if you control the devices in question.

You can attempt to build a workflow that obtains a certificate outside the device and then pushes that onto the device's firmware. Since LE certificates are short-lived you would have to repeat this process frequently, one of the reasons why this isn't usually done. You can also attempt to hack an ACME client into the device's firmware (there are C-based clients available), if hardware resources and software architecture allow this. It will likely be non-trivial though and require some development.

6 Likes

My project goal is to mount an ESP32-based camera that streams video or sends images that I can monitor from the public network. The board/camera will be able to be positioned using servo motors that can be controlled from a client web interface.

I am not a network guy but more of an EE guy so learning about networking, protocols, security has been making me weak.

Lots of info about the client side using ESP32 and easily getting the certs from servers I wish to communicate with, but not much info when the ESP32 is a public-facing server. So it makes sense when you said it is not usually done this way.

So I am thinking either a self-signed cert using HTTPS and some kind of authentication, or using a cloud server to send images to and access the images from a browser. This has taken a while to try to figure out what is the best way to do this.
Thanks for responding.

2 Likes

Why not use a reverse proxy? Caddy can handle all the TLS stuff automatically.

3 Likes

I don't know what Caddy is but I will check it out. Thanks.

1 Like

I was thinking about that too. And if the ESP32 is off-premise with regard to the reverse proxy, just set up a self-signed certificate with a very long lifetime on the ESP32 which is trusted by the reverse proxy.

Caddy is just one of the many webservers out there with a reverse proxy feature. Others are e.g. the common webservers Apache and nginx. Another option would be HAProxy. All have their pros and cons of course.

5 Likes
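The reverse-proxy layout described in the last two posts (public cert handled by Caddy, a long-lived self-signed cert on the ESP32 that only the proxy trusts) can be set up with the script below. It is an added example for this thread, not code from any poster or from the Caddy or ESP-IDF projects. The LAN address `192.168.1.50`, the device name `esp32cam.lan`, the user name `camuser` and the file paths are assumptions; the domain is the one from the opening post. It also assumes the ESP32 runs the ESP-IDF HTTPS server with the generated certificate and key embedded in the firmware, which is outside the script.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from the Caddy/ESP-IDF
# projects. It produces the two artifacts the reverse-proxy design needs:
#   1. a long-lived self-signed certificate for the ESP32's own HTTPS server
#      (embed esp32cam.crt/.key in the firmware, e.g. via EMBED_TXTFILES in
#      the ESP-IDF component's CMakeLists.txt);
#   2. a Caddyfile that terminates public TLS for the domain and forwards to
#      the ESP32, trusting only that self-signed certificate upstream.
# The IP, hostname, user name and paths below are assumed values.
set -eu

ESP32_IP="${ESP32_IP:-192.168.1.50}"          # assumed LAN address of the camera
ESP32_NAME="${ESP32_NAME:-esp32cam.lan}"      # assumed name the ESP32 cert is issued for
PUBLIC_HOST="${PUBLIC_HOST:-boulderhill.xyz}" # domain from the thread; Caddy gets its LE cert

# make_esp32_cert OUTDIR  ->  prints the path of the certificate
# Self-signed P-256 cert valid for 10 years. Browsers would reject such a
# lifetime, but here the only verifier is our own proxy. The SAN must carry the
# name/IP Caddy connects with: Go-based verifiers such as Caddy ignore the CN.
make_esp32_cert() {
    outdir="$1"
    mkdir -p "$outdir"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 3650 -subj "/CN=$ESP32_NAME" \
        -addext "subjectAltName=DNS:$ESP32_NAME,IP:$ESP32_IP" \
        -keyout "$outdir/esp32cam.key" -out "$outdir/esp32cam.crt" 2>/dev/null
    chmod 600 "$outdir/esp32cam.key"
    echo "$outdir/esp32cam.crt"
}

# write_caddyfile OUTFILE CERTPATH  ->  prints OUTFILE
# CERTPATH is where the ESP32 certificate will live on the proxy host.
write_caddyfile() {
    cat > "$1" <<EOF
$PUBLIC_HOST {
    # Caddy obtains and renews the public (Let's Encrypt) certificate itself.

    # Camera control should not be open to everyone who finds the domain.
    # Generate the hash with: caddy hash-password   (placeholder below).
    # Caddy releases before 2.8 spell this directive "basicauth".
    basic_auth {
        camuser PLACEHOLDER_BCRYPT_HASH
    }

    reverse_proxy https://$ESP32_IP {
        transport http {
            # Trust exactly the ESP32's self-signed cert, nothing else.
            # Do NOT use tls_insecure_skip_verify here: it would make the
            # proxy accept any device answering on that address.
            tls_trusted_ca_certs $2
            tls_server_name $ESP32_NAME
        }
    }
}
EOF
    echo "$1"
}

# caddyfile_pins_upstream FILE  ->  exit 0 if the non-comment lines pin the
# upstream certificate rather than disabling verification.
caddyfile_pins_upstream() {
    active=$(grep -v '^[[:space:]]*#' "$1")
    echo "$active" | grep -q 'tls_trusted_ca_certs' &&
        ! echo "$active" | grep -q 'tls_insecure_skip_verify'
}

# Usage: sh esp32-caddy-setup.sh /etc/caddy
if [ $# -gt 0 ]; then
    cert=$(make_esp32_cert "$1")
    write_caddyfile "$1/Caddyfile" "$cert"
    echo "Embed $cert and $1/esp32cam.key in the ESP32 firmware, then run: caddy run --config $1/Caddyfile"
fi
```

The design point is in the `transport http` block: the proxy verifies the ESP32 against that one certificate, so a device swapped onto the same address with a different key is refused, while the public side still gets a normal, automatically renewed certificate and a login prompt before any servo is moved.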

Just wanted to let you guys know I did check out Caddy and at first I was so confused as I do not know server configuration. But after spending a couple of days reading and trying things I did get Caddy to work, first as a web server over HTTPS and then as a reverse proxy through which I could stream my video to my public IP. In both instances Caddy took care of the certificate stuff in the background. So thanks for the recommendation.

6 Likes
