Comments/Suggestion welcome on the proposed security setup for uploading test data to a website.
We are designing some lab equipment and need to upload data to a website.
The design is using an ESP32 low power micro with built in WiFi and an SD card, internal to the lab equipment.
To connect using https to the website, we need to store a ‘root’ cert (CA) in the device.
It will be an annoyance to the customers if they have to update the CA on a regular basis so we want a
long dated CA to use to sign the website cert.
The website will only be accessed to upload data from the devices. It does not need to be accessed by
normal web browsers.
LetsEncrypt X1 cert, which is valid to 2035, has been suggested.
So the proposed system is to request a website cert signed by LetsEncrypt X1 and then install the X1
CA in the device.
As an alternative, we could use the process described here
to create our own CA cert and then use that to sign the website cert and store our own CA in the
Since the ESP32 does not have any idea about the actual date, we assume it won’t care about either the CA or the website certicate expiring (but we need to check that).
Using this process, the only time we would need customers to update the stored CA would be if the CA keys were compromised.
Comments suggestions on the security of the system welcome.