How to update a root certificate

I have an ESP32 connected via https.
For this, I use the WifiClientSecure library.

It’s all working fine, but my web hosting provider changes its root certificate every 3 months.
So, the const char* test_root_ca= etc. (at line 20) must be updated every 3 months.

Does someone have an idea of how to handle this, some kind of automated process?
The problem is, when the certificate has changed, I can no longer remotely connect to the ESP32 (to update the certificate).

It's a simple string and you can change it during runtime. So you can store it anywhere you like or your setup allows. Depending on the exact hardware you're using you might store it in the flash, the RTC SRAM or a connected SD card reader.

The problem is, when the certificate has changed, I can no longer remotely connect to the ESP32 (to update the certificate).

I don't see why you cannot connect to the ESP32, as the root certificate is used for making a request from the ESP32 to an HTTPS server. So the ESP32 cannot connect to the outside world (by HTTPS) but not the other way around.

BTW: Are you sure your hoster replaces the root certificate and not some intermediate certificate?
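
As an added example of the runtime approach pylon describes (this is not code from the thread): the CA certificate is read from a PEM file on the SD card at boot and handed to WiFiClientSecure, with a compiled-in copy as fallback. It assumes the standard ESP32 Arduino core (WiFi, WiFiClientSecure, SD), a file at /ca.pem on the card, and placeholder values for the SSID, password and host.

```arduino
#include <WiFi.h>
#include <WiFiClientSecure.h>
#include <SD.h>

const char* ssid = "YOUR_SSID";          // placeholder
const char* password = "YOUR_PASSWORD";  // placeholder
const char* host = "example.com";        // placeholder HTTPS host

// Last-resort copy, used only when /ca.pem cannot be read from the card.
const char* fallback_root_ca =
  "-----BEGIN CERTIFICATE-----\n"
  "...paste the current root CA here...\n"
  "-----END CERTIFICATE-----\n";

// setCACert() keeps the pointer, so this buffer must outlive the client.
static char* ca_from_sd = nullptr;
// Read a PEM file into a NUL-terminated heap buffer; nullptr on failure.
// The BEGIN/END check stops a truncated file from silently breaking TLS.
char* loadCaFromSd(const char* path) {
  File f = SD.open(path, FILE_READ);
  if (!f) return nullptr;
  size_t len = f.size();
  char* buf = (char*)malloc(len + 1);
  if (!buf) { f.close(); return nullptr; }
  size_t n = f.readBytes(buf, len);
  f.close();
  buf[n] = '\0';
  if (!strstr(buf, "-----BEGIN CERTIFICATE-----") ||
      !strstr(buf, "-----END CERTIFICATE-----")) { free(buf); return nullptr; }
  return buf;
}

void setup() {
  Serial.begin(115200);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) delay(500);
  const char* ca = fallback_root_ca;
  if (SD.begin() && (ca_from_sd = loadCaFromSd("/ca.pem")) != nullptr) {
    ca = ca_from_sd;   // a new root is just a new file on the card
  }
  WiFiClientSecure client;
  client.setCACert(ca);   // keep validation on; do not use setInsecure()
  bool ok = client.connect(host, 443);
  Serial.println(ok ? "TLS handshake OK" : "TLS failed: is /ca.pem the current root CA?");
  client.stop();
}

void loop() {}
```

Anyone with physical access to the card can swap the file, so the trust you place in /ca.pem is only as good as the device's physical protection. Replacing the file is also a good moment to confirm (as the replies below suggest) that it is really the root, and not the intermediate or server certificate, that changed.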

The string is on the SD card, so that's not an issue.

pylon:
I don’t see why you cannot connect to the ESP32, as the root certificate is used for making a request from the ESP32 to an HTTPS server. So the ESP32 cannot connect to the outside world (by HTTPS) but not the other way around.

Good point. I had an ESP that didn’t respond anymore, so I did not look any further to see if there might be a one-way direction left. I’ll try that!

pylon:
BTW: Are you sure your hoster replaces the root certificate and not some intermediate certificate?

That’s what my ISP told me, and the certificate has changed indeed.

Root certificates rarely expire, but intermediate and server certificates frequently expire. Connect to your https server using Firefox, then use Firefox to examine the certificate chain, paying particular attention to the expiration date of each certificate.

gdsports:
Root certificates rarely expire, but intermediate and server certificates frequently expire. Connect to your https server using Firefox, then use Firefox to examine the certificate chain, paying particular attention to the expiration date of each certificate.

Some more details on exactly how to do that would be useful.

See my notes on getting a root certificate into a const char array.

To see the root certificate expiration date, follow the above instructions to get to the Certificate Viewer | Details window. The top window pane, Certificate Hierarchy, shows the certificate chain with the root certificate at the top and the server certificate at the bottom. Click on the root certificate so it is highlighted.

The middle pane, Certificate Fields, shows the root certificate fields. Click on the field named "Not After" so it is highlighted.

The bottom pane, Field Value, shows the expiration date.

The following screenshot for https://www.google.com shows the root certificate expiration date is May 21, 2022. In contrast, the intermediate and server certificates have expiration dates in 2018.

:o This is confusing...

My website:
When I click the green padlock, the first screen 'Certificate' shows an expiration date in July 2018.
When I click the 'Path' tab (I use Chrome), the root has an expiration date in September 2021.
Below that, the certificate has an expiration date in March 2021.

Now I see I can export all 3 of them.
I did export the first one (7-2018), so apparently not the root (though https did work?).

To make things clear: I should export the root (top, 9-2021) certificate, right?

Yes, export the root certificate.

Thanks, this'll make things a lot easier!