You should only use setInsecure
during the early dev phase when you are trying to get something to work -- or if you are donating your time to help someone else do the same. Once you've got it working, to be secure, you should not use it.
The CA in setCACert
stands for Certificate Authority. You don't set the cert for the individual website -- there are millions of those. You need the "root" cert, signed by one of over 100 CAs out there.
For example, Google acts as its own CA (Google Trust Services). *.web.telegram.org
uses Go Daddy. Some boards/clients are set up to store maybe a dozen CAs, which would enable you to verify thousands of different hosts. But WiFiClientSecure
is simple: just one.
To get the cert, which is public, you can use the browser. Each one has some UI, usually by clicking the lock icon just before the URL, and clicking through whatever "more info" to drill down and see the whole certificate chain. The last one is the root, and there should be a way to download it. You want the PEM format, of just that one certificate. (Not the chain, although if you download the chain, you can pull out the root -- just more work.)
I happen to have Amazon's handy -- won't work in this case -- but if you use raw strings, it's an easy copy&paste.
const char AMAZON_ROOT_CERT[] = R"(
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
)";
client.setCACert(AMAZON_ROOT_CERT); // If contacting AWS or someone using Amazon-signed certs
You want the one from "Go Daddy Root Certificate Authority" instead.
(BTW, you can get your own certificate, so that the server can verify that a request is coming from you -- mutual authentication, so you can verify each other. This is a more advanced use case, and a whole 'nother topic.)
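Pulling the single root certificate out of a downloaded chain file, as an added example that is not code from the original post (the sample chain and its placeholder bodies are constructed, and the `setCACert` call at the end assumes the ESP32 `WiFiClientSecure` API described above):

```cpp
#include <string>
#include <vector>

// Added example (not from the original post): split a PEM bundle into its
// individual certificates so the LAST one (the root) can be handed to
// WiFiClientSecure::setCACert(), which accepts a single certificate only.
static const char BEGIN_MARK[] = "-----BEGIN CERTIFICATE-----";
static const char END_MARK[]   = "-----END CERTIFICATE-----";

// Return every BEGIN..END CERTIFICATE block found in `pem`, in file order.
// Text outside the markers (comments, blank lines) is dropped; a block
// with no END marker is treated as truncated and ignored.
std::vector<std::string> splitPemCerts(const std::string& pem) {
    std::vector<std::string> certs;
    size_t pos = 0;
    for (;;) {
        size_t b = pem.find(BEGIN_MARK, pos);
        if (b == std::string::npos) break;
        size_t e = pem.find(END_MARK, b);
        if (e == std::string::npos) break;
        e += sizeof(END_MARK) - 1;
        certs.push_back(pem.substr(b, e - b) + "\n");
        pos = e;
    }
    return certs;
}

// The root is the last certificate in a server-supplied chain file.
// Returns an empty string if the input holds no complete certificate.
std::string rootCertFromChain(const std::string& chain) {
    std::vector<std::string> certs = splitPemCerts(chain);
    return certs.empty() ? std::string() : certs.back();
}

// Constructed sample chain (leaf, intermediate, root): the base64 bodies
// are placeholders, not real certificates.
static const char SAMPLE_CHAIN[] = R"(-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDER
-----END CERTIFICATE-----
)";

// On the board you would then do (assumed API, keep `root` alive for as long
// as the client is in use, because setCACert() stores the pointer, not a copy):
//   static std::string root = rootCertFromChain(SAMPLE_CHAIN);
//   client.setCACert(root.c_str());   // one root, not the whole chain
```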