1. Home
  2. /
  3. Use cases
  4. /
  5. Set up your ESP32 board with secure updates

Set up your ESP32 board with secure updates

Get acquainted with our Espressif ESP32 and SignServer integration and learn more about how to enable secure OTA updates.

espressif logo

Enhanced Code Signing: Secure & Trustworthy ESP32 Build

The developer can only store the private part of the signature key locally with the out-of-the-box code signing solution provided by Espressif's tools. This means that it can be accessible, unprotected, and with limited evidence of authenticity. According to the Espressif manual, this method is only suitable for single-user development and refers to centralized tools for enterprise deployment, but there is no clear implementation roadmap.

The integration of Espressif ESP32 with our open-source PKI EJBCA and signature solution SignServer has enabled us to achieve a smooth and trustworthy build process. SignServer is a server-side signature solution that uses an HSM (Hardware Security Module) to protect code-signing keys and integrates with the EJBCA PKI to issue trusted code-signing certificates. For testing purposes, we provide SoftHSM options.

How to get started

In this tutorial, you will learn how to:

  • Issue signing certificate using EJBCA

  • Create a signing token in SignServer

  • Configure ESP-IDF and enable Secure Boot

  • Generate the SignServer signature and attach it to the application image

  • Upload the image and verify the signature with ESP32

For the full set of instructions, view our tutorials on how to set up SignServer and create a code signing certificate using EJBCA.


Screenshot 2024-02-22 at 16.35.04


To take full advantage of this tutorial, you need to have a basic understanding of the Espressif platform and security concepts. It is assumed that you are familiar and experienced with the ESP32 microcontroller and the ESP-IDF development framework, its system architecture, and the software lifecycle process. You should also understand and be able to apply the basic security functions of the ESP32. 

Before you begin, you also need the following:




Check out the supplementary documentation that goes hand-in-hand with our tutorial video.

Docker Hub

Get your hands on the SignServer Docker container by downloading it now from Docker Hub.


You can ask your questions and learn from PKI and signing specialists in the SignServer forum on GitHub Discussions.

Related open-source projects