Get acquainted with our Espressif ESP32 and SignServer integration and learn more about how to enable secure OTA updates.
The developer can only store the private part of the signature key locally with the out-of-the-box code signing solution provided by Espressif's tools. This means that it can be accessible, unprotected, and with limited evidence of authenticity. According to the Espressif manual, this method is only suitable for single-user development and refers to centralized tools for enterprise deployment, but there is no clear implementation roadmap.
The integration of Espressif ESP32 with our open-source PKI EJBCA and signature solution SignServer has enabled us to achieve a smooth and trustworthy build process. SignServer is a server-side signature solution that uses an HSM (Hardware Security Module) to protect code-signing keys and integrates with the EJBCA PKI to issue trusted code-signing certificates. For testing purposes, we provide SoftHSM options.
In this tutorial, you will learn how to:
Issue signing certificate using EJBCA
Create a signing token in SignServer
Configure ESP-IDF and enable Secure Boot
Generate the SignServer signature and attach it to the application image
Upload the image and verify the signature with ESP32
For the full set of instructions, view our tutorials on how to set up SignServer and create a code signing certificate using EJBCA.
To take full advantage of this tutorial, you need to have a basic understanding of the Espressif platform and security concepts. It is assumed that you are familiar and experienced with the ESP32 microcontroller and the ESP-IDF development framework, its system architecture, and the software lifecycle process. You should also understand and be able to apply the basic security functions of the ESP32.
Before you begin, you also need the following:
Check out the supplementary documentation that goes hand-in-hand with our tutorial video.
Get your hands on the SignServer Docker container by downloading it now from Docker Hub.
You can ask your questions and learn from PKI and signing specialists in the SignServer forum on GitHub Discussions.