- Newest
- Most votes
- Most comments
Hi Frank. (Presuming that you're not using the "custom code signing" feature of the FreeRTOS OTA update), you need to create the certificate using a tool like OpenSSL, and then import it into ACM. You previously mentioned you have an ESP32 device, so here's a good guide: https://docs.aws.amazon.com/freertos/latest/userguide/ota-code-sign-cert-esp.html
If you create the OTA update from the console, it will ask for a code signing profile. You can create one from the certificate, like this:
aws signer put-signing-profile --profile-name my-profile --signing-material certificateArn=arn:aws:acm:<region>:<accountId>:certificate/<id> --platform AmazonFreeRTOS-Default --signing-parameters certname="foobar",certificatePathOnDevice="foobar"
More info here: https://docs.aws.amazon.com/freertos/latest/userguide/ota-updates-esp32-ble.html#ota-updates-esp32-ble-step2
The code signing certificate also needs to be present on the device. Please take care to consider the expiry date of the certificate. In some of our reference implementations, the device doesn't check/validate the certificate expiry, but rather, only uses the public key to validate the signature. If your device validates the expiry date, you'll also need the ability to update the code signing certificate.
Thanks, I believe that I was able to create the certificate and sign the file. I also created the ota update job, however, the job failed with an error that isn't documented: 0x000000e3: 0x00000000. Do you know what this means?
I'm worried when you say "The code signing certificate also needs to be present on the device". How could it be, if I just created it? These devices are already built and in the distribution channel. Does this mean there is already some certificate in the device and that's the one I need to find and use?
You mentioned on another question that the device firmware is based on the amazon-freertos repo. If so, the code signing certificate is baked in here: https://github.com/aws/amazon-freertos/blob/main/vendors/espressif/boards/ports/ota_pal_for_aws/ota_pal.c#L81
If the signing certificate in the firmware hasn't expired, then yes, you can import it into ACM and create OTA updates with it. Until it expires.
When the signing certificate in the firmware expires, you won't be able to use it in the cloud with an OTA job. I don't think the firmware is checking the certificate expiry. If that's the case, you may not need to update the signing certificate in the firmware even when it does expire. However, you would need the original private key to be able to create a new certificate (with the same public key), for the cloud to use.
Relevant content
- asked 2 months ago
- Accepted Answerasked 22 days ago
AWS OFFICIALUpdated 3 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 4 months ago
I realized that the firmware on the device I'm working with isn't even signed. For testing purposes I obtained a number of esp32 dev boards which don't support signed firmware, so I use unsigned versions of the firmware on them. This might be why I can't deploy the OTA update.
Looking at the build script that the other developer left, there is a line in it that is supposed to generate a new certificate if one doesn't exist, and I didn't find any existing one. This suggests that whatever certificate they used, I don't have. Is this the one I need?