Update README.md

Dan Halbert 2025-07-23 11:32:01 -04:00
parent c5f8961b94
commit 37f924db9a


@ -9,7 +9,7 @@ Those lists are quite complete, and too large for some embedded firmware.
This repo includes a tool to combine local or fetched root certificate lists and filter them
to the most commonly needed roots.
There is also a testing tool.
There is also a testing tool, and a `.pem` file canonicalization tool.
Projects can then use this repo as a submodule to have access to an updated list of root
certificates.
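Review bot: the comma in "a testing tool, and a `.pem` file canonicalization tool" is unneeded for a two-item list, and the sentence would be more useful if it named the tools it refers to, since the second hunk introduces them as `test_site_coverage.py` and `sort_pem_certificates.py`; consider "There is also a testing tool (`test_site_coverage.py`) and a `.pem` canonicalization tool (`sort_pem_certificates.py`)."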
@ -17,11 +17,20 @@ Currently the certificates are filtered from the [`curl` root
list](https://curl.se/docs/caextract.html), which is based on the
Mozilla root list, and from a local file.
- `tools/extra.pem` is a list of certificates needed but not present in the Mozilla root list.
- `tools/filter_certs.py` does the filtering to the most common root cert providers.
- `tools/filters.txt` contains regexps to match those providers or the cert names
- `tools/test_site_coverage.py` tests a given `roots.pem` against a long list of URL's.
- `tools/urls.txt` is that list of URLs. Add to it as necessary. Some are commented out, for reasons noted.
To generate the root certificate bundles, manually use the tools in `tools/`:
- `extra.pem` is a list of certificates needed but not present in the Mozilla root list.
- `generate_pem_files.py` generates a full and a filtered list from the Mozilla root list.
- `include.txt` contains regexps to filter the full list.
- `exclude.txt` contains regexps to exclude specific items from the filtered list.
- `test_site_coverage.py` tests a given `roots.pem` against a long list of URL's.
- `urls.txt` is that list of URLs. Add to it as necessary. Some are commented out, for reasons noted.
- `sort_pem_certificates.py` will canonicalize a `.pem` file by labeling and sorting the certificates,
and optionally changing the certificates' base64 line lengths.
The resulting filtered root certificate bundle is in `data/`.
- `data/roots.pem` contains the filtered list, with comments describing each certificate.
The resulting filtered root certificate bundles are in `data/`:
- `data/roots-full.pem` contains the full Mozilla list, plus certificates in `tools/extra.pem`
- `data/roots-filtered.pem` contains the filtered list, with comments describing each certificate.
An alternative for Espressif to using this repo is to use the
full and "common" (`CMN`) lists generated by ESP-IDF, in
[`components/mbedtls/esp_crt_bundle/`](https://github.com/espressif/esp-idf/tree/master/components/mbedtls/esp_crt_bundle). Use `CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL`, `CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN`, etc.
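Review bot: the rename of `data/roots.pem` to `data/roots-filtered.pem` (and the new `data/roots-full.pem`) is a breaking change for anyone consuming this repo as a submodule, as the first hunk's "Projects can then use this repo as a submodule" describes, yet nothing in the README notes the old path is gone; consider adding one sentence that `data/roots.pem` has been replaced by `data/roots-filtered.pem` so downstream builds referencing the old path know to update. Related wording: "`test_site_coverage.py` tests a given `roots.pem`" still uses the old file name; "against a long list of URL's" should be "URLs" (the following line already writes it correctly); and the `data/roots-full.pem` bullet is missing the trailing period the `data/roots-filtered.pem` bullet has.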