Files
espressif--esp-idf/examples/protocols/esp_http_client_mutual_auth/main/certs

Certificate Generation for Mutual TLS Example

All certificates are pre-generated with a 10-year lifetime. To regenerate, run the following OpenSSL commands from this directory (main/certs/).

Generate CA (signs both client and server certs)

openssl req -newkey rsa:2048 -nodes -keyout ca_key.pem -x509 -days 3650 \
  -out ca_cert.pem -subj "/CN=Mutual Auth Test CA"

Generate client certificate (embedded in firmware)

openssl genrsa -out client_key.pem 2048
openssl req -out client.csr -key client_key.pem -new -subj "/CN=esp_mutual_auth_client"
openssl x509 -req -days 3650 -in client.csr -CA ca_cert.pem -CAkey ca_key.pem \
  -sha256 -CAcreateserial -out client_cert.pem
rm client.csr ca_cert.srl

Generate server certificate (used by pytest mTLS server)

openssl genrsa -out server_key.pem 2048
openssl req -out server.csr -key server_key.pem -new -subj "/CN=esp_mutual_auth_server"
openssl x509 -req -days 3650 -in server.csr -CA ca_cert.pem -CAkey ca_key.pem \
  -sha256 -CAcreateserial -out server_cert.pem
rm server.csr ca_cert.srl

Files

File Purpose Embedded in firmware?
ca_cert.pem CA certificate (verifies server identity) Yes
ca_key.pem CA private key (signs certs; keep private) No
client_cert.pem Client certificate (sent to server) Yes (software mode)
client_key.pem Client private key Yes (software mode)
server_cert.pem Server certificate (pytest mTLS server) No
server_key.pem Server private key (pytest mTLS server) No

DS peripheral mode

For DS peripheral mode, see esp_secure_cert_data/ and the DS provisioning section in the top-level README.