diff --git a/tasmota/local_ca_data_sample.h b/tasmota/local_ca_data_sample.h
new file mode 100644
index 000000000..160e362ad
--- /dev/null
+++ b/tasmota/local_ca_data_sample.h
@@ -0,0 +1,51 @@
+/*
+ local_ca_sample.h - sample file for embedding a local CA certificate
+
+ Copyright (C) 2021 Theo Arends
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+/*
+To generate a version of this file containing data for your root certificate,
+run the following command from a Linux or Cygwin bash shell, assuming that a
+copy of brssl (or brssl.exe) is in the directory where the EasyRSA shell script
+is located.
+
+./brssl ta pki/ca.crt | sed -e '/br_x509/,+999 d' >local_ca_data.h
+
+Then copy local_ca_data.h into the same directory as user_config_override.
+
+Add this line to user_config_override.h:
+
+#define INCLUDE_LOCAL_CERT
+
+Be sure to generate both files: local_ca_data.h, and local_ca_descriptor.h
+*/
+
+//
+// this is what the result will look like, except there will be
+// a lot of data bytes defined in the first three arrays
+//
+static const unsigned char PROGMEM TA0_DN[] = {
+ // variable number of bytes go here (typically 100-140 or so) for the DN
+};
+
+static const unsigned char PROGMEM TA0_RSA_N[] = {
+ // 256 bytes go here for the public key modulus
+};
+
+static const unsigned char PROGMEM TA0_RSA_E[] = {
+ // 3 bytes go here for the public key exponent
+};
diff --git a/tasmota/local_ca_descriptor_sample.h b/tasmota/local_ca_descriptor_sample.h
new file mode 100644
index 000000000..3d4481981
--- /dev/null
+++ b/tasmota/local_ca_descriptor_sample.h
@@ -0,0 +1,50 @@
+/*
+ local-ca-sample.h - sample file for embedding a local CA certificate
+
+ Copyright (C) 2021 Theo Arends
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+/*
+To generate a version of this file containing data for your root certificate,
+run the following command from a Linux or Cygwin bash shell, assuming that a
+copy of brssl (or brssl.exe) is in the directory where the EasyRSA shell script
+is located.
+
+./brssl ta pki/ca.crt | sed -e '1,/br_x509/ d' -e '/};/,+999 d' >local_ca_descriptor.h
+
+Then copy local_ca_descriptor.h into the same directory as user_config_override.
+
+Add this line to user_config_override.h:
+
+#define INCLUDE_LOCAL_CERT
+
+Be sure to generate both files: local_ca_data.h, and local_ca_descriptor.h
+*/
+
+//
+// this is what the result will look like
+//
+ {
+ { (unsigned char *)TA0_DN, sizeof TA0_DN },
+ BR_X509_TA_CA,
+ {
+ BR_KEYTYPE_RSA,
+ { .rsa = {
+ (unsigned char *)TA0_RSA_N, sizeof TA0_RSA_N,
+ (unsigned char *)TA0_RSA_E, sizeof TA0_RSA_E,
+ } }
+ }
+ }
diff --git a/tasmota/tasmota_ca.ino b/tasmota/tasmota_ca.ino
index ce78760b6..007685863 100644
--- a/tasmota/tasmota_ca.ino
+++ b/tasmota/tasmota_ca.ino
@@ -17,12 +17,30 @@
along with this program. If not, see .
*/
-// The below is currenlty not used, CA validation takes too much memory and compute time.
-// Please use fingerprint validation instead
-// However, the CA are available below for future use if it appears to be useful
-
+//
+// Certificates are stored in flash (PROGMEM) to avoid consuming valuable RAM.
+//
+// To save space in flash, the Let's Encrypt and Amazon AWS certificates may be
+// individually omitted if TLS is enabled, but the certificates are not used.
+// This is typically the case when a locally generated root certificate is used
+// for TLS authentication.
+//
+// To omit these certificates, define one or both of the
+// OMIT_LETS_ENCRYPT_CERT and/or OMIT_AWS_CERT macros in user_config_override.h.
+//
+// To include a locally generated root certificate, define the
+// INCLUDE_LOCAL_CERT macro in user_config_override.h.
+//
+// See the files tasmota/local_ca_data_sample.h and tasmota/local_ca_descriptor_sample.h
+// in the Tasmota source for instructions for generating them from a local root
+// certificate in .crt format.
+//
+// Note: Using full certificate verification increases the amount of time
+// required to create a TLS connection, compared to fingerprint validation.
+//
#if defined(USE_TLS)
+#if ! defined(OMIT_LETS_ENCRYPT_CERT)
/*********************************************************************************************\
* LetsEncrypt R3 certificate, RSA 2048 bits SHA 256, valid until 20250915
*
@@ -71,18 +89,10 @@ static const unsigned char LetsEncryptR3_RSA_E[] = {
0x01, 0x00, 0x01
};
-static const br_x509_trust_anchor PROGMEM LetsEncryptR3_TA = {
- { (unsigned char *)LetsEncryptR3_DN, sizeof LetsEncryptR3_DN },
- BR_X509_TA_CA,
- {
- BR_KEYTYPE_RSA,
- { .rsa = {
- (unsigned char *)LetsEncryptR3_RSA_N, sizeof LetsEncryptR3_RSA_N,
- (unsigned char *)LetsEncryptR3_RSA_E, sizeof LetsEncryptR3_RSA_E,
- } }
- }
-};
+#endif
+
+#if ! defined(OMIT_AWS_CERT)
/*********************************************************************************************\
* Amazon Root CA, RSA 2048 bits SHA 256, valid until 20380117
*
@@ -132,20 +142,16 @@ static const unsigned char PROGMEM AmazonRootCA1_RSA_E[] = {
0x01, 0x00, 0x01
};
-const br_x509_trust_anchor PROGMEM AmazonRootCA1_TA = {
- { (unsigned char *)AmazonRootCA1_DN, sizeof AmazonRootCA1_DN },
- BR_X509_TA_CA,
- {
- BR_KEYTYPE_RSA,
- { .rsa = {
- (unsigned char *)AmazonRootCA1_RSA_N, sizeof AmazonRootCA1_RSA_N,
- (unsigned char *)AmazonRootCA1_RSA_E, sizeof AmazonRootCA1_RSA_E,
- } }
- }
-};
+#endif
-// cumulative CA
+#if defined(INCLUDE_LOCAL_CERT)
+#include
+#endif
+//
+// ========== cumulative CA =================
+//
const br_x509_trust_anchor PROGMEM Tasmota_TA[] = {
+#if ! defined(OMIT_LETS_ENCRYPT_CERT)
{
{ (unsigned char *)LetsEncryptR3_DN, sizeof LetsEncryptR3_DN },
BR_X509_TA_CA,
@@ -157,7 +163,13 @@ const br_x509_trust_anchor PROGMEM Tasmota_TA[] = {
} }
}
}
- ,
+
+#if ! defined(OMIT_AWS_CERT) || defined(INCLUDE_LOCAL_CERT)
+ ,
+#endif
+#endif
+
+#if ! defined(OMIT_AWS_CERT)
{
{ (unsigned char *)AmazonRootCA1_DN, sizeof AmazonRootCA1_DN },
BR_X509_TA_CA,
@@ -169,11 +181,26 @@ const br_x509_trust_anchor PROGMEM Tasmota_TA[] = {
} }
}
}
+
+#if defined(INCLUDE_LOCAL_CERT)
+ ,
+#endif
+#endif
+
+
+#if defined(INCLUDE_LOCAL_CERT)
+#include
+#endif
+
};
const size_t Tasmota_TA_size = nitems(Tasmota_TA);
+
+#if defined(USE_TELEGRAM)
+
// we add a separate CA for telegram
+
/*********************************************************************************************\
* GoDaddy Daddy Secure Certificate Authority - G2, RSA 2048 bits SHA 256, valid until 20220523
*
@@ -231,5 +258,6 @@ const br_x509_trust_anchor GoDaddyCAG2_TA PROGMEM = {
} }
}
};
+#endif
#endif // defined(USE_TLS)