15.3. Working with TLS certificates

The ssl module on the OpenMV Cam (built on mbedTLS) lets a script make encrypted, authenticated network connections. To do anything beyond plain encryption you need certificates. The pages in this section cover what they are, which key types and file formats the camera accepts, how to create self-signed certificates for development and obtain CA-signed ones for production, how to get them onto the camera and verify a remote server, how to protect the private key, and how certificate expiry and rotation affect a deployed device.

Note

Self-signed certificates are appropriate for development, testing, and closed deployments where you control both ends of the connection. For a service that arbitrary clients (browsers, phones, third parties) must trust without extra configuration you need a certificate signed by a public Certificate Authority; see CA-signed (publicly trusted) certificates.

• 15.3.1. Concepts: trust, keys, and file format
• 15.3.2. Prerequisites: OpenSSL and the clock
• 15.3.3. Self-signed certificates
• 15.3.4. CA-signed (publicly trusted) certificates
• 15.3.5. Verifying a public server (camera as client)
• 15.3.6. Operations: keys, expiry, and troubleshooting