Topic: Root certificates included in wolfSSL

Hello,

I was trying to search for this but it's not clear to me.

I am using wolfSSL from an ESP32 and it's working fine in my local network, I successfully integrated wolfSSL into my ESP32 client that connects to a Java server and everything works flawlessly.

Now I have to connect to that same Java server but remotely. I know I could just use the root cert of my server (I am using Let's Encrypt) instead of the local cert I was using up to now and it should work.

Anyways this requires renewing this certificate from time to time to avoid expiration, and I was wondering if wolfSSL includes some kind of bundle with the most used root certificates. Espressif already does this but it seems this bundle is not available when using wolfSSL, according to what they specifically state in the documentation (https://docs.espressif.com/projects/esp … undle.html):

The bundle is currently not available when using WolfSSL.

Is there a way to automatically include most common certificates in wolfSSL?


Re: Root certificates included in wolfSSL

Hello,
My name is Anthony and I am a member of the wolfSSL team.
The page you reference points to a place where you can download the certificate bundle. 

If you get them and put them in a directory, you can then use wolfSSL_CTX_load_verify_locations() to specify that directory location and it will have those. If your system has a way to automatically update the certificates you can tell wolfSSL to check that location with the same API.

Warm regards, Anthony


3 (edited by gojimmypi 2025-06-13 09:39:50)

Re: Root certificates included in wolfSSL

Hi rocotocloc & Anthony,

There are two different types of "Certificate Bundles."

The first is the standard, RFC-compliant format - a simple list of certificates - as Anthony described in his reply. This is the preferred and official method.

The second is Espressif’s (more specifically, mbedTLS’s) custom, proprietary format used exclusively in the ESP-IDF. This format is generated at build time using the gen_crt_bundle.py Python script, located here:

https://github.com/espressif/esp-idf/tr … crt_bundle

Given the error message, I assume this is the Certificate Bundle method you are referring to?

We added support for this Espressif-style Certificate Bundle to wolfSSL last year:

https://github.com/wolfSSL/wolfssl/pull/7936

And just this week, we added improved support for PlatformIO Certificate Bundles:

https://github.com/wolfSSL/wolfssl/pull/8847

Currently, some minor modifications to the ESP-IDF are needed to properly link wolfSSL with the esp-tls library when using Certificate Bundle support. These changes can be found in my fork here:

https://github.com/gojimmypi/esp-idf/tree/my_531

I still need to submit a pull request upstream to add this support to the official Espressif releases. The branch above targets ESP-IDF v5.3.1. Unless otherwise requested, my first PR will aim to port the changes to the latest master (v5.5).

If this is for a commercial product, please feel free to contact us at support [at] wolfssl.com and/or open a GitHub issue.

Thank you for your interest in wolfSSL,

Jim

Edit: for reference here are the files changed between my ESP-IDF branch and upstream:

$ git diff --name-only c8fc5f6 041cd42
.github/workflows/release_zips.yml
.gitignore
README.md
components/esp-tls/CMakeLists.txt
components/esp-tls/Kconfig
components/esp-tls/esp-tls-crypto/esp_tls_crypto.c
components/esp-tls/esp_tls.c
components/esp-tls/esp_tls.h
components/esp-tls/esp_tls_wolfssl.c
components/esp-tls/private_include/esp_tls_private.h
components/esp-tls/private_include/esp_tls_wolfssl.h
components/esp_http_client/esp_http_client.c
components/tcp_transport/transport_ssl.c
package.json
version.txt

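The "standard, RFC-compliant" bundle Jim and Anthony describe is just a PEM file (RFC 7468 textual encoding) holding one CERTIFICATE block after another. Before handing such a file to wolfSSL_CTX_load_verify_locations() or wolfSSL_CTX_load_verify_buffer(), it is worth checking that every block is well-formed, because a truncated or mis-pasted entry is an easy way to get an unexplained verify failure on the device. The Python below is an added example, not code from this thread, from wolfSSL or from Espressif: it splits a bundle into its blocks, base64-decodes each one, checks that the outer DER SEQUENCE length matches the bytes present, and reports a SHA-256 fingerprint per valid entry so two bundles can be compared. The sample bundle at the bottom is constructed (tiny DER stubs, not real certificates) purely to exercise the checks.

```python
import base64
import hashlib
import re

# One PEM "CERTIFICATE" block; the body may be wrapped across lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_sequence_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE whose declared length
    covers the remaining bytes. This catches truncation and trailing junk,
    which are the usual symptoms of a damaged bundle entry."""
    if len(der) < 2 or der[0] != 0x30:  # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                     # short-form length
        length, header = first, 2
    else:                                # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def split_pem_bundle(text: str) -> list:
    """Return one dict per PEM block: {'ok', 'reason', 'fingerprint'}."""
    entries = []
    for match in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:               # binascii.Error is a ValueError
            entries.append({"ok": False, "reason": "bad base64", "fingerprint": None})
            continue
        if not der_sequence_ok(der):
            entries.append({"ok": False, "reason": "not a complete DER SEQUENCE",
                            "fingerprint": None})
            continue
        entries.append({"ok": True, "reason": "",
                        "fingerprint": hashlib.sha256(der).hexdigest()})
    return entries


def bundle_summary(text: str) -> tuple:
    """(valid_count, invalid_count) for a bundle, for a quick sanity check."""
    entries = split_pem_bundle(text)
    good = sum(1 for e in entries if e["ok"])
    return good, len(entries) - good


# Constructed sample bundle (NOT real certificates): entry 1 is a valid
# 5-byte DER SEQUENCE, entry 2 declares 5 bytes but carries 1, entry 3 is
# not base64 at all.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAUB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
!!!!
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for i, entry in enumerate(split_pem_bundle(SAMPLE_BUNDLE), 1):
        status = "OK " + entry["fingerprint"] if entry["ok"] else "BAD " + entry["reason"]
        print(f"entry {i}: {status}")
    print("valid/invalid:", bundle_summary(SAMPLE_BUNDLE))
```

Run it against the real bundle file before flashing: a non-zero invalid count means the file will not load cleanly, and the fingerprints let you confirm that the roots on the device match the ones in the distribution you downloaded.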

4 (edited by rocotocloc 2025-06-15 23:46:13)

Re: Root certificates included in wolfSSL

Hello,

Yes @gojimmypi, I am referring to Espressif mbedTLS certificates. This is a very cool feature by Espressif since this bundle is automatically managed by them and already included in the build, so I don't have to worry about updating certificates myself.

The message I indicated:

The bundle is currently not available when using WolfSSL.

is not an error I got but just a simple warning message Espressif indicates in their docs: https://docs.espressif.com/projects/esp … undle.html

So by "We added support for this Espressif-style Certificate Bundle to wolfSSL last year" do you mean I can use that proprietary Espressif bundle at the moment? I mean just loading the certificates in that bundle through regular functions like "wolfSSL_CTX_load_verify_buffer" as pointed out by @anthony?

Thank you very much.


Re: Root certificates included in wolfSSL

Hi @rocotocloc

do you mean I can use that proprietary Espressif bundle at the moment?

Well, that depends. Basically yes, but with an ESP-IDF update or patch.

The wolfSSL PR 7936 that I referred to needs a modified ESP-IDF. One option is the my_531 branch mentioned below.

I also put up this PR at Espressif yesterday for the ESP-IDF v5.5 beta-1:

https://github.com/espressif/esp-idf/pull/16145

Additionally, I should point out that the bundles are *not* compatible between mbedTLS and wolfSSL. This is not an issue for ESP-IDF builds, as included in the upstream PR, I also have a wolfSSL-specific python script gen_crt_bundle.py that runs at build time.

See:

https://github.com/wolfSSL/wolfssl/tree … crt_bundle

I've also added some features like manually specifying a bundle file. This was primarily for PlatformIO builds, but others will likely find it useful as well.

Can you tell me more about your project? Is this for a commercial product? If so we can prioritize helping you with an interim solution until the upstream Espressif code is merged. Please send a message to support [at] wolfssl.com


Re: Root certificates included in wolfSSL

Hello @gojimmypi,

Yes, this is a commercial project, we build equipment for industrial laundries. We're using ESP32 controllers at the moment and customers can control their equipment remotely, that's why I am integrating wolfSSL.

Since this is in the development stage, I think I can use a regular PEM file with root certs for the moment, apart from the ones already included by Espressif in its own proprietary format. I'll use one single cert bundle when your PR is merged in Espressif.

By the way I am trying to make tests using that root bundle file but getting some problems, already posted another topic here: https://www.wolfssl.com/forums/topic233 … certs.html

Thanks again for your help


Re: Root certificates included in wolfSSL

Hi @rocotocloc

That sounds interesting! Even for just development stage products, we might be able to provide additional pre-sales support to help with integration for your commercial product. I definitely encourage you to send a message to support [at] wolfssl.com

Yes, I understand your reluctance to use a custom toolchain. If you are only talking to a limited number of servers, a fixed PEM certificate is probably the better way to go. Not only is it more standard, but on an embedded device it gives better performance, too.

To clarify: it is only the ESP-IDF build-time-generated Certificate Bundle binary file that is not compatible between mbedTLS and wolfSSL. I believe both properly support PEM root CA files directly (those not assembled into a single file by the python script). wolfSSL certainly does. For reference, this is the difference:

https://github.com/wolfSSL/wolfssl/blob … dle.c#L152

I'll go reply to the other forum question now regarding the certificate validation failure.

You may also be interested in some other recent changes to wolfSSL for Espressif support, such as this PR updating the example for Post Quantum Key Exchange (ML-KEM) support:

https://github.com/wolfSSL/wolfssl/pull/8813

btw - are you using the wolfSSL source directly, or with a Managed Component?

https://components.espressif.com/compon … sl/wolfssl

Best Regards,

Jim

p.s. There are other wolfSSL products that might be useful for your project: wolfSSH, wolfMQTT, wolfTPM
