Topic: Root certificates included in wolfSSL

Hello,

I was trying to search for this but it's not clear to me.

I am using wolfSSL from an ESP32 and it's working fine in my local network: I successfully integrated wolfSSL into my ESP32 client that connects to a Java server and everything works flawlessly.

Now I have to connect to that same Java server but remotely. I know I could just use the root cert of my server (I am using Let's Encrypt) instead of the local cert I was using up to now and it should work.

Anyway, this requires renewing this certificate from time to time to avoid expiration, and I was wondering if wolfSSL includes some kind of bundle with the most used root certificates. Espressif already does this but it seems this bundle is not available when using wolfSSL, according to what they specifically state in the documentation (https://docs.espressif.com/projects/esp … undle.html):

The bundle is currently not available when using WolfSSL.

Is there a way to automatically include most common certificates in wolfSSL?


Re: Root certificates included in wolfSSL

Hello,
My name is Anthony and I am a member of the wolfSSL team.
The page you reference points to a place where you can download the certificate bundle. 

If you get them and put them in a directory, you can then use wolfSSL_CTX_load_verify_locations() to specify that directory location and it will have those. If your system has a way to automatically update the certificates you can tell wolfSSL to check that location with the same API.

Warm regards, Anthony


3 (edited by gojimmypi 2025-06-13 09:39:50)

Re: Root certificates included in wolfSSL

Hi rocotocloc & Anthony,

There are two different types of "Certificate Bundles."

The first is the standard, RFC-compliant format - a simple list of certificates - as Anthony described in his reply. This is the preferred and official method.

The second is Espressif’s (more specifically, mbedTLS’s) custom, proprietary format used exclusively in the ESP-IDF. This format is generated at build time using the gen_crt_bundle.py Python script, located here:

https://github.com/espressif/esp-idf/tr … crt_bundle

Given the error message, I assume this is the Certificate Bundle method you are referring to?

We added support for this Espressif-style Certificate Bundle to wolfSSL last year:

https://github.com/wolfSSL/wolfssl/pull/7936

And just this week, we added improved support for PlatformIO Certificate Bundles:

https://github.com/wolfSSL/wolfssl/pull/8847

Currently, some minor modifications to the ESP-IDF are needed to properly link wolfSSL with the esp-tls library when using Certificate Bundle support. These changes can be found in my fork here:

https://github.com/gojimmypi/esp-idf/tree/my_531

I still need to submit a pull request upstream to add this support to the official Espressif releases. The branch above targets ESP-IDF v5.3.1. Unless otherwise requested, my first PR will aim to port the changes to the latest master (v5.5).

If this is for a commercial product, please feel free to contact us at support [at] wolfssl.com and/or open a GitHub issue.

Thank you for your interest in wolfSSL,

Jim

Edit: for reference here are the files changed between my ESP-IDF branch and upstream:

$ git diff --name-only c8fc5f6 041cd42
.github/workflows/release_zips.yml
.gitignore
README.md
components/esp-tls/CMakeLists.txt
components/esp-tls/Kconfig
components/esp-tls/esp-tls-crypto/esp_tls_crypto.c
components/esp-tls/esp_tls.c
components/esp-tls/esp_tls.h
components/esp-tls/esp_tls_wolfssl.c
components/esp-tls/private_include/esp_tls_private.h
components/esp-tls/private_include/esp_tls_wolfssl.h
components/esp_http_client/esp_http_client.c
components/tcp_transport/transport_ssl.c
package.json
version.txt

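The "standard, RFC-compliant" bundle Anthony and Jim describe is nothing more than a concatenation of PEM certificates, which is what wolfSSL_CTX_load_verify_locations() (as a file) or wolfSSL_CTX_load_verify_buffer() consume. Here is an added example of a small build-step script for producing such a bundle from a directory of CA files; it is not code from this thread, from wolfSSL or from Espressif, and it assumes the CA files are named *.pem or *.crt. It deduplicates certificates by SHA-256 fingerprint and refuses to copy anything that is not a CERTIFICATE block (a private key dropped into the trust directory must never end up in the device image).

```python
"""Merge a directory of PEM CA files into one RFC 7468-style bundle that
wolfSSL_CTX_load_verify_buffer()/wolfSSL_CTX_load_verify_locations() accept."""
import base64
import hashlib
import re
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return (label, der_bytes) for every well-formed PEM block in text."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # corrupt base64: wolfSSL could not load it either
        out.append((label, der))
    return out


def build_bundle(pem_texts):
    """Merge PEM texts; returns (bundle_text, list_of_sha256_fingerprints)."""
    seen = {}
    for text in pem_texts:
        for label, der in parse_pem_blocks(text):
            # Only X.509 certificates belong in a trust store. A DER certificate
            # is an ASN.1 SEQUENCE, so its first byte must be 0x30.
            if label != "CERTIFICATE" or not der.startswith(b"\x30"):
                continue
            fp = hashlib.sha256(der).hexdigest()
            seen.setdefault(fp, der)  # keep the first copy of a duplicate CA
    lines = []
    for der in seen.values():
        b64 = base64.b64encode(der).decode()
        lines.append("-----BEGIN CERTIFICATE-----")
        lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
        lines.append("-----END CERTIFICATE-----")
    return ("\n".join(lines) + "\n" if lines else ""), list(seen)


def build_bundle_from_dir(path):
    files = sorted(Path(path).glob("*.pem")) + sorted(Path(path).glob("*.crt"))
    return build_bundle([f.read_text() for f in files])


# Constructed sample input (not real certificates): tiny ASN.1 SEQUENCEs stand
# in for DER; one "CA" is duplicated across files and a stray key is present.
SAMPLE_FILES = [
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n",
    "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n",
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n",
]
```

Write the returned text to a file that the firmware build embeds, then point wolfSSL_CTX_load_verify_buffer() at it with WOLFSSL_FILETYPE_PEM.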

4 (edited by rocotocloc 2025-06-15 23:46:13)

Re: Root certificates included in wolfSSL

Hello,

Yes @gojimmypi, I am referring to Espressif mbedTLS certificates. This is a very cool feature by Espressif since this bundle is automatically managed by them and already included in the build, so I don't have to worry about updating certificates myself.

The message I indicated:

The bundle is currently not available when using WolfSSL.

is not an error I got but just a simple warning message Espressif indicates in their docs: https://docs.espressif.com/projects/esp … undle.html

So by "We added support for this Espressif-style Certificate Bundle to wolfSSL last year" do you mean I can use that proprietary Espressif bundle at the moment? I mean just loading the certificates in that bundle through regular functions like "wolfSSL_CTX_load_verify_buffer" as pointed out by @anthony?


Thank you very much.


Re: Root certificates included in wolfSSL

Hi @rocotocloc

do you mean I can use that proprietary Espressif bundle at the moment?

Well, that depends. Basically yes, but with an ESP-IDF update or patch.

The wolfSSL PR 7936 that I referred to needs a modified ESP-IDF. One option is the my_531 branch mentioned below.

I also put up this PR at Espressif yesterday for the ESP-IDF v5.5 beta-1:

https://github.com/espressif/esp-idf/pull/16145

Additionally, I should point out that the bundles are *not* compatible between mbedTLS and wolfSSL. This is not an issue for ESP-IDF builds, as included in the upstream PR, I also have a wolfSSL-specific python script gen_crt_bundle.py that runs at build time.

See:

https://github.com/wolfSSL/wolfssl/tree … crt_bundle

I've also added some features like manually specifying a bundle file. This was primarily for PlatformIO builds, but others will likely find it useful as well.

Can you tell me more about your project? Is this for a commercial product? If so, we can prioritize helping you with an interim solution until the upstream Espressif code is merged. Please send a message to support [at] wolfssl.com.
