OTA F/W Update Certificate Expiry

Post by BivvyCoder » Tue Nov 26, 2024 11:37 am

I'm starting to add OTA update to my project, using the Espressif Native OTA code as a starting point.
https://github.com/espressif/esp-idf/bl ... /README.md

I've generated the server certificate and key, with a 365 day expiry as per the example.

Code:

openssl req -x509 -newkey rsa:2048 -keyout ca_key.pem -out ca_cert.pem -days 365 -nodes

Everything is working fine, but I'm wondering what happens when this certificate expires if the firmware has not been updated?

Presumably the process will fail as the certificate has expired.
If I generate new server certificates then the OTA process will fail as the device and server certificates won't match.

One option would be to set the expiry to 10 years (or longer) but that reduces the security.
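
Added example (not part of the post above or of the ESP-IDF example): a shell check that generates the certificate with the command from the post and uses `openssl x509 -checkend` to flag when the certificate embedded in the firmware is within a chosen number of days of its notAfter date. The function names, the `-subj` value and the 30-day default window are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. make_cert, needs_rotation and report are hypothetical names.

# make_cert DIR DAYS
# Same command as in the post, plus -subj (constructed value) so that
# openssl does not prompt for the subject fields interactively.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1/ca_key.pem" -out "$1/ca_cert.pem" \
        -days "$2" -subj "/CN=ota.example.test" 2>/dev/null
}

# needs_rotation CERT DAYS
# Returns 0 if CERT expires within DAYS days (or has already expired),
#         1 if it stays valid beyond that window,
#         2 if CERT cannot be read or parsed as a certificate.
needs_rotation() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout \
        -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report CERT [DAYS]
# Prints the notAfter date and a one-line verdict for a build or CI log.
report() {
    window="${2:-30}"
    rc=0
    needs_rotation "$1" "$window" || rc=$?
    case "$rc" in
        0) openssl x509 -in "$1" -noout -enddate
           echo "ROTATE: $1 expires within $window days" ;;
        1) openssl x509 -in "$1" -noout -enddate
           echo "OK: $1 valid for more than $window days" ;;
        *) echo "ERROR: cannot parse $1" ;;
    esac
    return "$rc"
}

# When run with a certificate path, report on it (window defaults to 30 days).
if [ "$#" -ge 1 ]; then
    report "$1" "${2:-30}"
fi
```

Run against the `ca_cert.pem` that is built into the firmware image, for example from a scheduled CI job, so the exit status can raise an alert.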
