I'm working on an embedded system that performs requests to a REST API with HTTPS. In my understanding, the SSL certificate of the server is verified using a bundle of trusted certificates stored locally. In my case they are in a Debian-based package called ca-certificates. This package is from 2019 so I wonder if I have to worry about this package being obsolete one day. If yes, when?

1 Answer

> This package is from 2019 so I wonder if I have to worry about this package being obsolete one day. If yes, when?

The CA certificates in the package have a limited lifetime. For details look at the expiration times in the specific certificates. Also, new publicly trusted CAs might be added or less trusted ones removed.

In general it might not be a good idea to simply trust all public CAs in your embedded system in the first place. If there is a fixed endpoint for your device then the certificates and CA used there should be trusted instead of the whole world. When doing this the problem also gets smaller, i.e. you only have to worry about the specific CA used and not arbitrary changes to the trusted CA store.
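One way to check the expiration times mentioned in the answer above, as an added example that is not part of the original answer: it loads a CA file with Python's `ssl` module and sorts the CAs into expired, expiring within a chosen device lifetime, and fine. The function names, the five-year horizon and the sample entries are assumptions; the same check works on a file holding only the one CA your endpoint uses.

```python
import ssl
import time

# Bundle file generated by Debian's ca-certificates package.
BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Constructed sample in the shape returned by SSLContext.get_ca_certs().
SAMPLE = [
    {"subject": ((("commonName", "Constructed Expired Root"),),),
     "notAfter": "May 30 10:48:38 2020 GMT"},
    {"subject": ((("organizationName", "Constructed Org"),),),
     "notAfter": "Dec 31 23:59:59 2040 GMT"},
]


def load_ca_certs(ca_file):
    """Load only the CAs in ca_file (no system defaults) as decoded dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_file)
    return ctx.get_ca_certs()


def display_name(cert):
    """Prefer the subject CN, fall back to O; some roots carry no CN."""
    attrs = {key: value for rdn in cert.get("subject", ()) for key, value in rdn}
    return attrs.get("commonName") or attrs.get("organizationName") or "<unnamed>"


def expiry_report(certs, horizon_days, now=None):
    """Group CAs by whether notAfter is past, inside the horizon, or beyond it."""
    now = time.time() if now is None else now
    horizon = now + horizon_days * 86400
    report = {"expired": [], "expiring": [], "ok": []}
    for cert in certs:
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        if not_after <= now:
            state = "expired"
        elif not_after <= horizon:
            state = "expiring"
        else:
            state = "ok"
        report[state].append((display_name(cert), cert["notAfter"]))
    return report


if __name__ == "__main__":
    try:
        certs = load_ca_certs(BUNDLE)
    except OSError:  # bundle missing or unreadable: fall back to the sample
        certs = SAMPLE
    for state, entries in expiry_report(certs, horizon_days=5 * 365).items():
        for name, not_after in entries:
            print(f"{state:9} {not_after}  {name}")
```

Set the horizon to the time the device is expected to stay in the field without an update to its trust store.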
