https://devzone.nordicsemi.com/f/nordic-q-a/122515/using-sha256-certificate-hasingHello. After some great struggles, we&#39;ve managed to enable WiFi and encrypted socket + TLS connection to google.com and various websites. Since then, we&#39;ve been looking into having a r1.pem that contains all trusted certificates. Since that entailsen-USTelligent Community 13Thu, 03 Jul 2025 07:36:36 GMThttps://devzone.nordicsemi.com/thread/541271?ContentTypeID=1Thu, 03 Jul 2025 07:36:36 GMT137ad170-7792-4731-bb38-c0d22fbe4515:a08ce8d7-b5eb-4c0a-ae1d-d24c186b49e6Elfving<p>Hi again Tudor&nbsp;<span class="emoticon" data-url="https://devzone.nordicsemi.com/cfs-file/__key/system/emoji/1f642.svg" title="Slight smile">&#x1f642;</span></p> <p>So this problem is something that is a bit beyond what we would typically provide support with.&nbsp;<span>It is not really an optimization supported by Mbed TLS nor Zephyr nor otherwise in NCS. You would of course be free to hack another solution, but it would be outside of the code we provide/support.</span></p> <p><span>Zephyr has <a href="https://docs.zephyrproject.org/latest/connectivity/networking/api/tls_credentials_shell.html">this TLS credentials module</a> to handle certs,&nbsp;this takes full cert and as already pointed would need a lot of memory, but if we are talking about taking a shortcut to store only fingerprints (like eg. ESP is providing), this does sound like an idea.</span></p> <p><span>That being said, I&nbsp;am trying to ask around if anyone has any feedback on the methodology you explain here.</span></p> <p><span>Regards,</span></p> <p><span>Elfving</span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/540789?ContentTypeID=1Sat, 28 Jun 2025 18:42:09 GMT137ad170-7792-4731-bb38-c0d22fbe4515:27d98961-a9f3-4839-923a-996aec5612a5Tudor B.<p>It&#39;s not burning, but it would be great if we can get it done by the end of next week so that we don&#39;t leave it like that for too long and forget what we were doing. :))</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/540608?ContentTypeID=1Thu, 26 Jun 2025 14:23:36 GMT137ad170-7792-4731-bb38-c0d22fbe4515:85d786bb-42a1-4637-b1eb-232c3748d377Elfving<p>Hi Tudor,&nbsp;</p> <p>I&#39;ll have to get back to you on this tomorrow or later this week - my go-to expert on this is currently a bit busy. Let me know if this is too urgent for that.</p> <p>Regards,</p> <p>Elfving</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/540538?ContentTypeID=1Thu, 26 Jun 2025 07:25:44 GMT137ad170-7792-4731-bb38-c0d22fbe4515:17965841-b605-49b6-8e0b-78ebc31afc89Emil Lenngren<p>Did you consider that most servers don&#39;t include a copy of the root certificate in the certificate chain they send? With only a fingerprint, you won&#39;t be able to verify the signature in the last certificate in the sent chain, if I&#39;m not mistaken.</p> <p>You should instead create a minium binary file containing a sorted list of root certificates having the lookup key set to the subject name (in DER format). A hash of this could maybe also work. It&#39;s enough if the value contains the raw public key and type (rsa, secp256r1 or secp384r1).</p> <p>Espressif uses this approach in their sdk: see&nbsp;<a href="https://docs.espressif.com/projects/esp-idf/en/stable/esp32/api-reference/protocols/esp_crt_bundle.html">docs.espressif.com/.../esp_crt_bundle.html</a> and&nbsp;<a href="https://github.com/espressif/esp-idf/blob/master/components/mbedtls/esp_crt_bundle/gen_crt_bundle.py.">github.com/.../gen_crt_bundle.py.</a></p><div style="clear:both;"></div>