Alexa-AWS wrote on June 19, 2018:
Hi,
As you’ve pointed out, the ESP32 OTA is not supported at this time. Answering question #1, you can do an OTA using the Windows Simulator project.
For your question #3, yes, there are 2 different sets of credentials needed for OTA:
(1) Device private key/certificate (needed for the TLS communication with AWS IoT)
(2) Code signing credentials (needed to sign and verify the OTA update code)
For the first set of credentials, you should be able to use the same device credentials as you used for the MQTT demo before. You may also create new credentials using your own custom CA (but I would first try with your current credentials that you have already confirmed work with the MQTT publish demo before doing an OTA with your own custom CA).
For the code signing credentials, you will also need to generate an additional set to sign and verify your OTA image. For Windows Simulator, our code signing services expect an RSA-2048 key and use SHA-256 as the hash.
First, create a document “cert_config.txt”
    [ req ]
    # no interactive prompts; take the subject from the section named below
    prompt = no
    distinguished_name = my_dn
    [ my_dn ]
    commonName = test_signer@youremail.com
    # extensions selected with "-extensions my_exts" on the command line
    [ my_exts ]
    keyUsage = digitalSignature
    extendedKeyUsage = codeSigning
Next, using OpenSSL, you can call the following to generate your code signing private key and certificate.
openssl req -x509 -config cert_config.txt -extensions my_exts -nodes -days 365 -newkey rsa:2048 -keyout rsasigner.key -out rsasigner.crt
You can either import the key and certificate (rsasigner.key and rsasigner.crt) into ACM directly, or in the job console, under “Code signing certificate” you can select “Import a Certificate” and copy and paste the contents of rsasigner.key and rsasigner.crt into the “Certificate private key” and “Certificate” sections, respectively. You can leave the Certificate chain blank.
–> In the IoT Create OTA Job Console, select the device whose credentials you’ve already confirmed work.
–> Leave the first radio button on “Sign a new firmware image for me”.
–> In Device hardware platform select “Windows Simulator” and for “Pathname of code signing certificate on device” tell the Windows Simulator project where to find the rsasigner.crt file relative to your solution file. (I like to copy my rsasigner.crt file into the same folder as my aws_demos.sln, and then just type rsasigner.crt in that box!).
----> Regarding question #2, when the device (or Windows Simulator) receives a new firmware image, it must verify that the image came from an authorized source. It uses the code signing certificate path to figure out which public key to use.
–> The pathname of the firmware image on your device is the name of the new Windows executable that will be downloaded. If you provide just a file name (like newImage.exe) then this file will be placed in the same folder as your solution.
Best,
Alexa
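The two steps the post describes (building an RSA-2048 code-signing certificate like the openssl command produces, then having the device verify the SHA-256/RSA signature on the image against rsasigner.crt), as an added Go example that is not part of the original post and not FreeRTOS or AWS code; the key, certificate and firmware bytes are constructed in memory rather than read from files, and the signature format (PKCS#1 v1.5) is assumed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// digest is the SHA-256 hash over the whole firmware image.
func digest(image []byte) []byte { d := sha256.Sum256(image); return d[:] }

// GenerateSigner mirrors the openssl req command: RSA-2048 key plus a self-signed code-signing cert.
func GenerateSigner() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "test_signer@youremail.com"}, // as in cert_config.txt
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// SignImage is the build-side step: RSA PKCS#1 v1.5 signature over the SHA-256 digest (assumed format).
func SignImage(key *rsa.PrivateKey, image []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(image))
}

// VerifyImage is the device-side check against rsasigner.crt: RSA code-signing cert and matching signature.
func VerifyImage(cert *x509.Certificate, image, sig []byte) error {
	codeSigning := false
	for _, eku := range cert.ExtKeyUsage {
		codeSigning = codeSigning || eku == x509.ExtKeyUsageCodeSigning
	}
	pub, isRSA := cert.PublicKey.(*rsa.PublicKey)
	if !codeSigning || !isRSA {
		return errors.New("not an RSA code-signing certificate")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(image), sig)
}
```

A single flipped byte in the downloaded image, or a certificate without the codeSigning extended key usage, makes VerifyImage return an error, which is the check the OTA agent relies on before it runs the new executable.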