
Create Key & Certificate for HTTPS Server using IP on Windows

Introduction


HTTP is the protocol web browsers and servers use to talk to each other. HTTPS is HTTP carried over TLS: the data exchanged between client and server is encrypted, and the server presents a certificate so the client can check whom it is talking to. Even if someone intercepts the traffic, they cannot read the transmitted information.

In embedded systems and MCU-based applications, libraries such as mbedTLS are commonly used to implement secure communication. These libraries rely on cryptographic keys and digital certificates.

For production environments, certificates are typically signed by a Certificate Authority (CA), which guarantees their authenticity and allows web browsers to trust the connection. However, when a certificate is generated manually (self-signed), web browsers do not inherently trust it. Despite this, self-signed certificates are a practical option for internal or development use cases, since the communication remains encrypted. Additionally, it is possible to configure client devices to trust these certificates when required.


Download OpenSSL


First, verify whether OpenSSL is installed on your system. If not, it must be downloaded and installed.
To check whether OpenSSL is already installed, run the following in a command prompt:

openssl version
If the command is not recognized, OpenSSL is not installed.
If OpenSSL is not installed, search the web for installation instructions for your operating system; up-to-date step-by-step guides exist for Windows, Linux and macOS that cover downloading, installing and verifying OpenSSL. Prefer a current guide so that the installed build is recent and set up correctly.

Preparation


Select a folder where all keys and certificates will be stored. Open a command prompt in this folder and proceed with the following steps.

Create Keys


NOTE: Replace every %%Name%% placeholder below with your own values (file names, organization details and the server IP).
Create a private key for the Server Certificate

openssl genrsa -out %%KeyName%%.key 2048

Create a private key to simulate Certificate Authority (CA)

openssl genrsa -out %%CAKeyName%%.key 2048

Create Certificate Authority


Generate a self-signed CA certificate (no config file or -subj is given, so OpenSSL prompts for the CA's name fields):

openssl req -x509 -new -nodes -key %%CAKeyName%%.key -sha256 -days 3650 -out %%CAName%%.crt

Create Server Certificate


Config file to request certificate

Create a configuration file named %%ConfigFileName%%.cnf from the following template (Notepad is sufficient):
[req]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
C=%%Country%%
ST=%%State%%
L=%%City%%
O=%%Owner%%
OU=%%Division%%
CN=%%CommonName%%

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = %%ServerIP%%

Generate Certificate Signing Request (CSR)

openssl req -new -key %%KeyName%%.key -out %%CertificateRequestName%%.csr -config %%ConfigFileName%%.cnf

Sign Certificate with simulated CA

openssl x509 -req -in %%CertificateRequestName%%.csr -CA %%CAName%%.crt -CAkey %%CAKeyName%%.key -CAcreateserial -out %%CertificateName%%.crt -days 365 -extensions v3_req -extfile %%ConfigFileName%%.cnf

Prepare to use with mbedTLS


Convert private Key to DER (Distinguished Encoding Rules)

openssl rsa -in %%KeyName%%.key -outform DER -out %%KeyName%%_key.der

Convert Certificate to DER (Distinguished Encoding Rules)

openssl x509 -in %%CertificateName%%.crt -outform DER -out %%CertificateName%%.der

Convert Key DER to array in a source file

xxd -i %%KeyName%%_key.der > %%KeyName%%_key.c

Convert Certificate DER to array in a source file

xxd -i %%CertificateName%%.der > %%CertificateName%%_cert.c
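xxd is not a built-in Windows command (it usually arrives with Git for Windows or Vim). The following script is an added example, not part of the original article, that produces the same C array layout as xxd -i in plain Python and additionally refuses input that is not a single DER object, which catches the common mistake of feeding a PEM (.key/.crt) file to a parser that expects DER. The function names (der_outer_length, is_der_blob, c_array, der_to_c_source) are this example's own.

```python
"""Pure-Python stand-in for ``xxd -i`` with a DER sanity check.

Added example, not from the original article.  Function names are this
example's own; the output format mirrors what xxd -i emits (12 bytes per line,
symbol name derived from the file name, plus a ``<symbol>_len`` integer).
"""
import os
import re
import sys


def der_outer_length(data):
    """Total encoded length of the outermost DER SEQUENCE (tag 0x30) in ``data``,
    or None if the bytes do not begin with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_der_blob(data):
    """True if ``data`` is exactly one DER SEQUENCE, as a DER key or certificate
    file is.  A PEM file starts with '-----BEGIN' and fails this check."""
    return der_outer_length(data) == len(data)


def c_array(data, name):
    """Render ``data`` the way ``xxd -i`` does: sanitized symbol name, 12 bytes
    per line, trailing ``unsigned int <symbol>_len``."""
    sym = re.sub(r"[^A-Za-z0-9]", "_", name)
    if sym[0].isdigit():                  # xxd prefixes names that start with a digit
        sym = "__" + sym
    rows = ["  " + ", ".join(f"0x{b:02x}" for b in data[i:i + 12])
            for i in range(0, len(data), 12)]
    return (f"unsigned char {sym}[] = {{\n" + ",\n".join(rows) + "\n};\n"
            f"unsigned int {sym}_len = {len(data)};\n")


def der_to_c_source(der_path, c_path):
    """Convert a DER file into a C source file; returns the number of bytes embedded.
    Raises ValueError instead of silently embedding a PEM or truncated file."""
    with open(der_path, "rb") as fh:
        data = fh.read()
    if not is_der_blob(data):
        raise ValueError(f"{der_path} is not a single DER object (PEM file or truncated?)")
    with open(c_path, "w") as fh:
        fh.write(c_array(data, os.path.basename(der_path)))
    return len(data)


if __name__ == "__main__":
    # usage: python der2c.py server_key.der server_key.c
    print(der_to_c_source(sys.argv[1], sys.argv[2]), "bytes embedded")
```

Pass the generated `<symbol>` and `<symbol>_len` to mbedTLS exactly as they are for DER input. If you ever embed PEM instead, remember that mbedTLS requires the buffer to end with a NUL byte that is counted in the length, which is why mixing the two formats is a frequent source of parse errors on the device.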

Install CA Certificate (Optional – Avoid Browser Warnings)


To prevent browser warnings, install the CA certificate on the client device (PC, phone, etc.).

  1. Double-click the CA certificate file (.crt).
  2. Click Install Certificate.
  3. Select Local Machine.
  4. Choose Place all certificates in the following store.
  5. Click Browse and select Trusted Root Certification Authorities.
  6. Click Next → Finish.

After this step, the system will trust certificates signed by this CA.
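The script below is an added example, not part of the original article, covering both the certificate steps above (keys, CA, CSR, signing with the IP in subjectAltName) and the effect of the optional CA-install step: it runs the article's OpenSSL commands from Python and then opens a loopback TLS connection to prove that a verifying client accepts the certificate for the server IP only when the CA is trusted. Browsers and TLS libraries match the IP against the subjectAltName IP entry, not the CN, which is what this exercises. It assumes the openssl binary is on PATH, uses 127.0.0.1 as a constructed server IP and constructed DN values, and, unlike the article's CA command, gives the CA its own config with CA:TRUE set explicitly so the outcome does not depend on the system openssl.cnf; function names are this example's own.

```python
"""Build an IP-SAN server certificate with the article's OpenSSL steps, then check
it on a loopback TLS connection.  Added example; assumes ``openssl`` is on PATH.
127.0.0.1 and the DN fields are constructed values."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

SERVER_IP = "127.0.0.1"  # constructed: the address the HTTPS server is reached at

# CA config (assumption: explicit CA extensions instead of relying on openssl.cnf).
CA_CNF = """[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca

[dn]
CN = Example Dev CA

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
"""

# The article's request template with the placeholders filled in.
SERVER_CNF = """[req]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
C=US
ST=Example State
L=Example City
O=Example Org
OU=Embedded
CN=embedded-server

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = {ip}
"""


def openssl_available():
    return shutil.which("openssl") is not None


def _openssl(workdir, *args):
    subprocess.run(["openssl", *args], cwd=workdir, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def build_pki(workdir, ip=SERVER_IP):
    """Run the article's steps in workdir; returns (ca_crt, server_crt, server_key)."""
    with open(os.path.join(workdir, "ca.cnf"), "w") as fh:
        fh.write(CA_CNF)
    with open(os.path.join(workdir, "server.cnf"), "w") as fh:
        fh.write(SERVER_CNF.format(ip=ip))
    _openssl(workdir, "genrsa", "-out", "server.key", "2048")
    _openssl(workdir, "genrsa", "-out", "ca.key", "2048")
    _openssl(workdir, "req", "-x509", "-new", "-nodes", "-key", "ca.key", "-sha256",
             "-days", "3650", "-config", "ca.cnf", "-out", "ca.crt")
    _openssl(workdir, "req", "-new", "-key", "server.key", "-out", "server.csr",
             "-config", "server.cnf")
    _openssl(workdir, "x509", "-req", "-in", "server.csr", "-CA", "ca.crt",
             "-CAkey", "ca.key", "-CAcreateserial", "-out", "server.crt",
             "-days", "365", "-extensions", "v3_req", "-extfile", "server.cnf")
    return tuple(os.path.join(workdir, f) for f in ("ca.crt", "server.crt", "server.key"))


def handshake_ok(ca_crt, server_crt, server_key, ip=SERVER_IP, trust_ca=True):
    """Serve one TLS connection with the server cert; True if a verifying client
    (certificate chain plus IP-SAN check) completes the handshake."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(server_crt, server_key)
    listener = socket.socket()
    listener.bind((ip, 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        try:
            conn, _ = listener.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)
        except (ssl.SSLError, OSError):
            pass  # client aborted the handshake: expected when it distrusts the CA
        finally:
            listener.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if trust_ca:
        client_ctx.load_verify_locations(ca_crt)   # the "install CA certificate" step
    try:
        with socket.create_connection((ip, port), timeout=10) as raw:
            with client_ctx.wrap_socket(raw, server_hostname=ip) as tls:
                tls.sendall(b"ping")
        return True
    except ssl.SSLError:
        return False
    finally:
        worker.join(10)


def demo():
    """Returns (result with CA trusted, result without); expected (True, False)."""
    with tempfile.TemporaryDirectory() as workdir:
        ca, crt, key = build_pki(workdir)
        return handshake_ok(ca, crt, key, trust_ca=True), handshake_ok(ca, crt, key, trust_ca=False)


if __name__ == "__main__":
    print("handshake with CA trusted / not trusted:", demo())
```

The untrusted result is what a browser shows as a certificate warning; the trusted result is what the install steps above achieve. Because every client that trusts this CA will accept any certificate it signs, keep the %%CAKeyName%%.key file off the devices and out of the source tree, and let the server key it signs be the only key that leaves the build folder.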
