
Commit b127bd1

committed
docs(ssl): Update TLS/SSL certificate fingerprint instructions
1 parent c1f6b1b commit b127bd1


1 file changed

+19
-5
lines changed


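--- a/examples/adafruitio_secure_esp8266/adafruitio_secure_esp8266.ino
+++ b/examples/adafruitio_secure_esp8266/adafruitio_secure_esp8266.ino
@@ -44,10 +44,24 @@ WiFiClientSecure client;
 Adafruit_MQTT_Client mqtt(&client, AIO_SERVER, AIO_SERVERPORT, AIO_USERNAME, AIO_KEY);
 
 // io.adafruit.com SHA1 fingerprint
-/* WARNING - This value was last updated on 07/14/25 and may not be up-to-date!
-* If security is a concern for your project, we strongly recommend users impacted by this moving
-* to ESP32 which has certificate verification by storing root certs and having a
-* chain-of-trust rather than doing individual certificate fingerprints.
+/* WARNING - This value was last updated on 07/14/25 and may not be up-to-date (6monthly updates)!
+* If security is a concern for your project, we strongly recommend users impacted by this move
+* to a larger MCU like ESP32 which has certificate verification by storing root certs and having
+* a chain-of-trust rather than doing individual certificate fingerprints.
+* Mac/Linux/WSL users run the following command to get the latest fingerprint (with OpenSSL):
+```
+openssl s_client -connect [io.adafruit.com]:8883 -showcerts </dev/null 2>/dev/null | openssl x509 -fingerprint -noout | sed 's/:/ /g' | sed 's/SHA1 Fingerprint=//'
+```
+* Windows users can use powershell and not need to install OpenSSL:
+```
+$tcpClient = New-Object System.Net.Sockets.TcpClient("io.adafruit.com", 8883);
+$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, ({$True}));
+$sslStream.AuthenticateAsClient("io.adafruit.com");
+$cert = $sslStream.RemoteCertificate;
+$fingerprint = ($cert.GetCertHashString());
+Write-Output ($fingerprint -replace '(.{2})', '$1 ' -replace ' $', '');
+```
+* Replace the value below with your updated SHA1 fingerprint for io.adafruit.com:
 */
 static const char *fingerprint PROGMEM = "47 D2 CB 14 DF 38 97 59 C6 65 1A 1F 3E 00 1E 53 CC A5 17 E0";
 
@@ -84,7 +98,7 @@ void setup() {
 Serial.println("WiFi connected");
 Serial.println("IP address: "); Serial.println(WiFi.localIP());
 
-// check the fingerprint of io.adafruit.com's SSL cert
+// check the fingerprint of io.adafruit.com's SSL cert (*see above to update)
 client.setFingerprint(fingerprint);
 }
 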
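Review bot: The PowerShell snippet in the new comment passes `({$True})` as the SslStream validation callback, so the fingerprint it prints comes from whatever certificate the peer presents, with no chain check; behind a TLS-inspecting proxy or a spoofed endpoint the user would pin the wrong certificate into `fingerprint`. Letting the default validation run keeps the pin tied to a certificate that chains to a trusted root: `$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false);`. The OpenSSL one-liner has the same gap, because `s_client` carries on after a verification failure and `2>/dev/null` hides the error; adding `-verify_return_error -servername io.adafruit.com` would make it fail rather than print an unverified fingerprint. The brackets in `[io.adafruit.com]:8883` look like link-markup residue and are probably better dropped, and the bare fence lines inside the block comment would read more cleanly with the same `*` prefix as the lines around them.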
