Sign Secure Boot V2 images with OpenSSL and Esptool from Espressif using PKCS11 library
Esptool is a Python-based, open-source, platform-independent utility to communicate with the ROM bootloader in Espressif chips.
Integrate OpenSSL with DigiCert® Software Trust Manager's PKCS11 library, then use OpenSSL to sign the image using Espressif's detached signature functionality. Use these instructions to set up, sign, and verify signatures with the Esptool utility script bundled with the Espressif build system.
Prerequisites
DigiCert ONE client authentication certificate
Software Trust Manager keypair
OpenSSL with DigiCert® Software Trust Manager PKCS11 library
Esptool (version 4.5 or higher)
Install Esptool
To install Esptool, run the following command from the command line:
pip install esptool[hsm]
Note
For additional context, refer to Installation and dependencies.
Install and configure Software Trust Manager PKCS11 with OpenSSL
Follow these instructions to install OpenSSL and configure it with the Software Trust Manager PKCS11 library.
Sign with OpenSSL (DGST)
Sign with espsecure.py
To sign, use the command:
espsecure.py sign_data --version 2 --pub-key <public-key-from-keypair-used-to-sign> --signature <signature-output-file-from-openssl> --output <final-signed-image-output-name> <input-image>
Command example:
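The two steps above (detached signature with OpenSSL DGST, then attaching it with espsecure.py) as one end-to-end script; this is an added example, not DigiCert's or Espressif's own code. It assumes Secure Boot V2's RSA-PSS parameters (SHA-256, MGF1 with SHA-256, salt length 32) and 4 KB sector alignment of the signed image, and it generates a local RSA-3072 key as a stand-in for the Software Trust Manager keypair, since the real private key stays in the HSM and the `openssl dgst -sign` step would go through the PKCS11 engine instead.

```shell
#!/bin/sh
# Added example (not DigiCert/Espressif code). ASSUMPTIONS: a local RSA-3072 key
# stands in for the Software Trust Manager keypair (in production "-sign" goes
# through the PKCS11 engine); Secure Boot V2 RSA-PSS parameters (SHA-256,
# MGF1-SHA256, salt length 32); 4 KB sector alignment of the image.
set -eu
SECTOR=4096
# Pad the image with 0xFF to a 4 KB boundary so the signature covers exactly
# the bytes espsecure.py places ahead of the signature block.
pad_image() { # $1 = input image, $2 = padded output
    size=$(wc -c < "$1")
    pad=$(( (SECTOR - size % SECTOR) % SECTOR ))
    cp "$1" "$2"
    [ "$pad" -eq 0 ] || head -c "$pad" /dev/zero | tr '\0' '\377' >> "$2"
}
# "Sign with OpenSSL (DGST)": detached RSA-PSS signature over the padded image.
sign_detached() { # $1 = private key (or PKCS11 URI), $2 = image, $3 = signature out
    openssl dgst -sha256 -sign "$1" -sigopt rsa_padding_mode:pss \
        -sigopt rsa_pss_saltlen:32 -sigopt rsa_mgf1_md:sha256 -out "$3" "$2"
}
# Check the signature against the exported public key before handing it to esptool.
verify_detached() { # $1 = public key, $2 = image, $3 = signature
    openssl dgst -sha256 -verify "$1" -sigopt rsa_padding_mode:pss \
        -sigopt rsa_pss_saltlen:32 -sigopt rsa_mgf1_md:sha256 \
        -signature "$3" "$2" >/dev/null
}
# End-to-end run in a scratch directory; prints the signature length in bytes.
demo() { # $1 = optional real app image; a random stand-in is constructed otherwise
    work=$(mktemp -d)
    if [ -n "${1:-}" ]; then cp "$1" "$work/app.bin"
    else head -c 5000 /dev/urandom > "$work/app.bin"; fi   # constructed stand-in
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$work/hsm_stand_in.pem" 2>/dev/null
    openssl pkey -in "$work/hsm_stand_in.pem" -pubout -out "$work/pub.pem"
    pad_image "$work/app.bin" "$work/app_padded.bin"
    sign_detached "$work/hsm_stand_in.pem" "$work/app_padded.bin" "$work/app.sig"
    verify_detached "$work/pub.pem" "$work/app_padded.bin" "$work/app.sig"
    # "Sign with espsecure.py": attach the external signature when esptool is installed.
    if command -v espsecure.py >/dev/null 2>&1; then
        espsecure.py sign_data --version 2 --pub-key "$work/pub.pem" \
            --signature "$work/app.sig" --output "$work/app_signed.bin" \
            "$work/app_padded.bin" >/dev/null
    fi
    wc -c < "$work/app.sig" | tr -d ' '
}
demo
```

A 3072-bit RSA key yields a 384-byte detached signature; pass a real build image as the first argument to `demo` when esptool is installed so `sign_data` has a genuine image to process.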