# Certificate Setup (Dev)

This backend requires **mutual TLS** (client certs). For local development, use the provided script:

```bash
cd certs
./gen-certs.sh            # creates CA, server cert (localhost), client cert, and server.pfx
```

Outputs:
- `ca.crt` — CA certificate. Embed this in the ESP32 firmware as `SERVER_CA_PEM`.
- `server.pfx` — for Kestrel (password: `CERT_PASSWORD`, defaults to `changeit`).
- `server.crt` / `server.key` — PEM versions.
- `client.crt` / `client.key` — sample device certificate (PEM) and `client.pfx`.