From 61c9847af8e27f066c0c86c45183ce4e420be414 Mon Sep 17 00:00:00 2001
From: Tianming Chen <tianmc@amazon.com>
Date: Wed, 23 Feb 2022 15:38:30 -0800
Subject: [PATCH] Added documentation on handling OTA code signing certificate

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 50fa186e5d..406aecc18b 100755
--- a/README.md
+++ b/README.md
@@ -507,6 +507,9 @@ For setting up the Greengrass local auth demo, see [the README in the demo folde
 
 1. To perform a successful OTA update, you need to complete the prerequisites mentioned [here](https://docs.aws.amazon.com/freertos/latest/userguide/ota-prereqs.html).
 1. A code signing certificate is required to authenticate the update. A code signing certificate based on the SHA-256 ECDSA algorithm will work with the current demos. An example of how to generate this kind of certificate can be found [here](https://docs.aws.amazon.com/freertos/latest/userguide/ota-code-sign-cert-esp.html).
+1. The code signing certificate can be either baked into firmware as a string, or stored as a file.
+    1. For baked in certificate method, copy the certificate to signingcredentialSIGNING_CERTIFICATE_PEM in [ota_pal_posix.c](https://github.com/aws/aws-iot-device-sdk-embedded-C/blob/main/platform/posix/ota_pal/source/ota_pal_posix.c).
+    2. For file storage method, store the certificate as a file and supply the file path in "Path name of code signing certificate on device" field when creating the OTA job in AWS IoT Console.
 
 #### Scheduling an OTA Update Job