Skip to main content

Configure and use EST

Enrollment over Secure Transport (EST) is a popular protocol for certificate issuance and renewal. EST (RFC 7030) is a certificate management protocol designed to securely issue and manage certificates for devices and applications over HTTPS. EST simplifies the process of enrolling devices for digital certificates, providing a robust mechanism for requesting, renewing, and retrieving certificates. This protocol ensures the confidentiality and integrity of the communication between the client and the certificate authority (CA) using TLS (Transport Layer Security).

DigiCert® Device Trust Manager supports the following EST endpoints:

  • /simpleenroll

  • /simplereenroll

  • /cacerts

  • /csrattrs

  • /serverkeygen

Both TrustCore SDK and TrustEdge include an EST client that works with Device Trust Manager.

Before you begin

Before configuring EST in Device Trust Manager, contact your DigiCert account representative to set up your account.

A DigiCert system administrator must configure a Root CA and an IntermediateCA in the DigiCert® Private CA. If you are missing these, contact your DigiCert account representative.

Ensure you've reviewed the following concepts:

Configure EST

Perform the following steps to configure EST:

  1. Sign in to DigiCert® ONE as a Solution Administrator.

  2. In DigiCert ONE, in the Manager menu (grid at top right), select Device Trust.

  3. In the Device Trust Manager menu, select Authentication management > Authentication policies.

  4. Select Create authentication policy.

  5. Create an Authentication Policy and add authentication credentials to the authentication policy.

    See Create an authentication policy and Add credentials to an authentication policy for a detailed procedure.

  6. In the Device Trust Manager menu, select Certificate management > Certificate management policies > Create certificate management policy.

  7. Create a certificate management policy.

    See Create a certificate management policy for a detailed procedure.

  8. Open the General settings of the certificate management policy wizard.

  9. Enter a Name for the certificate management policy.

  10. Choose a Division to assign the policy to.

  11. Select EST (Enrollment over Secure Transport) from the certificate management model.

  12. Select an Authentication policy if required.

  13. Click Next to proceed to the Certificate settings page.

  14. Select an End entity certificate profile that defines the certificate structure, including subject fields, extensions, and validity period.

  15. Select an Intermediate certificate profile from the available options. This intermediate CA will sign the certificates issued under this policy.

  16. Select an Issuing CA from the available options. This is the Certificate Authority that will sign the certificates issued under this policy.

  17. Set the Keypair generation preferences.

    You can set whether you want the private key to be generated on the device or on the server-side and passed on to the device in the response to the EST certificate request.

  18. Click Next to proceed to Usage Restrictions .

    • Allowed IP addresses: Toggle to add and enter each IP address, IP address range, or wildcard IP addresses specify the IP addresses or ranges that are permitted to request certificates. This can include single IPs, ranges, or wildcard IPs.

    • Operational hours: Toggle to set the operational hours by choosing a Time zone and defining the Hours during which certificate requests are allowed.

    • Operational dates: Toggle to set a start date (Valid from) and an end date (Valid to) for when the certificate management policy can be used.

  19. Click Finish to complete the certificate management policy.

Device group settings

If you selected This certificate management policy will always be used with a device group during the setup of the Certificate Management Policy, then you must link the certificate management policy to a device group and map one of the certificate fields to the device’s identity.

  1. In the Device Trust Manager menu, select Device management > Device groups.

  2. Click the name of a device group to view the Device group details.

  3. Select the Certificate Management Policy tab.

  4. Click Assign certificate management policy.

  5. Select whether the certificate management policy is for issuing a bootstrap certificate or an operational certificate.

  6. Enter a name for the assignment of the certificate management policy to this device group.

Obtain the EST endpoint

Perform the following steps to obtain the EST endpoint to use it with an EST client.

  1. In the Certificate Management > Certificate Management Policies, click on the name of the Certificate Management Policy you configured for EST.

  2. Navigate to the EST section of the Certificate Management Policy details page.

  3. Search for “Enroll” endpoint.

Note that if you are using a Device Group with the Certificate Management Policy, then the Device Group ID is added to the end of the URL.

Use EST

Now that you have the EST endpoint and authentication method (enrollment passcode or authentication certificate), you can use them to perform an EST enrollment.

Both TrustCore SDK and TrustEdge include an EST client that works with Device Trust Manager.

Alternatively, you can also use curl to test the EST enrollment process, as shown in the following sections.

EST Enrollment Request

The client sends an enrollment request (CSR or private key request) to Device Trust Manager’s EST service over a secure HTTPS connection. This request includes the authentication information (password or client certificate) and the CSR regardless of whether the client or Device Trust Manager is configured to generate the private key.

The following is a sample CURL enroll with passcode authentication:

curl --location -X POST 'https://one.digicert.com/.well-known/est/cps/IOT_33fd0b45-3188-45ed-9458-6cedc8ccf509/simpleenroll' \ --header 'Authorization: Basic d1R2UXRrVUdjVTgxQWhWbW9kR0U=' \ --header 'Content-Type: text/plain' \ --data '-----BEGIN CERTIFICATE REQUEST----- MIICfjCCAWYCAQAwOTELMAkGA1UEBhMCVVMxCzAJBgNVBAoMAkRDMQwwCgYDVQQL DANJb1QxDzANBgNVBAMMBkNOLTAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAO3lmplQ9Q6PmYw1JMsr9NS5KKnqZAWuz7/En+R0J+b2hUXfuUUz4D2x CYqvNY6M4YSybi+khjZ2ON2ImFd61VvYMZ/46PENqNQ7o5taj9oJ8KiNrWtDIMt/ e0KNFly5HP8YYFJ2LOwj6ppS8xA+YFmYN0g6KU9UXOD0zpC2OAriVg8mSC2duUPl 4ZGl2MXkvYK46zTWGGuh/BMNWqPvUpOvB92xytPetEwUNoaFap2F7wf52ZR3g3I7 SuReBSSCH89h8ScKffQhYma7uksnQ4pxOfzKGyEexW7vpTX8lPNUzhlHsIlt7Cd1 mvutKahgBQSdP76okYbki1WZIWb4nTcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB AQCaOk5EFYcnQOt+sKLTV+CK67lcffqEd3u11pLgrikAOjKEQ/KijYUNrtCbrn+V qx+EHhQTQJ/H5QCk7D9WOv8sBHV/JBtCGVxM8pxJ7t/6dRVrTpz22hcYRRjULhzx YQj95fncYJ4Kjcd9vwWIdIUSBpdLk7L4nQqMUCuEhUGOzCSURZcprzqb2i2lLer6 en6JVE9BPKmWuCajl+VbrmVjsgGkcF7oTjFLbkBNP5vKYrpVWxZXa0gQ599FpvfF re5/4ILr49X6MJIDz/XX3zdaoVyXonQ+MtcjYHHmtdodu7tD5TVS7PuR7

The following is a sample CURL enroll with certificate authentication:

curl --key client.key --cert client.crt --location -X POST -v 'https://clientauth.one.digicert.com/.well-known/est/cps/IOT_33fd0b45-3188-45ed-9458-6cedc8ccf509/simpleenroll ' \ --header 'Content-Type: text/plain' \ --data '-----BEGIN CERTIFICATE REQUEST----- MIICfjCCAWYCAQAwOTELMAkGA1UEBhMCVVMxCzAJBgNVBAoMAkRDMQwwCgYDVQQL DANJb1QxDzANBgNVBAMMBkNOLTAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAO3lmplQ9Q6PmYw1JMsr9NS5KKnqZAWuz7/En+R0J+b2hUXfuUUz4D2x CYqvNY6M4YSybi+khjZ2ON2ImFd61VvYMZ/46PENqNQ7o5taj9oJ8KiNrWtDIMt/ e0KNFly5HP8YYFJ2LOwj6ppS8xA+YFmYN0g6KU9UXOD0zpC2OAriVg8mSC2duUPl 4ZGl2MXkvYK46zTWGGuh/BMNWqPvUpOvB92xytPetEwUNoaFap2F7wf52ZR3g3I7 SuReBSSCH89h8ScKffQhYma7uksnQ4pxOfzKGyEexW7vpTX8lPNUzhlHsIlt7Cd1 mvutKahgBQSdP76okYbki1WZIWb4nTcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB AQCaOk5EFYcnQOt+sKLTV+CK67lcffqEd3u11pLgrikAOjKEQ/KijYUNrtCbrn+V qx+EHhQTQJ/H5QCk7D9WOv8sBHV/JBtCGVxM8pxJ7t/6dRVrTpz22hcYRRjULhzx YQj95fncYJ4Kjcd9vwWIdIUSBpdLk7L4nQqMUCuEhUGOzCSURZcprzqb2i2lLer6 en6JVE9BPKmWuCajl+VbrmVjsgGkcF7oTjFLbkBNP5vKYrpVWxZXa0gQ599FpvfF re5/4ILr49X6MJIDz/XX3zdaoVyXonQ+MtcjYHHmtdodu7tD5TVS7PuR7l2fjtT5 +r7JGNl/6kGJMj4c9Zx6Mjy2 -----END CERTIFICATE REQUEST-----'

Certificate Issuance

  • Upon verifying the client’s identity and the integrity of the CSR, Device Trust Manager processes the certificate request.

  • If the request is valid, the Device Trust Manager issues a certificate for the client.

  • If the client had requested server-side generated keys, the response would include the private key along with the issued certificate, securely transmitted back to the client over the encrypted session.

Device Trust Manager Response

  • Device Trust Manager responds with a signed X.509 certificate, which is delivered to the client via the EST protocol. If the client had requested server-side generated keys, the response would also include the private key.

  • The client can then store the certificate and use it for secure communications.

Re-enrollment endpoint

The re-enrollment process is a specialized endpoint within the EST protocol used specifically for renewing existing certificates.

EST re-enroll endpoint URL

  1. Navigate to Certificate Management > Certificate Management Policies.

  2. Click the name of the Certificate Management Policy you configured for EST.

  3. Navigate to the EST section of the Certificate Management Policy details page.

  4. Search for “Re-enroll” endpoint.

    Anmerkung

    If you are using a Device Group with the Certificate Management Policy, then the Device Group ID is added to the end of the URL.

Authentication

For re-enrollment, the client must present the certificate that is due for renewal as an authentication certificate in the request.

CSR submission

The client still submits a CSR during the re-enrollment process. However, all identity fields within the CSR (such as the Distinguished Name and Subject Alternative Names) are ignored. This is because the renewed certificate must maintain the same identity as the original certificate being renewed.

Certificate updates

The primary changes that occur during re-enrollment include the assignment of a new certificate serial number and the establishment of new validity dates (start and end) for the renewed certificate.

The following is a sample CURL re-enroll using certificate authentication. The certificate used for authentication must be the certificate you are renewing:

curl --key client.key --cert client.crt --location -X POST -v 'https://clientauth.one.digicert.com/.well-known/est/cps/IOT_33fd0b45-3188-45ed-9458-6cedc8ccf509/simplereenroll' \ --header 'Content-Type: text/plain' \ --data '-----BEGIN CERTIFICATE REQUEST----- MIICfjCCAWYCAQAwOTELMAkGA1UEBhMCVVMxCzAJBgNVBAoMAkRDMQwwCgYDVQQL DANJb1QxDzANBgNVBAMMBkNOLTAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAO3lmplQ9Q6PmYw1JMsr9NS5KKnqZAWuz7/En+R0J+b2hUXfuUUz4D2x CYqvNY6M4YSybi+khjZ2ON2ImFd61VvYMZ/46PENqNQ7o5taj9oJ8KiNrWtDIMt/ e0KNFly5HP8YYFJ2LOwj6ppS8xA+YFmYN0g6KU9UXOD0zpC2OAriVg8mSC2duUPl 4ZGl2MXkvYK46zTWGGuh/BMNWqPvUpOvB92xytPetEwUNoaFap2F7wf52ZR3g3I7 SuReBSSCH89h8ScKffQhYma7uksnQ4pxOfzKGyEexW7vpTX8lPNUzhlHsIlt7Cd1 mvutKahgBQSdP76okYbki1WZIWb4nTcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB AQCaOk5EFYcnQOt+sKLTV+CK67lcffqEd3u11pLgrikAOjKEQ/KijYUNrtCbrn+V qx+EHhQTQJ/H5QCk7D9WOv8sBHV/JBtCGVxM8pxJ7t/6dRVrTpz22hcYRRjULhzx YQj95fncYJ4Kjcd9vwWIdIUSBpdLk7L4nQqMUCuEhUGOzCSURZcprzqb2i2lLer6 en6JVE9BPKmWuCajl+VbrmVjsgGkcF7oTjFLbkBNP5vKYrpVWxZXa0gQ599FpvfF re5/4ILr49X6MJIDz/XX3zdaoVyXonQ+MtcjYHHmtdodu7tD5TVS7PuR7l2fjtT5 +r7JGNl/6kGJMj4c9Zx6Mjy2 -----END CERTIFICATE REQUEST-----'
In diesem Abschnitt: