
Configure and use EST

To perform this action, you must have a user role that contains the Solution administrator permission.

Enrollment over Secure Transport (EST, RFC 7030) is a widely used certificate management protocol for issuing and renewing X.509 certificates for devices and applications over HTTPS. It defines a small set of endpoints for requesting, renewing, and retrieving certificates, and relies on TLS for the confidentiality and integrity of the exchange between the client and the certificate authority (CA) and for authenticating the server to the client. The client, in turn, authenticates to the server with HTTP Basic credentials (an enrollment passcode) or with a TLS client certificate.

DigiCert® Device Trust Manager supports the following EST endpoints:

  • /simpleenroll (initial certificate enrollment from a CSR)

  • /simplereenroll (renewal of an existing certificate, authenticated with that certificate)

  • /cacerts (retrieve the CA certificates the server issues under; no client authentication required)

  • /csrattrs (retrieve the CSR attributes the server expects clients to include)

  • /serverkeygen (enrollment where the server generates the private key and returns it with the certificate)

Both TrustCore SDK and TrustEdge include an EST client that works with Device Trust Manager.

Before you begin

Before configuring EST in Device Trust Manager, contact your DigiCert account representative to set up your account.

A DigiCert system administrator must configure a Root CA and an Intermediate CA in DigiCert® Private CA. If these are missing, contact your DigiCert account representative.

Ensure you've reviewed the following concepts:

Configure EST

Perform the following steps to configure EST:

  1. Create an Authentication Policy, then add authentication credentials to it. See Create an authentication policy.

  2. In the Device Trust Manager menu, go to Certificate management > Certificate management policies.

  3. Select Create certificate management policy to open the General settings of the certificate management policy wizard.

  4. Enter a Name for the certificate management policy.

  5. Choose a Division to assign the policy to.

  6. Select the required Certificate management model.

  7. From the Certificate management methods, choose EST (Enrollment over Secure Transport).

  8. Select the Authentication policy created in step 1. EST clients authenticate with the enrollment passcode or authentication certificate defined in that policy (the same setting applies to the SCEP, CMPv2, and ACME methods).

  9. Click Next to proceed to the Certificate settings page.

  10. Select an End entity certificate profile (defines the certificate structure, including subject fields, extensions, and validity period) or an intermediate certificate profile (signs the certificates issued under this policy).

  11. Select an Issuing CA from the available options. This is the Certificate Authority that will sign the certificates issued under this policy.

  12. Set the Keypair generation preferences.

    You can choose whether the private key is generated on the device, or generated server-side and returned to the device together with the certificate in the response to the EST request. Prefer on-device generation whenever the device can generate its own key pair: the private key then never leaves the device and is never exposed in a response body. Server-side generation is protected only by the TLS session, so the device must store the returned key with restricted permissions immediately.

  13. Click Next to proceed to Usage Restrictions.

    • Allowed IP addresses: Toggle to restrict which source addresses may request certificates under this policy, then enter each permitted single IP address, IP address range, or wildcard IP address.

    • Operational hours: Toggle to set the operational hours by choosing a Time zone and defining the Hours during which certificate requests are allowed.

    • Operational dates: Toggle to set a start date (Valid from) and an end date (Valid to) for when the certificate management policy can be used.

  14. Click Finish to complete the certificate management policy.

Device group settings

If you selected This certificate management policy will always be used with a device group during the setup of the Certificate Management Policy, then you must link the certificate management policy to a device group and map one of the certificate fields to the device’s identity.

  1. In the Device Trust Manager menu, go to Device management > Device groups.

  2. Click the name of a device group to view the Device group details.

  3. Select the Certificate Management Policy tab.

  4. Click Assign certificate management policy.

  5. Select whether the certificate management policy is for issuing a bootstrap certificate or an operational certificate.

  6. Enter a name for the assignment of the certificate management policy to this device group.

Obtain the EST endpoint

Perform the following steps to obtain the EST endpoint to use it with an EST client.

  1. In the Device Trust Manager menu, go to Certificate management > Certificate management policies.

  2. Select the EST certificate management policy you have created.

  3. On the Certificate management policy details page, navigate to the EST section.

  4. Under the EST section, copy the Enroll/reenroll endpoint URL.

Your EST endpoint URL will resemble the example below:

Enroll: https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/{device-group-id}/simpleenroll

Reenroll: https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/{device-group-id}/simplereenroll

Note

If the certificate management policy is used with a device group, the device group ID is appended to the URL path, as shown by the {device-group-id} placeholder above.

Device management

  • Advanced plan: Devices enrolled in the Advanced plan must be registered in Device Trust Manager to enable full device management and security. Registered devices are listed under Device management > Devices, allowing centralized management and control.

  • Essentials plan: Devices in the Essentials plan are not registered for management within the platform. This plan issues certificates without creating device records, so these devices will not appear under Device management > Devices. Instead, certificates issued under this plan can be found under Certificate management > Certificates.

Use EST

Now that you have the EST endpoint and authentication method (enrollment passcode or authentication certificate), you can use them to perform an EST enrollment.

Both TrustCore SDK and TrustEdge include an EST client that works with Device Trust Manager.

Alternatively, you can also use curl to test the EST enrollment process, as shown in the following sections.

EST Enrollment Request

The client sends an enrollment request to Device Trust Manager's EST service over HTTPS. The request carries the client's authentication information (passcode in an HTTP Basic Authorization header, or a TLS client certificate) and a CSR. A CSR is sent even when Device Trust Manager is configured to generate the private key, because the CSR's subject and extensions still describe the certificate being requested; only its public key is superseded by the server-generated key.

The following is a sample curl enroll with passcode authentication. The Basic credential is base64 of user:passcode; the passcode is a secret and must not be logged or embedded in shared scripts:

curl --location https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/33318f48-1177-4233-ad1f-f69ea541d703/simpleenroll \
--header 'Content-Type: application/octet-stream' \
--header 'Authorization: Basic dXNlcjpkeU1PNDdNYThDaWdwblNHR1N1Rg==' \
--data '-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----'

The following is a sample curl enroll with certificate authentication. The authentication certificate is presented as the TLS client certificate (--cert/--key):

curl --location https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/33318f48-1177-4233-ad1f-f69ea541d703/simpleenroll \
--cert "primary.crt" \
--key "portal.key" \
--header "Content-Type: application/pkcs10" \
--data '-----BEGIN CERTIFICATE REQUEST-----
MIICXzCCAUcCAQAwGjEYMBYGA1UEAwwPanItZXN0LXJzYS10ZXN0MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2TmEliVlt0SJFdyvDcgQwcelmkwM9gzH
tXnzu2wzTTrQxi+Dtns7nYuM/ea/BFLjKT1ImzEKvSkEpe66T1DyFZlQDjLil/6Z
hSYMDnR6wm39UC528aOv7dOObte7s1ENuwv8V6y9PInZBwmxbQytyO1PJxNzJzYC
SJmXthZUsrmTGAidYlv7wNJ3isZP/IL9fpWAlkIUmlTOUlDuRXm8uc1PpDCTH7/7
04rytyr9g0SaPS5N1r4E4SGuzaYNOlycjO5DSTY5UYgdfF07alUkaziQpVl2pEkK
DbvG9tkJcuI2yTlYPSiW+pUoLwq3fI95/+GRl3AfKi5CsuXEGf4ESQIDAQABoAAw
DQYJKoZIhvcNAQELBQADggEBALppJFYH1cm7pO99gn+wYTEufUniMJ+DAHP5ucAQ
RjqRjpIziK4dTKuLW0Km09xr4GMzdJXZTgaY54VyWvPnPN5BNsG5y9I//Ykf6+oc
8/oofe1xnmf7V1jJGOmx/zqdNS38LQyiXRbgFUry8fkiDSAvflFQMczfDhVYxSCP
N2nqoY7W5Wg72Ixc7GNyjebCjoZ99NS3NQm+OksUhqc/XJP14KbxKBjYVxdqY4r+
FuMHK2wHBnNkg+AbbiRcE37hVMaLSq9S1LHJd9gy3BkBws26CB3o9/bEMtEq4zrh
vWwIJ3q/+STjAf03AqZ01ibZPP5rX7a+gSBxO03mOnZ6YkI=
-----END CERTIFICATE REQUEST-----'

Certificate Issuance

  • Upon verifying the client’s identity and the integrity of the CSR, Device Trust Manager processes the certificate request.

  • If the request is valid, the Device Trust Manager issues a certificate for the client.

  • If the client requested server-side key generation, the response also carries the private key alongside the issued certificate. The key is protected only by the TLS session it travels over, so the client must write it to storage with restrictive permissions (or into its secure element) and must never log the response body.

Device Trust Manager Response

  • Device Trust Manager responds with the signed X.509 certificate in the EST response format (a base64-encoded PKCS#7 certs-only bundle, Content-Type application/pkcs7-mime, as RFC 7030 specifies). If the client requested server-side key generation, the response also includes the private key.

  • Before storing and using the certificate, the client should confirm that it chains to the CA certificates returned by /cacerts and that it contains the public key from the CSR it submitted. It can then use the certificate for secure communications.
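The enrollment exchange above, end to end, as an added example that is not DigiCert's own code or part of TrustCore SDK/TrustEdge: it generates the key pair and CSR on the device with openssl, fetches the CA bundle from /cacerts, submits the CSR to /simpleenroll with passcode authentication the way the page's curl sample does, and then checks the response type, the chain, and that the issued certificate really contains the device's key. The base URL, account ID, and device-group ID are the placeholders from the page's sample URL; EST_USER and EST_PASSCODE are assumed environment variables holding the authentication policy's credentials; curl and openssl are assumed to be installed.

```shell
#!/bin/sh
# Added example (not DigiCert's code): EST /simpleenroll against Device Trust Manager with curl
# and openssl. Identifiers below are the page's sample placeholders; replace them with the
# Enroll endpoint copied from your certificate management policy.
set -eu

EST_BASE="https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager"
ACCOUNT_ID="IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe"
DEVICE_GROUP_ID="33318f48-1177-4233-ad1f-f69ea541d703"

# Endpoint URL for one EST operation: cacerts, csrattrs, simpleenroll, simplereenroll, serverkeygen.
est_url() {
  printf '%s/%s/device-group/%s/%s' "$EST_BASE" "$ACCOUNT_ID" "$DEVICE_GROUP_ID" "$1"
}

# HTTP Basic credential for passcode authentication: base64("user:passcode") without line breaks.
basic_auth_header() {  # basic_auth_header <user> <passcode>
  printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Generate the key pair and CSR on the device; the private key never leaves it.
make_csr() {  # make_csr <key.pem> <csr.pem> <common-name>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
  chmod 600 "$1"
}

# /cacerts needs no client authentication and returns a base64 PKCS#7 certs-only bundle;
# convert it to PEM so it can serve as the trust anchor for checking what we are issued.
fetch_cacerts() {  # fetch_cacerts <cacerts.pem>
  curl -fsS "$(est_url cacerts)" | base64 -d | openssl pkcs7 -inform DER -print_certs -out "$1"
}

# Submit the CSR with passcode authentication and write the issued certificate as PEM.
# Body and Content-Type follow the page's curl samples (PEM CSR, application/pkcs10).
# curl verifies the server certificate against the system trust store; never add -k here.
simpleenroll() {  # simpleenroll <user> <passcode> <csr.pem> <issued.pem>
  hdrs=$(mktemp)
  curl -fsS --dump-header "$hdrs" \
    -H 'Content-Type: application/pkcs10' \
    -H "$(basic_auth_header "$1" "$2")" \
    --data-binary "@$3" \
    "$(est_url simpleenroll)" | base64 -d | openssl pkcs7 -inform DER -print_certs -out "$4"
  # RFC 7030 defines the success body as application/pkcs7-mime; anything else is not a certificate.
  if grep -iq '^content-type: *application/pkcs7-mime' "$hdrs"; then ok=0; else ok=1; fi
  rm -f "$hdrs"
  return $ok
}

# The issued certificate must chain to the CA published at /cacerts ...
verify_issued() {  # verify_issued <cacerts.pem> <issued.pem>
  openssl verify -CAfile "$1" "$2" >/dev/null
}

# ... and must carry the public key of the CSR we sent, not some other key.
key_matches() {  # key_matches <key.pem> <issued.pem>
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Full flow. Run as: EST_RUN=1 EST_USER=... EST_PASSCODE=... sh est-enroll.sh
if [ "${EST_RUN:-0}" = "1" ]; then
  make_csr device.key device.csr "device-0001"
  fetch_cacerts cacerts.pem
  simpleenroll "$EST_USER" "$EST_PASSCODE" device.csr device.crt
  verify_issued cacerts.pem device.crt
  key_matches device.key device.crt
  echo "enrolled: $(openssl x509 -in device.crt -noout -subject -serial -enddate)"
fi
```

The two post-issuance checks are the ones worth automating on every device: verify_issued catches a response that decoded but was not signed by the expected CA, and key_matches catches a certificate bound to a different key than the one the device holds, which would otherwise fail only later in a TLS handshake.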

Re-enrollment endpoint

Re-enrollment uses a dedicated EST endpoint, /simplereenroll, for renewing certificates that were previously issued.

EST re-enroll endpoint URL

  1. Navigate to Certificate Management > Certificate Management Policies.

  2. Click the name of the Certificate Management Policy you configured for EST.

  3. Navigate to the EST section of the Certificate Management Policy details page.

  4. Copy the Re-enroll endpoint URL.

Authentication

For re-enrollment, the client authenticates by presenting the certificate that is due for renewal as its TLS client certificate (with curl, via --cert and --key). A passcode is not used for this endpoint, so renewal must be scheduled before the current certificate expires; an expired certificate can no longer authenticate a re-enrollment request.

CSR submission

The client still submits a CSR during the re-enrollment process. However, all identity fields within the CSR (such as the Distinguished Name and Subject Alternative Names) are ignored. This is because the renewed certificate must maintain the same identity as the original certificate being renewed.

Certificate updates

The primary changes that occur during re-enrollment include the assignment of a new certificate serial number and the establishment of new validity dates (start and end) for the renewed certificate.

The following is a sample curl re-enroll using certificate authentication. The certificate used for authentication must be the certificate you are renewing, and the request goes to the /simplereenroll endpoint rather than /simpleenroll:

curl --location https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/33318f48-1177-4233-ad1f-f69ea541d703/simplereenroll \
--cert "primary.crt" \
--key "portal.key" \
--header "Content-Type: application/pkcs10" \
--data '-----BEGIN CERTIFICATE REQUEST-----
MIICXzCCAUcCAQAwGjEYMBYGA1UEAwwPanItZXN0LXJzYS10ZXN0MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2TmEliVlt0SJFdyvDcgQwcelmkwM9gzH
tXnzu2wzTTrQxi+Dtns7nYuM/ea/BFLjKT1ImzEKvSkEpe66T1DyFZlQDjLil/6Z
hSYMDnR6wm39UC528aOv7dOObte7s1ENuwv8V6y9PInZBwmxbQytyO1PJxNzJzYC
SJmXthZUsrmTGAidYlv7wNJ3isZP/IL9fpWAlkIUmlTOUlDuRXm8uc1PpDCTH7/7
04rytyr9g0SaPS5N1r4E4SGuzaYNOlycjO5DSTY5UYgdfF07alUkaziQpVl2pEkK
DbvG9tkJcuI2yTlYPSiW+pUoLwq3fI95/+GRl3AfKi5CsuXEGf4ESQIDAQABoAAw
DQYJKoZIhvcNAQELBQADggEBALppJFYH1cm7pO99gn+wYTEufUniMJ+DAHP5ucAQ
RjqRjpIziK4dTKuLW0Km09xr4GMzdJXZTgaY54VyWvPnPN5BNsG5y9I//Ykf6+oc
8/oofe1xnmf7V1jJGOmx/zqdNS38LQyiXRbgFUry8fkiDSAvflFQMczfDhVYxSCP
N2nqoY7W5Wg72Ixc7GNyjebCjoZ99NS3NQm+OksUhqc/XJP14KbxKBjYVxdqY4r+
FuMHK2wHBnNkg+AbbiRcE37hVMaLSq9S1LHJd9gy3BkBws26CB3o9/bEMtEq4zrh
vWwIJ3q/+STjAf03AqZ01ibZPP5rX7a+gSBxO03mOnZ6YkI=
-----END CERTIFICATE REQUEST-----'
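The renewal flow described in this section with the checks a device should run before it swaps in the renewed certificate, as an added example that is not DigiCert's own code: it authenticates to /simplereenroll with the current certificate, generates a fresh key pair for the renewal (RFC 7030 permits a new key on re-enroll), and then confirms the renewed certificate kept the same subject and subject alternative names but received a new serial number and a later notAfter, exactly the properties the "CSR submission" and "Certificate updates" paragraphs describe. The URL is the page's sample Re-enroll endpoint with the sample device-group ID; the file names device.crt/device.key are assumptions; curl, openssl, and GNU date are assumed to be installed.

```shell
#!/bin/sh
# Added example (not DigiCert's code): EST /simplereenroll against Device Trust Manager, followed
# by a comparison of the old and renewed certificates against the re-enrollment rules.
set -eu

# Page's sample Re-enroll endpoint; replace with the one copied from your policy.
REENROLL_URL="https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/33318f48-1177-4233-ad1f-f69ea541d703/simplereenroll"

# Authenticate with the certificate being renewed (TLS client cert) and submit the CSR.
# The server ignores the CSR's identity fields, so only the key in it matters.
simplereenroll() {  # simplereenroll <current.crt> <current.key> <renew.csr> <renewed.crt>
  curl -fsS --cert "$1" --key "$2" \
    -H 'Content-Type: application/pkcs10' \
    --data-binary "@$3" \
    "$REENROLL_URL" | base64 -d | openssl pkcs7 -inform DER -print_certs -out "$4"
}

# One key=value line per field the re-enrollment rules talk about.
cert_summary() {  # cert_summary <cert.pem>
  printf 'subject=%s\n' "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')"
  printf 'san=%s\n' "$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | sed 1d | tr -d ' \n')"
  printf 'serial=%s\n' "$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')"
  printf 'notafter_epoch=%s\n' "$(date -u -d "$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')" +%s)"
}

# Extract one field from a summary produced by cert_summary.
field() {  # field <summary> <name>
  printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# Identity must be unchanged; serial must be rotated; validity must be extended.
renewal_ok() {  # renewal_ok <old-summary> <new-summary>
  [ "$(field "$1" subject)" = "$(field "$2" subject)" ] || { echo "subject changed" >&2; return 1; }
  [ "$(field "$1" san)" = "$(field "$2" san)" ] || { echo "subjectAltName changed" >&2; return 1; }
  [ "$(field "$1" serial)" != "$(field "$2" serial)" ] || { echo "serial number not rotated" >&2; return 1; }
  [ "$(field "$2" notafter_epoch)" -gt "$(field "$1" notafter_epoch)" ] || { echo "validity not extended" >&2; return 1; }
  return 0
}

# Full flow. Run as: EST_RUN=1 sh est-reenroll.sh (expects device.crt and device.key to exist)
if [ "${EST_RUN:-0}" = "1" ]; then
  # Fresh key pair for the renewed certificate; the CSR subject is irrelevant and is ignored.
  openssl req -new -newkey rsa:2048 -nodes -keyout renewed.key -out renew.csr -subj "/CN=ignored" 2>/dev/null
  chmod 600 renewed.key
  simplereenroll device.crt device.key renew.csr renewed.crt
  renewal_ok "$(cert_summary device.crt)" "$(cert_summary renewed.crt)"
  # The renewed certificate must carry the new key, or the device cannot use it.
  [ "$(openssl pkey -in renewed.key -pubout)" = "$(openssl x509 -in renewed.crt -noout -pubkey)" ]
  # Only after every check passes, swap the new pair in atomically.
  mv renewed.key device.key && mv renewed.crt device.crt
  echo "renewed: $(openssl x509 -in device.crt -noout -serial -enddate)"
fi
```

Keep the previous certificate and key until the checks pass and the new pair is in place: if the server rejects the request (for example because the current certificate has already expired) the device still holds working credentials and can raise an alert instead of losing its identity.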