EST
DigiCert® Private CA supports enrollment and renewal of end entity certificates using the Enrollment over Secure Transport (EST) protocol.
Important
Make sure you have an end entity certificate template in DigiCert Private CA that fits your certificate requirements before you start creating a profile.
To create an EST profile in DigiCert Private CA:
1. In the main menu, select Profiles.
2. Under Protocols, select EST.
3. Enter a Profile name.
4. [Optional] Add a Description for the profile.
5. Select the Protocol version from the available options.
6. In Issuer ID, select the private intermediate certificate authority that issues the certificates requested through this profile.
7. Select a Certificate template ID. A profile uses exactly one template; create separate profiles if you need different templates or certificate settings.
8. Set the Certificate validity details, that is, how many days, months, or years the issued certificates are valid.
9. Enter the Renewal window as a number of days. Your private CA accepts a renewal request only while the existing certificate is inside this window and rejects any renewal request outside it.
10. Select the Authentication method. The EST client or registration authority that submits requests to this profile must be configured to authenticate with the same method.
11. Select the Signature algorithm the profile supports.
12. Select Submit.
Your EST profile is saved.
Select Profiles in the main menu to see your saved profiles.
EST URL
Each EST profile you create in DigiCert® Private CA exposes three protocol endpoints, one for each EST operation defined in RFC 7030 that the profile supports.
These URLs let clients retrieve the issuing CA certificates, enroll for new certificates, and renew existing ones.
You must configure these URLs in your EST clients so they request certificates from your private CA.
To copy a URL, select the profile and open its Profile details page.
The EST URLs in DigiCert® Private CA are structured as follows:
https://<your-ca-domain>/.well-known/est/CA_<ProfileID>/cacerts
https://<your-ca-domain>/.well-known/est/CA_<ProfileID>/simpleenroll
https://<your-ca-domain>/.well-known/est/CA_<ProfileID>/simplereenroll
Where:
https://<your-ca-domain> is the base domain of your DigiCert Private CA instance.
/.well-known/est/ is the standard EST path segment defined by RFC 7030. It identifies the request as an EST transaction over HTTPS.
CA_<ProfileID> is the unique identifier of the EST issuance profile. The CA_ prefix distinguishes DigiCert® Private CA EST routes from those of other DigiCert services (such as Trust Lifecycle Manager), and <ProfileID> is the ID of the profile you created.
/cacerts is the endpoint EST clients use to download the CA certificates (a base64-encoded PKCS#7 certs-only structure) so they can establish trust before enrollment. The chain is only as trustworthy as the TLS connection that delivered it, so the client must verify the server certificate on that connection or confirm the chain out of band rather than accept it blindly.
/simpleenroll is the endpoint for initial enrollment requests (new certificates). The client authenticates with the Authentication method configured in the profile.
/simplereenroll is the endpoint for re-enrollment (renewal) requests. Clients authenticate over TLS with the certificate they already hold, and the request must fall inside the profile's Renewal window.
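The following script is an added example, not tooling from DigiCert or from this documentation. It walks an EST client through the three endpoints above with curl and openssl: fetch and pin the CA chain from /cacerts, enroll a fresh key through /simpleenroll with HTTP Basic credentials, and renew through /simplereenroll using the issued certificate as the TLS client certificate. The host ca.example.internal, the profile ID 1234, the EST_USER/EST_PASS credentials, the subject CN, the 30-day window, and the local file names are placeholders chosen for the example; the profile is assumed to use username/password authentication for initial enrollment, and GNU coreutils base64 is assumed.

```shell
#!/usr/bin/env bash
# Added example, not DigiCert's own tooling: exercise the three EST endpoints
# of one Private CA profile with curl and openssl (GNU coreutils base64 assumed).
# Placeholders that are NOT from the page: the host ca.example.internal, the
# profile ID 1234, the HTTP Basic credentials in EST_USER/EST_PASS, the subject
# CN, the 30-day window and the local file names.
set -euo pipefail

EST_HOST="${EST_HOST:-ca.example.internal}"   # placeholder CA domain
PROFILE_ID="${PROFILE_ID:-1234}"              # placeholder EST profile ID

# Build an endpoint URL in the documented shape:
#   https://<host>/.well-known/est/CA_<ProfileID>/<operation>
# Only the three operations the profile exposes are accepted.
est_url() {
  local host="$1" profile="$2" op="$3"
  case "$op" in
    cacerts|simpleenroll|simplereenroll) ;;
    *) echo "est_url: unsupported operation '$op'" >&2; return 1 ;;
  esac
  printf 'https://%s/.well-known/est/CA_%s/%s\n' "$host" "$profile" "$op"
}

# /cacerts: the body is a base64-encoded PKCS#7 "certs-only" structure.
# Decode it to PEM so later requests can pin the issuing chain with --cacert.
# The chain is only trustworthy because this TLS connection is verified
# against the system trust store (no -k/--insecure here).
est_cacerts() {
  curl -fsS "$(est_url "$EST_HOST" "$PROFILE_ID" cacerts)" \
    | base64 -d \
    | openssl pkcs7 -inform DER -print_certs -out est-ca-chain.pem
}

# /simpleenroll: POST a base64 DER CSR (Content-Type application/pkcs10),
# authenticating with HTTP Basic credentials that match the profile's
# Authentication method. The reply is base64 PKCS#7 holding the new cert.
est_simpleenroll() {
  umask 077                                   # private key readable by owner only
  openssl req -new -newkey rsa:3072 -nodes -keyout device.key \
    -subj "/CN=device-0001" -outform DER 2>/dev/null \
    | base64 > device.csr.b64
  curl -fsS --cacert est-ca-chain.pem \
    -u "${EST_USER}:${EST_PASS}" \
    -H 'Content-Type: application/pkcs10' \
    -H 'Content-Transfer-Encoding: base64' \
    --data-binary @device.csr.b64 \
    "$(est_url "$EST_HOST" "$PROFILE_ID" simpleenroll)" \
    | base64 -d \
    | openssl pkcs7 -inform DER -print_certs -out device.pem
}

# /simplereenroll: same CSR shape, but the client authenticates over TLS with
# the certificate it already holds instead of a password. Only attempt it
# inside the profile's Renewal window; outside it the CA rejects the request.
est_simplereenroll() {
  openssl req -new -key device.key -subj "/CN=device-0001" -outform DER 2>/dev/null \
    | base64 > device.renew.csr.b64
  curl -fsS --cacert est-ca-chain.pem \
    --cert device.pem --key device.key \
    -H 'Content-Type: application/pkcs10' \
    -H 'Content-Transfer-Encoding: base64' \
    --data-binary @device.renew.csr.b64 \
    "$(est_url "$EST_HOST" "$PROFILE_ID" simplereenroll)" \
    | base64 -d \
    | openssl pkcs7 -inform DER -print_certs -out device.renewed.pem
}

# Exit 0 when the certificate in $1 expires within the next $2 days, i.e. when
# a renewal request would fall inside a renewal window of that many days.
# (openssl -checkend returns non-zero when the cert WILL expire in that time.)
within_renewal_window() {
  local cert="$1" days="$2"
  ! openssl x509 -noout -checkend "$(( days * 86400 ))" -in "$cert"
}

# Run the full sequence only when explicitly asked (EST_RUN=1), so sourcing
# this file or running it without network access just defines the functions.
if [ "${EST_RUN:-}" = "1" ]; then
  est_cacerts
  est_simpleenroll
  if within_renewal_window device.pem 30; then
    est_simplereenroll
  fi
fi
```

Run with EST_RUN=1 EST_USER=... EST_PASS=... after setting EST_HOST and PROFILE_ID to the values shown on your Profile details page. The order matters: /cacerts first, so that the enrollment and renewal requests pin the issuing chain rather than trusting whatever the system store accepts, and the renewal step is skipped when the certificate is still outside the window, because the CA would reject it anyway.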