
Configure and use EST

To perform this action, you must have a user role that contains the Solution administrator permission.

Enrollment over Secure Transport (EST, RFC 7030) is a widely used certificate management protocol for securely issuing, renewing, and retrieving certificates for devices and applications over HTTPS. EST simplifies enrolling devices for digital certificates, and TLS (Transport Layer Security) protects the confidentiality and integrity of the communication between the client and the certificate authority (CA).

DigiCert® Device Trust Manager supports the following EST endpoints:

  • /simpleenroll

  • /simplereenroll

  • /cacerts

  • /csrattrs

  • /serverkeygen

Both TrustCore SDK and TrustEdge include an EST client that works with Device Trust Manager.

Before you begin

Before configuring EST in Device Trust Manager, contact your DigiCert account representative to set up your account.

A DigiCert system administrator must configure a Root CA and an Intermediate CA in DigiCert® Private CA. If you are missing these, contact your DigiCert account representative.

Ensure you've reviewed the following concepts:

Configure EST

Perform the following steps to configure EST:

  1. Create an Authentication Policy, then add authentication credentials to it. See Create an authentication policy.

  2. In the Device Trust Manager menu, go to Certificate management > Certificate management policies.

  3. Select Create certificate management policy to open the General settings of the certificate management policy wizard.

  4. Enter a Name for the certificate management policy.

  5. Choose a Division to assign the policy to.

  6. Select the required Certificate management model.

  7. From the Certificate management methods, choose EST (Enrollment over Secure Transport).

  8. Select an Authentication policy if required for EST, SCEP, CMPv2, or ACME methods.

  9. Click Next to proceed to the Certificate settings page.

  10. Select an End entity certificate profile (defines the certificate structure, including subject fields, extensions, and validity period) or an intermediate certificate profile (signs the certificates issued under this policy).

  11. Select an Issuing CA from the available options. This is the Certificate Authority that will sign the certificates issued under this policy.

  12. Set the Keypair generation preferences.

    You can set whether the private key is generated on the device or on the server side and returned to the device in the response to the EST certificate request.

  13. Click Next to proceed to Usage Restrictions.

    • Allowed IP addresses: Toggle this on, then add each IP address, IP address range, or wildcard IP address from which certificate requests are allowed. You can specify a single IP, a range, or a wildcard IP.

    • Operating hours: Toggle on the operating hours setting, select a Time zone, and define the Hours during which certificate requests are allowed.

    • Operating days: Set the start and end dates (Valid from and Valid to) between which the certificate management policy can be used.

  14. Click Finish to complete the certificate management policy.

Device group settings

If you selected This certificate management policy will always be used with a device group during the setup of the Certificate Management Policy, then you must link the certificate management policy to a device group and map one of the certificate fields to the device’s identity.

  1. In the Device Trust Manager menu, go to Device management > Device groups.

  2. Click the name of a device group to view the Device group details.

  3. Select the Certificate Management Policy tab.

  4. Click Assign certificate management policy.

  5. Select whether the certificate management policy is for issuing a bootstrap certificate or an operational certificate.

  6. Enter a name for the assignment of the certificate management policy to this device group.

Obtain the EST endpoint

Follow these steps to obtain the EST endpoint for use with your EST client.

  1. In the Device Trust Manager menu, go to Certificate management > Certificate management policies.

  2. Select the EST certificate management policy you have created.

  3. On the Certificate management policy details page, navigate to the EST section.

  4. Under the EST section, copy the Enroll/reenroll endpoint URL.

Your EST endpoint URL will resemble the example below:

Enroll: https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/{device-group-id}/simpleenroll

Reenroll: https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/{device-group-id}/simplereenroll

Note

Note that if you are using a Device Group with the Certificate Management Policy, then the Device Group ID is added to the end of the URL.

Device management

  • Advanced plan: To enable full management and security of devices enrolled in the Advanced plan, the devices must be registered with Device Trust Manager. Registered devices are listed under Device management > Devices, allowing centralized management control.

  • Essentials plan: Devices on the Essentials plan are not registered for management in the platform. Under this plan, certificates are issued without creating a device record, so these devices do not appear under Device management > Devices. Instead, certificates issued under this plan are found under Certificate management > Certificates.

Use EST

Now that you have the EST endpoint and authentication method (enrollment passcode or authentication certificate), you can use them to perform an EST enrollment.

Both TrustCore SDK and TrustEdge include an EST client that works with Device Trust Manager.

Alternatively, you can also use curl to test the EST enrollment process, as shown in the following sections.

EST Enrollment Request

The client sends an enrollment request (CSR or private key request) to Device Trust Manager’s EST service over a secure HTTPS connection. This request includes the authentication information (password or client certificate) and the CSR regardless of whether the client or Device Trust Manager is configured to generate the private key.

The following is a sample curl enroll with passcode authentication:

curl --location https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/33318f48-1177-4233-ad1f-f69ea541d703/simpleenroll \
--header 'Content-Type: application/octet-stream' \
--header 'Authorization: Basic dXNlcjpkeU1PNDdNYThDaWdwblNHR1N1Rg==' \
--data '-----BEGIN CERTIFICATE REQUEST-----
MIICXzCCAUcCAQAwGjEYMBYGA1UEAwwPanItZXN0LXJzYS10ZXN0MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2TmEliVlt0SJFdyvDcgQwcelmkwM9gzH
tXnzu2wzTTrQxi+Dtns7nYuM/ea/BFLjKT1ImzEKvSkEpe66T1DyFZlQDjLil/6Z
hSYMDnR6wm39UC528aOv7dOObte7s1ENuwv8V6y9PInZBwmxbQytyO1PJxNzJzYC
SJmXthZUsrmTGAidYlv7wNJ3isZP/IL9fpWAlkIUmlTOUlDuRXm8uc1PpDCTH7/7
04rytyr9g0SaPS5N1r4E4SGuzaYNOlycjO5DSTY5UYgdfF07alUkaziQpVl2pEkK
DbvG9tkJcuI2yTlYPSiW+pUoLwq3fI95/+GRl3AfKi5CsuXEGf4ESQIDAQABoAAw
DQYJKoZIhvcNAQELBQADggEBALppJFYH1cm7pO99gn+wYTEufUniMJ+DAHP5ucAQ
RjqRjpIziK4dTKuLW0Km09xr4GMzdJXZTgaY54VyWvPnPN5BNsG5y9I//Ykf6+oc
8/oofe1xnmf7V1jJGOmx/zqdNS38LQyiXRbgFUry8fkiDSAvflFQMczfDhVYxSCP
N2nqoY7W5Wg72Ixc7GNyjebCjoZ99NS3NQm+OksUhqc/XJP14KbxKBjYVxdqY4r+
FuMHK2wHBnNkg+AbbiRcE37hVMaLSq9S1LHJd9gy3BkBws26CB3o9/bEMtEq4zrh
vWwIJ3q/+STjAf03AqZ01ibZPP5rX7a+gSBxO03mOnZ6YkI=
-----END CERTIFICATE REQUEST-----'

The following is a sample curl enroll with certificate authentication:

curl --location https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/33318f48-1177-4233-ad1f-f69ea541d703/simpleenroll \
--cert "primary.crt" \
--key "portal.key" \
--header "Content-Type: application/pkcs10" \
--data '-----BEGIN CERTIFICATE REQUEST-----
MIICXzCCAUcCAQAwGjEYMBYGA1UEAwwPanItZXN0LXJzYS10ZXN0MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2TmEliVlt0SJFdyvDcgQwcelmkwM9gzH
tXnzu2wzTTrQxi+Dtns7nYuM/ea/BFLjKT1ImzEKvSkEpe66T1DyFZlQDjLil/6Z
hSYMDnR6wm39UC528aOv7dOObte7s1ENuwv8V6y9PInZBwmxbQytyO1PJxNzJzYC
SJmXthZUsrmTGAidYlv7wNJ3isZP/IL9fpWAlkIUmlTOUlDuRXm8uc1PpDCTH7/7
04rytyr9g0SaPS5N1r4E4SGuzaYNOlycjO5DSTY5UYgdfF07alUkaziQpVl2pEkK
DbvG9tkJcuI2yTlYPSiW+pUoLwq3fI95/+GRl3AfKi5CsuXEGf4ESQIDAQABoAAw
DQYJKoZIhvcNAQELBQADggEBALppJFYH1cm7pO99gn+wYTEufUniMJ+DAHP5ucAQ
RjqRjpIziK4dTKuLW0Km09xr4GMzdJXZTgaY54VyWvPnPN5BNsG5y9I//Ykf6+oc
8/oofe1xnmf7V1jJGOmx/zqdNS38LQyiXRbgFUry8fkiDSAvflFQMczfDhVYxSCP
N2nqoY7W5Wg72Ixc7GNyjebCjoZ99NS3NQm+OksUhqc/XJP14KbxKBjYVxdqY4r+
FuMHK2wHBnNkg+AbbiRcE37hVMaLSq9S1LHJd9gy3BkBws26CB3o9/bEMtEq4zrh
vWwIJ3q/+STjAf03AqZ01ibZPP5rX7a+gSBxO03mOnZ6YkI=
-----END CERTIFICATE REQUEST-----'

Certificate Issuance

  • Upon verifying the client’s identity and the integrity of the CSR, Device Trust Manager processes the certificate request.

  • If the request is valid, the Device Trust Manager issues a certificate for the client.

  • If the client had requested server-side generated keys, the response would include the private key along with the issued certificate, securely transmitted back to the client over the encrypted session.

Device Trust Manager Response

  • Device Trust Manager responds with a signed X.509 certificate, which is delivered to the client via the EST protocol. If the client had requested server-side generated keys, the response would also include the private key.

  • The client can then store the certificate and use it for secure communications.
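Handling the response described above, as an added example that is not part of DigiCert's documentation or of the TrustCore SDK / TrustEdge clients: RFC 7030 returns the /simpleenroll, /simplereenroll and /cacerts bodies as base64-encoded PKCS#7 certs-only SignedData, and this stdlib-only parser walks the DER to pull out the certificate(s) and wrap them in PEM armor for the device to store. The sample response is constructed around a placeholder SEQUENCE so it runs offline; the multipart /serverkeygen response that also carries the private key is not handled here.

```python
import base64

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """(tag, value, raw_tlv) for each element inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, nxt = read_tlv(value, pos)
        out.append((tag, val, value[pos:nxt]))
        pos = nxt
    return out

def certs_from_est_response(body):
    """DER certificates in an EST certs-only PKCS#7 response (RFC 7030 base64 body)."""
    der_bytes = base64.b64decode(b"".join(body.split()))  # tolerate line breaks
    tag, content_info, _ = read_tlv(der_bytes, 0)
    (ct_tag, ct_val, _), (ex_tag, ex_val, _) = children(content_info)  # ContentInfo
    if (tag, ct_tag, ct_val, ex_tag) != (0x30, 0x06, OID_SIGNED_DATA, 0xA0):
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    # SignedData fields: version, digestAlgorithms, encapContentInfo, [0] certificates, ...
    for t, v, _ in children(children(ex_val)[0][1]):
        if t == 0xA0:  # [0] IMPLICIT SET OF Certificate: keep each full TLV
            return [raw for _, _, raw in children(v)]
    return []

def to_pem(cert_der):
    """Wrap a DER certificate in PEM armor, 64 characters per line."""
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def der(tag, value):
    """Tiny DER encoder, used only to build the constructed sample below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

# Constructed sample: certs-only SignedData around a placeholder SEQUENCE (not a real X.509 cert)
FAKE_CERT = der(0x30, der(0x02, b"\x01") + der(0x0C, b"placeholder-cert" * 10))
SAMPLE_RESPONSE = base64.b64encode(der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, der(
    0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")))
    + der(0xA0, FAKE_CERT) + der(0x31, b"")))))
```

Feed the raw body of a real enroll or re-enroll response to `certs_from_est_response`; a real certificate always uses long-form DER lengths, which the constructed sample exercises as well.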

Re-enrollment endpoint

Re-enrollment uses a dedicated EST endpoint (/simplereenroll) for renewing existing certificates.

EST re-enroll endpoint URL

  1. Navigate to Certificate Management > Certificate Management Policies.

  2. Click the name of the Certificate Management Policy you configured for EST.

  3. Navigate to the EST section of the Certificate Management Policy details page.

  4. Locate the Re-enroll endpoint.

Authentication

For re-enrollment, the client must present the certificate that is due for renewal as an authentication certificate in the request.

CSR submission

The client still submits a CSR during the re-enrollment process. However, all identity fields within the CSR (such as the Distinguished Name and Subject Alternative Names) are ignored. This is because the renewed certificate must maintain the same identity as the original certificate being renewed.

Certificate updates

The primary changes that occur during re-enrollment include the assignment of a new certificate serial number and the establishment of new validity dates (start and end) for the renewed certificate.

The following is a sample curl re-enroll using certificate authentication. The certificate used for authentication must be the certificate you are renewing, and the request goes to the /simplereenroll endpoint:

curl --location https://clientauth.demo.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/33318f48-1177-4233-ad1f-f69ea541d703/simplereenroll \
--cert "primary.crt" \
--key "portal.key" \
--header "Content-Type: application/pkcs10" \
--data '-----BEGIN CERTIFICATE REQUEST-----
MIICXzCCAUcCAQAwGjEYMBYGA1UEAwwPanItZXN0LXJzYS10ZXN0MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2TmEliVlt0SJFdyvDcgQwcelmkwM9gzH
tXnzu2wzTTrQxi+Dtns7nYuM/ea/BFLjKT1ImzEKvSkEpe66T1DyFZlQDjLil/6Z
hSYMDnR6wm39UC528aOv7dOObte7s1ENuwv8V6y9PInZBwmxbQytyO1PJxNzJzYC
SJmXthZUsrmTGAidYlv7wNJ3isZP/IL9fpWAlkIUmlTOUlDuRXm8uc1PpDCTH7/7
04rytyr9g0SaPS5N1r4E4SGuzaYNOlycjO5DSTY5UYgdfF07alUkaziQpVl2pEkK
DbvG9tkJcuI2yTlYPSiW+pUoLwq3fI95/+GRl3AfKi5CsuXEGf4ESQIDAQABoAAw
DQYJKoZIhvcNAQELBQADggEBALppJFYH1cm7pO99gn+wYTEufUniMJ+DAHP5ucAQ
RjqRjpIziK4dTKuLW0Km09xr4GMzdJXZTgaY54VyWvPnPN5BNsG5y9I//Ykf6+oc
8/oofe1xnmf7V1jJGOmx/zqdNS38LQyiXRbgFUry8fkiDSAvflFQMczfDhVYxSCP
N2nqoY7W5Wg72Ixc7GNyjebCjoZ99NS3NQm+OksUhqc/XJP14KbxKBjYVxdqY4r+
FuMHK2wHBnNkg+AbbiRcE37hVMaLSq9S1LHJd9gy3BkBws26CB3o9/bEMtEq4zrh
vWwIJ3q/+STjAf03AqZ01ibZPP5rX7a+gSBxO03mOnZ6YkI=
-----END CERTIFICATE REQUEST-----'