
Configure and use EST

Enrollment over Secure Transport (EST, RFC 7030) is a widely used certificate management protocol for securely issuing, renewing, and retrieving certificates for devices and applications over HTTPS. It simplifies enrolling devices for digital certificates, and TLS (Transport Layer Security) protects the confidentiality and integrity of the exchange between the client and the certificate authority (CA).

DigiCert® Device Trust Manager supports the following EST endpoints:

  • /simpleenroll

  • /simplereenroll

  • /cacerts

  • /csrattrs

  • /serverkeygen

Both TrustCore SDK and TrustEdge include an EST client that works with Device Trust Manager.

Before you begin

Before configuring EST in Device Trust Manager, contact your DigiCert account representative to set up your account.

A DigiCert system administrator must configure a Root CA and an Intermediate CA in the DigiCert® Private CA. If you are missing these, contact your DigiCert account representative.

Ensure you've reviewed the following concepts:

Configure EST

Perform the following steps to configure EST:

  1. Sign in to DigiCert® ONE as a Solution Administrator.

  2. In DigiCert ONE, in the Manager menu (grid at top right), select Device Trust.

  3. In the Device Trust Manager menu, select Authentication management > Authentication policies.

  4. Select Create authentication policy.

  5. Create an Authentication Policy and add authentication credentials to the authentication policy.

    See Create an authentication policy and Add credentials to an authentication policy for a detailed procedure.

  6. In the Device Trust Manager menu, select Certificate management > Certificate management policies > Create certificate management policy.

  7. Create a certificate management policy.

    See Create a certificate management policy for a detailed procedure.

  8. Open the General settings of the certificate management policy wizard.

  9. Enter a Name for the certificate management policy.

  10. Choose a Division to assign the policy to.

  11. Select EST (Enrollment over Secure Transport) from the certificate management model.

  12. Select an Authentication policy if required.

  13. Click Next to proceed to the Certificate settings page.

  14. Select an End entity certificate profile that defines the certificate structure, including subject fields, extensions, and validity period.

  15. Select an Intermediate certificate profile from the available options. This intermediate CA will sign the certificates issued under this policy.

  16. Select an Issuing CA from the available options. This is the Certificate Authority that will sign the certificates issued under this policy.

  17. Set the Keypair generation preferences.

    You can set whether you want the private key to be generated on the device or on the server-side and passed on to the device in the response to the EST certificate request.

  18. Click Next to proceed to Usage Restrictions.

    • Allowed IP addresses: Toggle this on and add each IP address, IP address range, or wildcard IP address from which certificate requests are allowed. You can specify a single IP, a range, or a wildcard IP.

    • Hours of operation: Toggle this on, select the Time zone, and define the Hours during which certificate requests are allowed.

    • Days of operation: Set the start and end dates (Valid from and Valid to) between which the certificate management policy can be used.

  19. Click Finish to complete the certificate management policy.

Device group settings

If you selected This certificate management policy will always be used with a device group during the setup of the Certificate Management Policy, then you must link the certificate management policy to a device group and map one of the certificate fields to the device’s identity.

  1. In the Device Trust Manager menu, select Device management > Device groups.

  2. Click the name of a device group to view the Device group details.

  3. Select the Certificate Management Policy tab.

  4. Click Assign certificate management policy.

  5. Select whether the certificate management policy is for issuing a bootstrap certificate or an operational certificate.

  6. Enter a name for the assignment of the certificate management policy to this device group.

Obtain the EST endpoint

Use the following steps to obtain the EST endpoint for use with your EST client.

  1. In Certificate management > Certificate management policies, click the name of the certificate management policy you configured for EST.

  2. Navigate to the EST section of the Certificate Management Policy details page.

  3. Search for the Enroll endpoint.

Note that if you are using a Device Group with the Certificate Management Policy, then the Device Group ID is added to the end of the URL.

Use EST

Now that you have the EST endpoint and authentication method (enrollment passcode or authentication certificate), you can use them to perform an EST enrollment.

Both TrustCore SDK and TrustEdge include an EST client that works with Device Trust Manager.

Alternatively, you can also use curl to test the EST enrollment process, as shown in the following sections.

EST Enrollment Request

The client sends an enrollment request (CSR or private key request) to Device Trust Manager’s EST service over a secure HTTPS connection. This request includes the authentication information (password or client certificate) and the CSR regardless of whether the client or Device Trust Manager is configured to generate the private key.

The following is a sample curl enrollment request using passcode authentication (the passcode is sent as an HTTP Basic Authorization header):

curl --location -X POST 'https://one.digicert.com/.well-known/est/cps/IOT_33fd0b45-3188-45ed-9458-6cedc8ccf509/simpleenroll' \
  --header 'Authorization: Basic d1R2UXRrVUdjVTgxQWhWbW9kR0U=' \
  --header 'Content-Type: text/plain' \
  --data '-----BEGIN CERTIFICATE REQUEST-----
MIICfjCCAWYCAQAwOTELMAkGA1UEBhMCVVMxCzAJBgNVBAoMAkRDMQwwCgYDVQQL
DANJb1QxDzANBgNVBAMMBkNOLTAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAO3lmplQ9Q6PmYw1JMsr9NS5KKnqZAWuz7/En+R0J+b2hUXfuUUz4D2x
CYqvNY6M4YSybi+khjZ2ON2ImFd61VvYMZ/46PENqNQ7o5taj9oJ8KiNrWtDIMt/
e0KNFly5HP8YYFJ2LOwj6ppS8xA+YFmYN0g6KU9UXOD0zpC2OAriVg8mSC2duUPl
4ZGl2MXkvYK46zTWGGuh/BMNWqPvUpOvB92xytPetEwUNoaFap2F7wf52ZR3g3I7
SuReBSSCH89h8ScKffQhYma7uksnQ4pxOfzKGyEexW7vpTX8lPNUzhlHsIlt7Cd1
mvutKahgBQSdP76okYbki1WZIWb4nTcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB
AQCaOk5EFYcnQOt+sKLTV+CK67lcffqEd3u11pLgrikAOjKEQ/KijYUNrtCbrn+V
qx+EHhQTQJ/H5QCk7D9WOv8sBHV/JBtCGVxM8pxJ7t/6dRVrTpz22hcYRRjULhzx
YQj95fncYJ4Kjcd9vwWIdIUSBpdLk7L4nQqMUCuEhUGOzCSURZcprzqb2i2lLer6
en6JVE9BPKmWuCajl+VbrmVjsgGkcF7oTjFLbkBNP5vKYrpVWxZXa0gQ599FpvfF
re5/4ILr49X6MJIDz/XX3zdaoVyXonQ+MtcjYHHmtdodu7tD5TVS7PuR7

The following is a sample curl enrollment request using certificate authentication (the client certificate and key are presented during the TLS handshake):

curl --key client.key --cert client.crt --location -X POST -v 'https://clientauth.one.digicert.com/.well-known/est/cps/IOT_33fd0b45-3188-45ed-9458-6cedc8ccf509/simpleenroll' \
  --header 'Content-Type: text/plain' \
  --data '-----BEGIN CERTIFICATE REQUEST-----
MIICfjCCAWYCAQAwOTELMAkGA1UEBhMCVVMxCzAJBgNVBAoMAkRDMQwwCgYDVQQL
DANJb1QxDzANBgNVBAMMBkNOLTAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAO3lmplQ9Q6PmYw1JMsr9NS5KKnqZAWuz7/En+R0J+b2hUXfuUUz4D2x
CYqvNY6M4YSybi+khjZ2ON2ImFd61VvYMZ/46PENqNQ7o5taj9oJ8KiNrWtDIMt/
e0KNFly5HP8YYFJ2LOwj6ppS8xA+YFmYN0g6KU9UXOD0zpC2OAriVg8mSC2duUPl
4ZGl2MXkvYK46zTWGGuh/BMNWqPvUpOvB92xytPetEwUNoaFap2F7wf52ZR3g3I7
SuReBSSCH89h8ScKffQhYma7uksnQ4pxOfzKGyEexW7vpTX8lPNUzhlHsIlt7Cd1
mvutKahgBQSdP76okYbki1WZIWb4nTcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB
AQCaOk5EFYcnQOt+sKLTV+CK67lcffqEd3u11pLgrikAOjKEQ/KijYUNrtCbrn+V
qx+EHhQTQJ/H5QCk7D9WOv8sBHV/JBtCGVxM8pxJ7t/6dRVrTpz22hcYRRjULhzx
YQj95fncYJ4Kjcd9vwWIdIUSBpdLk7L4nQqMUCuEhUGOzCSURZcprzqb2i2lLer6
en6JVE9BPKmWuCajl+VbrmVjsgGkcF7oTjFLbkBNP5vKYrpVWxZXa0gQ599FpvfF
re5/4ILr49X6MJIDz/XX3zdaoVyXonQ+MtcjYHHmtdodu7tD5TVS7PuR7l2fjtT5
+r7JGNl/6kGJMj4c9Zx6Mjy2
-----END CERTIFICATE REQUEST-----'

Certificate Issuance

  • Upon verifying the client’s identity and the integrity of the CSR, Device Trust Manager processes the certificate request.

  • If the request is valid, the Device Trust Manager issues a certificate for the client.

  • If the client had requested server-side generated keys, the response would include the private key along with the issued certificate, securely transmitted back to the client over the encrypted session.

Device Trust Manager Response

  • Device Trust Manager responds with a signed X.509 certificate, which is delivered to the client via the EST protocol. If the client had requested server-side generated keys, the response would also include the private key.

  • The client can then store the certificate and use it for secure communications.

Re-enrollment endpoint

Re-enrollment uses a dedicated EST endpoint (/simplereenroll) that exists specifically for renewing existing certificates.

EST re-enroll endpoint URL

  1. Navigate to Certificate Management > Certificate Management Policies.

  2. Click the name of the Certificate Management Policy you configured for EST.

  3. Navigate to the EST section of the Certificate Management Policy details page.

  4. Search for “Re-enroll” endpoint.

    Note

    If you are using a Device Group with the Certificate Management Policy, then the Device Group ID is added to the end of the URL.

Authentication

For re-enrollment, the client must present the certificate that is due for renewal as an authentication certificate in the request.

CSR submission

The client still submits a CSR during the re-enrollment process. However, all identity fields within the CSR (such as the Distinguished Name and Subject Alternative Names) are ignored. This is because the renewed certificate must maintain the same identity as the original certificate being renewed.

Certificate updates

The primary changes that occur during re-enrollment include the assignment of a new certificate serial number and the establishment of new validity dates (start and end) for the renewed certificate.

The following is a sample curl re-enrollment request using certificate authentication. The certificate presented for authentication must be the certificate you are renewing:

curl --key client.key --cert client.crt --location -X POST -v 'https://clientauth.one.digicert.com/.well-known/est/cps/IOT_33fd0b45-3188-45ed-9458-6cedc8ccf509/simplereenroll' \
  --header 'Content-Type: text/plain' \
  --data '-----BEGIN CERTIFICATE REQUEST-----
MIICfjCCAWYCAQAwOTELMAkGA1UEBhMCVVMxCzAJBgNVBAoMAkRDMQwwCgYDVQQL
DANJb1QxDzANBgNVBAMMBkNOLTAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAO3lmplQ9Q6PmYw1JMsr9NS5KKnqZAWuz7/En+R0J+b2hUXfuUUz4D2x
CYqvNY6M4YSybi+khjZ2ON2ImFd61VvYMZ/46PENqNQ7o5taj9oJ8KiNrWtDIMt/
e0KNFly5HP8YYFJ2LOwj6ppS8xA+YFmYN0g6KU9UXOD0zpC2OAriVg8mSC2duUPl
4ZGl2MXkvYK46zTWGGuh/BMNWqPvUpOvB92xytPetEwUNoaFap2F7wf52ZR3g3I7
SuReBSSCH89h8ScKffQhYma7uksnQ4pxOfzKGyEexW7vpTX8lPNUzhlHsIlt7Cd1
mvutKahgBQSdP76okYbki1WZIWb4nTcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB
AQCaOk5EFYcnQOt+sKLTV+CK67lcffqEd3u11pLgrikAOjKEQ/KijYUNrtCbrn+V
qx+EHhQTQJ/H5QCk7D9WOv8sBHV/JBtCGVxM8pxJ7t/6dRVrTpz22hcYRRjULhzx
YQj95fncYJ4Kjcd9vwWIdIUSBpdLk7L4nQqMUCuEhUGOzCSURZcprzqb2i2lLer6
en6JVE9BPKmWuCajl+VbrmVjsgGkcF7oTjFLbkBNP5vKYrpVWxZXa0gQ599FpvfF
re5/4ILr49X6MJIDz/XX3zdaoVyXonQ+MtcjYHHmtdodu7tD5TVS7PuR7l2fjtT5
+r7JGNl/6kGJMj4c9Zx6Mjy2
-----END CERTIFICATE REQUEST-----'
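As an added example that is not DigiCert's code (the TrustCore SDK and TrustEdge clients are separate), the following standard-library Python helpers cover both the enrollment requests above and this re-enrollment request: they build the endpoint URL and passcode header, send a PEM CSR the way the curl commands do (with client certificate and key for certificate authentication and re-enrollment), and unpack the PKCS#7 and serverkeygen responses. The host, the placement of the device group ID in the URL, and the Basic-auth username form are assumptions to confirm against the EST section of your policy.

```python
"""EST client helpers for Device Trust Manager, stdlib only (added example, not DigiCert code)."""
import base64
import ssl
import urllib.request
from email import message_from_bytes

# Endpoints listed on this page; host and device-group placement are assumptions.
EST_OPERATIONS = ("simpleenroll", "simplereenroll", "cacerts", "csrattrs", "serverkeygen")

def est_url(policy_id, operation, device_group_id=None, host="one.digicert.com"):
    """Build https://<host>/.well-known/est/cps/<policy>/<op>[/<device group id>]."""
    if operation not in EST_OPERATIONS:
        raise ValueError(f"unsupported EST operation: {operation}")
    url = f"https://{host}/.well-known/est/cps/{policy_id}/{operation}"
    return f"{url}/{device_group_id}" if device_group_id else url

def basic_auth_header(username, passcode):
    """RFC 7617 Basic header for passcode authentication; which username (if any)
    your authentication policy expects is an assumption to confirm in the console."""
    token = base64.b64encode(f"{username}:{passcode}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def pkcs7_to_pem(body):
    """simpleenroll, simplereenroll and cacerts return a base64 PKCS#7 certs-only blob
    (RFC 7030); re-wrap it as PEM so `openssl pkcs7 -print_certs` can read it.
    validate=True rejects anything that is not clean base64 (e.g. an HTML error page)."""
    if isinstance(body, bytes):
        body = body.decode("ascii")
    der = base64.b64decode("".join(body.split()), validate=True)
    return "-----BEGIN PKCS7-----\n" + base64.encodebytes(der).decode() + "-----END PKCS7-----\n"

def split_serverkeygen(content_type, body):
    """serverkeygen answers multipart/mixed: an application/pkcs8 part (the server-generated
    private key, the page's server-side keypair option) and an application/pkcs7-mime part."""
    msg = message_from_bytes(f"Content-Type: {content_type}\r\n\r\n".encode() + body)
    parts = {p.get_content_type(): p.get_payload(decode=True)
             for p in msg.walk() if not p.is_multipart()}
    return parts["application/pkcs8"], parts["application/pkcs7-mime"]

def enroll(url, csr_pem, headers=None, client_cert=None, client_key=None, timeout=30):
    """POST the PEM CSR as the page's curl examples do (Content-Type: text/plain).
    Pass client_cert/client_key for certificate authentication and for simplereenroll,
    where the certificate presented must be the one being renewed."""
    ctx = ssl.create_default_context()  # verifies the server chain and hostname
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    req = urllib.request.Request(url, data=csr_pem.encode(), method="POST",
                                 headers={"Content-Type": "text/plain", **(headers or {})})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()
```

Feed the body returned by enroll() to pkcs7_to_pem() for simpleenroll and simplereenroll, or to split_serverkeygen() together with the returned Content-Type for serverkeygen.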