Persona workflow

trustedge certificate est

Usage: est [Options]

TrustEdge Certificate EST Mode

Generic Options:
  -h, --help            Display this help menu
  --log-level           Verbosity level of the message logs
                        Possible values are [NONE | ERROR | WARNING | DEBUG | INFO | VERBOSE]
                        (Default is applied through the trustedge configuration)
  -k, --key-store-path  Path to the keystore used for both input and output files
                        (Default is applied through the trustedge configuration or is ".")

Key Generation Options:
  -a, --algorithm       Crypto algorithm type
                        Possible values are [ECC | RSA]
  -t, --tap                [Optional] Generate a hardware-based TAP key (provider selected with --tap-provider, TPM2 by default)
                           If omitted, a software-based key is generated
  -tpr, --tap-provider     [Optional] TAP provider
                           Possible values are [PKCS11 | TPM2]. (Default is TPM2)
  -tm, --tap-modnum        [Optional] TAP module to use. (Default is 1)
  -tku, --tap-key-usage    [Optional] TAP key usage
                           Possible values are
                           TAP_KEY_USAGE_GENERAL
                           TAP_KEY_USAGE_SIGNING
                           TAP_KEY_USAGE_DECRYPT
                           TAP_KEY_USAGE_ATTESTATION
                           (Default is TAP_KEY_USAGE_GENERAL)
  -tss, --tap-sig-scheme   [Optional] TAP key signing scheme
                           Possible values are
                           TAP_SIG_SCHEME_NONE
                           TAP_SIG_SCHEME_PKCS1_5
                           TAP_SIG_SCHEME_PKCS1_5_SHA1
                           TAP_SIG_SCHEME_PKCS1_5_SHA256
                           TAP_SIG_SCHEME_PKCS1_5_DER
                           TAP_SIG_SCHEME_PSS_SHA1
                           TAP_SIG_SCHEME_PSS_SHA256
                           TAP_SIG_SCHEME_ECDSA_SHA1
                           TAP_SIG_SCHEME_ECDSA_SHA224
                           TAP_SIG_SCHEME_ECDSA_SHA256
                           TAP_SIG_SCHEME_ECDSA_SHA384
                           TAP_SIG_SCHEME_ECDSA_SHA512
                           (Default is TAP_SIG_SCHEME_NONE)
  -tes, --tap-enc-scheme   [Optional] TAP key encryption scheme
                           Possible values are
                           TAP_ENC_SCHEME_NONE
                           TAP_ENC_SCHEME_PKCS1_5
                           TAP_ENC_SCHEME_OAEP_SHA1
                           TAP_ENC_SCHEME_OAEP_SHA256
                           (Default is TAP_ENC_SCHEME_NONE)
  -c, --curve           [Required for ECC] Elliptic curve type
                        Possible values are [P224 | P256 | P384 | P521 | CURVE25519 | CURVE448]
  -s, --size            [Required for RSA] Key size
                        Possible values are in the range [2048 - 8192] and must be a multiple of 128

Certificate Generation Options:
  -i, --csr-conf        [Required] CSR configuration file name
                        File must be in "conf" folder under the keystore directory.

EST Options:
  -host, --estc-server-dn                [Required] The EST server's DNS name (FQDN)
  -url, --estc-server-url                [Required] The EST operation URL path; groupid and policyid stand for the
                                         server's own path labels. Possible values are
                                             /.well-known/est/groupid/policyid/cacerts
                                             /.well-known/est/groupid/policyid/simpleenroll
                                             /.well-known/est/groupid/policyid/simplereenroll
                                             /.well-known/est/groupid/policyid/serverkeygen
                                             /.well-known/est/groupid/policyid/fullcmc
                                             /.well-known/est/groupid/policyid/csrattrs
  -user, --estc-user                     [Optional] The HTTP authentication username
  -pass, --estc-pass                     [Required] The HTTP authentication password
  -ip, --estc-server-ip                  [Optional] The EST server's IP address
                                         If provided, DNS resolution of the server's FQDN will be skipped
  -port, --estc-server-port              [Optional] The EST server's listening port
  -noverify, --estc-disable-ca-cert      [Optional] Flag to disable validating the issued certificate against the certificate store
                                         Skips the trust check on the returned certificate; avoid outside test setups
  -extattr, --estc-ext-attrs-conf        [Optional] Config file containing Extended CSR attributes
                                         File must be in "conf" folder under the keystore directory.
  -hash, --estc-digest-algo              [Optional] Digest algorithm to use
                                         Possible values are  [SHA1 | SHA224 | SHA256 | SHA384 | SHA512]
  -mtls, --estc-tls-cert                 [Optional] Alias of mutual authentication key and certificate
                                         Key must be in "keys" folder and certificate must be in "certs" folder
  -caprefix, --estc-cacerts-alias        [Optional] Alias of EST CA certificates
                                         This alias will be prepended to the truncated sha1 fingerprint of the downloaded certificates
  -rkalias, --estc-rekey-alias           [Optional] Alias of rekey in the cert store (used with FullCMC rekey or simplereenroll operation)
                                         In case of FullCMC, file must be in "keys" folder under the keystore directory.
  -rktype, --estc-rekey-type             [Optional] Rekey type (used with FullCMC re-key operation). Possible values are [RSA | ECDSA]
  -rksize, --estc-rekey-size             [Optional] Rekey size (used with FullCMC re-key operation)
  -renewdays, --estc-renew-window        [Optional] Number of days to check against the certificate when performing a renew, rekey
                                         or simplereenroll operation. If the certificate is expired or if the certificate
                                         will expire within the number of days specified then the renew, rekey, or
                                         simplereenroll is performed. Maximum window is 0 days
  -psk, --estc-psk-alias                 [Optional] Pre-shared key to load in cert store
                                         File must be in "psks" folder under the keystore directory with no whitespaces in the name
  -skgcrt, --estc-skg-client-cert        [Optional] Client certificate to load in cert store (used with ServerKeyGen operation)
                                         File must be in "certs" folder under the keystore directory
  -skgkey, --estc-skg-client-key         [Optional] Client key to load in cert store (used with ServerKeyGen operation)
                                         File must be in "keys" folder under the keystore directory
  -skgalg, --estc-skg-algorithm          [Optional] Encryption algorithm used for ServerKeyGen operation
                                         Possible values are [aes192 | 3des]
  -cmcreq, --estc-full-cmc-req-type      [Optional] FullCMC operation type. Possible values are [enroll | renew | rekey]
  -inlinecrt, --estc-renew-inline-cert   [Optional] Whether to add old certificate in renew CSR
                                          1 - Add old certificate in CSR
                                          0 - Don't add old certificate in CSR


Output Options:
  -ka, --key-alias      [Optional] Alias for keys, certs and files placed in the keystore. (Default is GenKey)
                        In case of FullCMC and simplereenroll, key alias to be used for CSR signing
                        Key must be in "keys" folder and certificate must be in "certs" folder
  -p12, --pkcs12          [Optional] Output a PKCS12 file with the issued key and certificate
                             0 - Do not output a PKCS12 file (Default)
                             1 - Generate PKCS12 file
  -p12e, --pkcs12-encryption-type [Optional] Encryption type for PKCS12 file
                                  Possible values are
                                  sha_3des
                                  sha_rc4_40
                                  sha_rc4_128
                                  (Default is sha_3des)
                                  The rc4 types are legacy, weak PKCS12 ciphers (rc4_40 is export-grade); prefer sha_3des
  -p12i, --pkcs12-integrity-pw    [Optional] Provide integrity password for PKCS12 file. Only used when -p12/--pkcs12
                                  is provided (must be at least 4 characters). It will generate a PKCS12 file with a mac
  -p12p, --pkcs12-privacy-pw      [Optional] Provide privacy password for PKCS12 file. Only used when -p12/--pkcs12
                                  is provided (must be at least 4 characters). It will protect any data output to the pkcs12 file
  -p12k, --pkcs12-key-pw          [Optional] Provide private key password for keys stored in the PKCS12 file. Only used when
                                  -p12/--pkcs12 is provided (must be at least 4 characters). It will protect the private key
                                  stored in the PKCS12 file.
  -p, --protect         [Optional] Provide PKCS8 password to protect the new TAP or software key
  -p8a, --pkcs8-enc-alg [Optional] PKCS8 encryption algorithm. Only used when -p/--protect is provided
                        Possible values are
                        p5_v1_sha1_des
                        p5_v1_md5_des
                        p5_v2_3des
                        p5_v2_des
                        p5_v2_aes128
                        p5_v2_aes192
                        p5_v2_aes256
                        (Default is p5_v2_aes256)
                        The p5_v1 and DES/3DES options are legacy PBES algorithms; keep the AES default unless an old consumer requires otherwise
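The following is an added example, not TrustEdge's own code or documentation. It strings the options above into the usual device lifecycle: fetch the CA chain (cacerts), enroll a TPM2-resident P-256 key (simpleenroll), then re-enroll under the same alias (simplereenroll). Everything beyond the documented flags is assumed: the server name est.example.com, the path labels iot (groupid) and device (policyid), the keystore path, the CSR config file device.conf, the aliases device and est-ca, and the use of the enrolled alias for mutual TLS during re-enrollment. The script prints each command first (DRY_RUN=1) so an operator can review it before a TPM key is created or a CA is contacted.

```shell
#!/bin/sh
# Added example (not part of TrustEdge): bootstrap, enroll and re-enroll a device
# certificate with "trustedge certificate est", using only the options listed above.
# Assumed values (not from the page): server FQDN, groupid/policyid labels, keystore
# path, CSR config name and aliases.
set -eu

KEYSTORE="${KEYSTORE:-/var/lib/trustedge/keystore}"   # assumed keystore location
EST_HOST="${EST_HOST:-est.example.com}"               # assumed EST server FQDN
EST_BASE="/.well-known/est/iot/device"                # assumed groupid=iot, policyid=device
DRY_RUN="${DRY_RUN:-1}"                               # 1: print the command, 0: execute it

# Print or execute a command. Printing first lets an operator review the exact
# invocation; note that the dry run prints the HTTP password as it would be passed.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s ' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# Step 1: download the CA chain. Certificates land in the keystore under the alias
# prefix est-ca followed by the truncated SHA-1 fingerprint.
est_cacerts() {
  run trustedge certificate est -k "$KEYSTORE" -host "$EST_HOST" \
    -url "$EST_BASE/cacerts" -caprefix est-ca
}

# Step 2: generate a TPM2-resident P-256 signing key and enroll it. The HTTP
# password is read from the environment instead of being hard-coded in the script
# (it is still visible in the process list while trustedge runs).
est_enroll() {
  : "${EST_PASS:?set EST_PASS to the EST HTTP password}"
  run trustedge certificate est -k "$KEYSTORE" -host "$EST_HOST" \
    -url "$EST_BASE/simpleenroll" \
    -a ECC -c P256 -t -tpr TPM2 \
    -tku TAP_KEY_USAGE_SIGNING -tss TAP_SIG_SCHEME_ECDSA_SHA256 \
    -i device.conf -hash SHA256 -ka device \
    -user "${EST_USER:-device}" -pass "$EST_PASS"
}

# Step 3: re-enroll under the existing alias. The enrolled key signs the CSR and
# the current certificate is presented over mutual TLS (assumed deployment policy).
est_reenroll() {
  run trustedge certificate est -k "$KEYSTORE" -host "$EST_HOST" \
    -url "$EST_BASE/simplereenroll" \
    -i device.conf -hash SHA256 -ka device -mtls device
}

est_workflow() {
  est_cacerts
  est_enroll
  est_reenroll
}

# Usage: EST_PASS=... DRY_RUN=1 sh est-workflow.sh run   (review the commands)
#        EST_PASS=... DRY_RUN=0 sh est-workflow.sh run   (execute them)
if [ "${1:-}" = "run" ]; then
  est_workflow
fi
```

Run the dry run first and check the printed -url, -host and key options; only then rerun with DRY_RUN=0, since the TPM key created by step 2 is bound to the module and cannot be regenerated by hand.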
