
Working with EST

Enrollment over Secure Transport (EST, RFC 7030) is a widely used protocol for certificate issuance and renewal. It is designed to securely issue and manage certificates for devices and applications over HTTPS, and it gives devices a defined mechanism for requesting, renewing, and retrieving certificates. TLS (Transport Layer Security) protects the confidentiality and integrity of the communication between the client and the certificate authority (CA).

Device Trust Manager supports the following EST endpoints:

  • /simpleenroll

  • /simplereenroll

  • /cacerts

  • /csrattrs

  • /serverkeygen

Both TrustCore SDK and TrustEdge include an EST client that works with Device Trust Manager.

Before you begin

Configure EST

Perform the following steps to configure EST:

  1. Create an authentication policy and add authentication credentials to it. See Create an authentication policy and Add credentials to an authentication policy for detailed procedures.

  2. Create a certificate management policy. See Create a certificate management policy for a detailed procedure.

  3. Select the Authentication Policy you created earlier from the dropdown field. This Authentication Policy will be used to verify the credentials used by the EST client when it communicates with Device Trust Manager’s EST service.

  4. Choose EST from the Certificate management methods.

  5. Click Next to navigate to the Certificate settings page.

  6. Select a certificate profile from the dropdown list.

    A certificate profile is the configuration of essential settings for certificate issuance based on a certificate template. It sets default values for subject distinguished names, how these values are provided, and the certificate validity period, and it also defines the certificate extension behaviour.

  7. Select an issuing CA from the dropdown field.

    This will be the issuing CA that signs the certificates issued using this certificate management policy.

  8. Select a keypair generation option.

    Choose whether the private key is generated on the device, or generated on the server side and passed to the device in the response to the EST certificate request.

  9. Click Next to proceed to the Usage Restrictions page.

    • Allowed IP addresses: Toggle on to restrict which IP addresses are permitted to request certificates, then enter each permitted single IP address, IP address range, or wildcard IP address.

    • Operational hours: Toggle to set the operational hours by choosing a Time zone and defining the Hours during which certificate requests are allowed.

    • Operational dates: Toggle to set a start date (Valid from) and an end date (Valid to) for when the certificate management policy can be used.

  10. Click Finish to complete the certificate management policy.

Set up a Device Group

If you selected This certificate management policy will always be used with a device group during the setup of the Certificate Management Policy, then you must link the Certificate Management Policy to a device group and map one of the certificate fields to the device’s identity.

  1. Select Device management > Device groups.

  2. Click the name of a device group to view the Device group details.

  3. Select the Certificate Management Policy tab.

  4. Click Assign certificate management policy.

  5. Select whether the certificate management policy is for issuing a bootstrap certificate or an operational certificate.

  6. Enter a name for the assignment of the certificate management policy to this device group.

Obtain the EST endpoint

Perform the following steps to obtain the EST endpoint for use with an EST client.

  1. Under Certificate Management > Certificate Management Policies, click the name of the Certificate Management Policy you configured for EST.

  2. Navigate to the EST section of the Certificate Management Policy details page.

  3. Search for the “Enroll” endpoint.

Note that if you are using a Device Group with the Certificate Management Policy, then the Device Group ID is added to the end of the URL.

Use EST

Now that you have the EST endpoint and authentication method (enrollment passcode or authentication certificate), you can use them to perform an EST enrollment.

Both TrustCore SDK and TrustEdge include an EST client that works with Device Trust Manager.

Alternatively, you can use curl to test the EST enrollment process, as shown in the following sections.

EST Enrollment Request

The client sends an enrollment request to Device Trust Manager’s EST service over a secure HTTPS connection. The request includes the authentication information (passcode or client certificate) and a CSR; the CSR is required regardless of whether the client or Device Trust Manager is configured to generate the private key.

The following is a sample curl enrollment with passcode authentication:

curl --location -X POST 'https://one.digicert.com/.well-known/est/cps/IOT_33fd0b45-3188-45ed-9458-6cedc8ccf509/simpleenroll' \
  --header 'Authorization: Basic d1R2UXRrVUdjVTgxQWhWbW9kR0U=' \
  --header 'Content-Type: text/plain' \
  --data '-----BEGIN CERTIFICATE REQUEST-----
MIICfjCCAWYCAQAwOTELMAkGA1UEBhMCVVMxCzAJBgNVBAoMAkRDMQwwCgYDVQQL
DANJb1QxDzANBgNVBAMMBkNOLTAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAO3lmplQ9Q6PmYw1JMsr9NS5KKnqZAWuz7/En+R0J+b2hUXfuUUz4D2x
CYqvNY6M4YSybi+khjZ2ON2ImFd61VvYMZ/46PENqNQ7o5taj9oJ8KiNrWtDIMt/
e0KNFly5HP8YYFJ2LOwj6ppS8xA+YFmYN0g6KU9UXOD0zpC2OAriVg8mSC2duUPl
4ZGl2MXkvYK46zTWGGuh/BMNWqPvUpOvB92xytPetEwUNoaFap2F7wf52ZR3g3I7
SuReBSSCH89h8ScKffQhYma7uksnQ4pxOfzKGyEexW7vpTX8lPNUzhlHsIlt7Cd1
mvutKahgBQSdP76okYbki1WZIWb4nTcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB
AQCaOk5EFYcnQOt+sKLTV+CK67lcffqEd3u11pLgrikAOjKEQ/KijYUNrtCbrn+V
qx+EHhQTQJ/H5QCk7D9WOv8sBHV/JBtCGVxM8pxJ7t/6dRVrTpz22hcYRRjULhzx
YQj95fncYJ4Kjcd9vwWIdIUSBpdLk7L4nQqMUCuEhUGOzCSURZcprzqb2i2lLer6
en6JVE9BPKmWuCajl+VbrmVjsgGkcF7oTjFLbkBNP5vKYrpVWxZXa0gQ599FpvfF
re5/4ILr49X6MJIDz/XX3zdaoVyXonQ+MtcjYHHmtdodu7tD5TVS7PuR7l2fjtT5
+r7JGNl/6kGJMj4c9Zx6Mjy2
-----END CERTIFICATE REQUEST-----'

The following is a sample curl enrollment with certificate authentication:

curl --key client.key --cert client.crt --location -X POST -v 'https://clientauth.one.digicert.com/.well-known/est/cps/IOT_33fd0b45-3188-45ed-9458-6cedc8ccf509/simpleenroll' \
  --header 'Content-Type: text/plain' \
  --data '-----BEGIN CERTIFICATE REQUEST-----
MIICfjCCAWYCAQAwOTELMAkGA1UEBhMCVVMxCzAJBgNVBAoMAkRDMQwwCgYDVQQL
DANJb1QxDzANBgNVBAMMBkNOLTAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAO3lmplQ9Q6PmYw1JMsr9NS5KKnqZAWuz7/En+R0J+b2hUXfuUUz4D2x
CYqvNY6M4YSybi+khjZ2ON2ImFd61VvYMZ/46PENqNQ7o5taj9oJ8KiNrWtDIMt/
e0KNFly5HP8YYFJ2LOwj6ppS8xA+YFmYN0g6KU9UXOD0zpC2OAriVg8mSC2duUPl
4ZGl2MXkvYK46zTWGGuh/BMNWqPvUpOvB92xytPetEwUNoaFap2F7wf52ZR3g3I7
SuReBSSCH89h8ScKffQhYma7uksnQ4pxOfzKGyEexW7vpTX8lPNUzhlHsIlt7Cd1
mvutKahgBQSdP76okYbki1WZIWb4nTcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB
AQCaOk5EFYcnQOt+sKLTV+CK67lcffqEd3u11pLgrikAOjKEQ/KijYUNrtCbrn+V
qx+EHhQTQJ/H5QCk7D9WOv8sBHV/JBtCGVxM8pxJ7t/6dRVrTpz22hcYRRjULhzx
YQj95fncYJ4Kjcd9vwWIdIUSBpdLk7L4nQqMUCuEhUGOzCSURZcprzqb2i2lLer6
en6JVE9BPKmWuCajl+VbrmVjsgGkcF7oTjFLbkBNP5vKYrpVWxZXa0gQ599FpvfF
re5/4ILr49X6MJIDz/XX3zdaoVyXonQ+MtcjYHHmtdodu7tD5TVS7PuR7l2fjtT5
+r7JGNl/6kGJMj4c9Zx6Mjy2
-----END CERTIFICATE REQUEST-----'

Certificate Issuance

  • Upon verifying the client’s identity and the integrity of the CSR, Device Trust Manager processes the certificate request.

  • If the request is valid, Device Trust Manager issues a certificate for the client.

  • If the client requested server-side key generation, the response includes the private key along with the issued certificate, returned to the client over the encrypted session.

Device Trust Manager Response

  • Device Trust Manager responds with a signed X.509 certificate, which is delivered to the client via the EST protocol. If the client requested server-side key generation, the response also includes the private key.

  • The client can then store the certificate and use it for secure communications.

Re-enrollment endpoint

Re-enrollment uses a dedicated EST endpoint (/simplereenroll) that exists specifically for renewing existing certificates.

EST re-enroll endpoint URL

  1. Navigate to Certificate Management > Certificate Management Policies.

  2. Click the name of the Certificate Management Policy you configured for EST.

  3. Navigate to the EST section of the Certificate Management Policy details page.

  4. Search for the “Re-enroll” endpoint.

    Note

    If you are using a Device Group with the Certificate Management Policy, then the Device Group ID is added to the end of the URL.

Authentication

For re-enrollment, the client must present the certificate that is due for renewal as an authentication certificate in the request.

CSR submission

The client still submits a CSR during the re-enrollment process. However, all identity fields within the CSR (such as the Distinguished Name and Subject Alternative Names) are ignored. This is because the renewed certificate must maintain the same identity as the original certificate being renewed.

Certificate updates

The changes made during re-enrollment are the assignment of a new certificate serial number and new validity dates (start and end) for the renewed certificate.

The following is a sample curl re-enrollment using certificate authentication. The certificate used for authentication must be the certificate you are renewing:

curl --key client.key --cert client.crt --location -X POST -v 'https://clientauth.one.digicert.com/.well-known/est/cps/IOT_33fd0b45-3188-45ed-9458-6cedc8ccf509/simplereenroll' \
  --header 'Content-Type: text/plain' \
  --data '-----BEGIN CERTIFICATE REQUEST-----
MIICfjCCAWYCAQAwOTELMAkGA1UEBhMCVVMxCzAJBgNVBAoMAkRDMQwwCgYDVQQL
DANJb1QxDzANBgNVBAMMBkNOLTAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAO3lmplQ9Q6PmYw1JMsr9NS5KKnqZAWuz7/En+R0J+b2hUXfuUUz4D2x
CYqvNY6M4YSybi+khjZ2ON2ImFd61VvYMZ/46PENqNQ7o5taj9oJ8KiNrWtDIMt/
e0KNFly5HP8YYFJ2LOwj6ppS8xA+YFmYN0g6KU9UXOD0zpC2OAriVg8mSC2duUPl
4ZGl2MXkvYK46zTWGGuh/BMNWqPvUpOvB92xytPetEwUNoaFap2F7wf52ZR3g3I7
SuReBSSCH89h8ScKffQhYma7uksnQ4pxOfzKGyEexW7vpTX8lPNUzhlHsIlt7Cd1
mvutKahgBQSdP76okYbki1WZIWb4nTcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB
AQCaOk5EFYcnQOt+sKLTV+CK67lcffqEd3u11pLgrikAOjKEQ/KijYUNrtCbrn+V
qx+EHhQTQJ/H5QCk7D9WOv8sBHV/JBtCGVxM8pxJ7t/6dRVrTpz22hcYRRjULhzx
YQj95fncYJ4Kjcd9vwWIdIUSBpdLk7L4nQqMUCuEhUGOzCSURZcprzqb2i2lLer6
en6JVE9BPKmWuCajl+VbrmVjsgGkcF7oTjFLbkBNP5vKYrpVWxZXa0gQ599FpvfF
re5/4ILr49X6MJIDz/XX3zdaoVyXonQ+MtcjYHHmtdodu7tD5TVS7PuR7l2fjtT5
+r7JGNl/6kGJMj4c9Zx6Mjy2
-----END CERTIFICATE REQUEST-----'
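The following Python script is an added example, not part of this page and not DigiCert, TrustCore SDK or TrustEdge code. It covers two steps described above: decoding the body that the enroll and re-enroll endpoints return, which per RFC 7030 section 4.2.3 is a base64 certs-only CMS (PKCS#7) SignedData structure, and checking a renewed certificate against the one it replaces for the properties this page states about re-enrollment (identity unchanged, new serial number, new validity dates). It uses only the standard library, with its own minimal DER reader, and the certificates and EST response it parses are constructed stand-ins built inline so it runs offline. `basic_auth_header` reproduces the form of the Authorization header in the passcode sample above (base64 of the passcode alone, with no user:password colon); that the issued passcode is passed through verbatim is an assumption. All function names are this example's own.

```python
"""Helpers for EST responses and re-enrollment checks; added example, not DigiCert/TrustCore/TrustEdge code."""
import base64
from datetime import datetime, timezone

OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # id-signedData 1.2.840.113549.1.7.2
OID_ID_DATA = bytes.fromhex("2A864886F70D010701")      # id-data       1.2.840.113549.1.7.1

def der(tag, body):
    """Encode one definite-length DER TLV (long-form length when body >= 128 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(value):
    """Split constructed DER content into (tag, content, raw_tlv) triples; rejects indefinite lengths."""
    out, pos = [], 0
    while pos < len(value):
        tag, first = value[pos], value[pos + 1]
        if first == 0x80:
            raise ValueError("indefinite length is not DER")
        nlen = 0 if first < 0x80 else first & 0x7F
        length = first if nlen == 0 else int.from_bytes(value[pos + 2:pos + 2 + nlen], "big")
        start, end = pos + 2 + nlen, pos + 2 + nlen + length
        if end > len(value):
            raise ValueError("TLV runs past end of buffer")
        out.append((tag, value[start:end], value[pos:end]))
        pos = end
    return out

def basic_auth_header(passcode):
    """Form of this page's passcode sample: base64 of the passcode alone, no 'user:password' colon (assumption)."""
    return "Basic " + base64.b64encode(passcode.encode()).decode()

def certificates_from_est_response(body):
    """Enroll/re-enroll responses are base64 certs-only CMS SignedData (RFC 7030 4.2.3); return each cert's DER."""
    ci = children(base64.b64decode(b"".join(body.split())))[0]   # tolerate line-wrapped base64
    oid, content = children(ci[1])[:2]
    if ci[0] != 0x30 or oid[:2] != (0x06, OID_SIGNED_DATA) or content[0] != 0xA0:
        raise ValueError("not a CMS SignedData response")
    signed_data = children(content[1])[0]
    certs = []
    for tag, val, _raw in children(signed_data[1]):
        if tag == 0xA0:                                           # [0] IMPLICIT certificates
            certs += [raw for ctag, _, raw in children(val) if ctag == 0x30]  # Certificate choice only
    return certs

def _time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                                  # UTCTime YYMMDDHHMMSSZ; YY >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                                # otherwise GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def certificate_fields(cert_der):
    """Serial number, validity and raw subject Name of an RFC 5280 certificate."""
    tbs = children(children(cert_der)[0][1])[0]
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _alg, _issuer, validity, subject = fields[:5]
    not_before, not_after = children(validity[1])
    return {"serial": int.from_bytes(serial[1], "big", signed=True),
            "not_before": _time(not_before[0], not_before[1]),
            "not_after": _time(not_after[0], not_after[1]),
            "subject": subject[2]}                   # raw DER Name, compared byte-for-byte

def check_renewal(old_der, new_der):
    """Problems with a re-enrolled certificate per this page: same identity, new serial, new validity dates."""
    old, new = certificate_fields(old_der), certificate_fields(new_der)
    checks = [(new["subject"] != old["subject"], "subject changed"),
              (new["serial"] == old["serial"], "serial number not renewed"),
              (new["not_after"] <= old["not_after"], "validity not extended")]
    return [msg for failed, msg in checks if failed]

# Constructed stand-ins below: not real certificates and not a real Device Trust Manager reply.
def _int(n):
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def _name(cn):  # Name ::= SEQUENCE { SET { commonName (2.5.4.3) = cn } }
    return der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))))

def fake_certificate(serial, cn, not_before, not_after):
    """Stand-in with the RFC 5280 field layout; the key and signature bytes are dummies."""
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))  # sha256WithRSA
    rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))      # rsaEncryption
    tbs = der(0x30, der(0xA0, _int(2)) + _int(serial) + sig_alg + _name("Test Issuing CA")
              + der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
              + _name(cn) + der(0x30, rsa + der(0x03, b"\x00" * 9)))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 17))

def fake_est_response(*cert_ders):
    """Wrap certificates as certs-only SignedData and base64 it, the way an EST server does."""
    sd = der(0x30, _int(1) + der(0x31, b"") + der(0x30, der(0x06, OID_ID_DATA))
             + der(0xA0, b"".join(cert_ders)) + der(0x31, b""))
    return base64.encodebytes(der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, sd)))
```

With a live deployment, the response body written by one of the curl commands above can be passed straight to `certificates_from_est_response`, and `check_renewal(old_cert_der, new_cert_der)` compared against the certificate that authenticated the re-enroll request; an empty list means the renewed certificate kept its identity while receiving a new serial number and a later expiry. Only the plain Certificate choice of the certificates set is collected, so any other CertificateChoices entries are skipped rather than misread as certificates.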
