Configure and use EST
To perform this action, you must have a user role that contains the Solution administrator permission.
Enrollment over Secure Transport (EST) is a popular protocol for certificate issuance and renewal. EST (RFC 7030) is a certificate management protocol designed to securely issue and manage certificates for devices and applications over HTTPS. EST simplifies the process of enrolling devices for digital certificates, providing a robust mechanism for requesting, renewing, and retrieving certificates. This protocol ensures the confidentiality and integrity of the communication between the client and the certificate authority (CA) using TLS (Transport Layer Security).
DigiCert® Device Trust Manager supports the following EST endpoints:
/simpleenroll
/simplereenroll
/cacerts
/csrattrs
/serverkeygen
For more information on EST, see Enrollment over Secure Transport (EST).
Before you begin
Before configuring EST in Device Trust Manager, contact your DigiCert account representative to set up your account.
A DigiCert system administrator must configure a Root CA and an Intermediate CA in the DigiCert® Private CA. You must also have a certificate template configured. If you are missing any of these, contact your DigiCert account representative.
Ensure you've reviewed the following concepts:
Configure EST
Perform the following steps to configure EST:
Create a division. See Create a division.
Create an Authentication Policy. See Create an authentication policy.
Add one of the following to your authentication policy:
Create a certificate profile. See Create a certificate profile.
Create a certificate management policy:
Note
Follow this tutorial and the configuration steps below as they are tailored for setting up EST.
In the Device Trust Manager menu, go to Certificate management > Certificate management policies.
Select Create certificate management policy to open the General settings of the certificate management policy wizard.
Provide a Name for the certificate management policy.
Choose a Division to assign the policy to.
Under Select the certificate management model, select Policy will be used for certificate issuance only. Requires an Essentials license.
From the Certificate management methods, choose EST (Enrollment over Secure Transport).
Select the Authentication policy you have created.
Select Next to proceed to the Certificate settings page.
Select an End entity certificate profile.
End entity defines the certificate structure, including subject fields, extensions, and validity period.
Select an Issuing CA from the available options.
This is the Certificate Authority that will sign the certificates issued under this policy.
Under Keypair generation settings, select Local keypair generation.
You can set whether you want the private key to be generated on the device or on the server side and passed on to the device in the response to the EST certificate request. However, for this tutorial, we will choose Local keypair generation.
Select Finish to complete the certificate management policy.
Obtain the EST enroll endpoint
Perform the following steps to obtain the EST endpoint to use with an EST client.
In the Device Trust Manager menu, go to Certificate management > Certificate management policies.
Select the EST certificate management policy you have created.
On the Certificate management policy details page, navigate to the EST section.
Under the EST section, copy the Enroll endpoint URL.
The following examples use one.digicert.com. However, your hostname may be different. See Platform IP addresses and URLs for a list of platform hostnames by region.
Passcode-based authentication:
If you are using passcode-based authentication, the EST enroll endpoint will resemble the example below:
https://one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/simpleenroll
Certificate-based authentication:
If you are using certificate-based authentication, the EST enroll endpoint must have the clientauth prefix and will resemble the example below:
https://clientauth.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/simpleenroll
Request EST
Before submitting an EST request, you must create a keypair and a CSR. For example, the following command creates an ECC P-256 keypair and a CSR.
openssl ecparam -name prime256v1 -genkey -noout -out private.pem
openssl req -new -key private.pem -out csr.pem
Both TrustCore SDK and TrustEdge include an EST client that works with Device Trust Manager.
Alternatively, you can use curl and other third-party EST clients.
The following is a sample CURL enroll using passcode-based authentication:
curl --location https://one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/simpleenroll \
  --header 'Content-Type: application/octet-stream' \
  --header 'Authorization: Basic dXNlcjpkeU1PNDdNYThDaWdwblNHR1N1Rg==' \
  --data-binary @csr.pem
Where:
--header 'Authorization: Basic dXNlcjpkeU1PNDdNYThDaWdwblNHR1N1Rg=='
is your Base64-encoded passcode. You can base64 encode your passcode with echo -n "<passcode>" | base64, replacing <passcode> with your passcode.
--data-binary
is the CSR file.
The following is a sample CURL enroll for certificate-based authentication:
curl --location https://clientauth.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/simpleenroll \
  --cert "authentication_certificate.pem" \
  --key "authentication_key.pem" \
  --header "Content-Type: application/pkcs10" \
  --data-binary @csr.pem
Where:
--cert
is the authentication certificate you have configured in the authentication policy.
--key
is the private key of the authentication certificate.
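The helpers below are an added example, not DigiCert's code or tooling. They build the enroll URL for each authentication mode and submit the CSR with curl, using the application/pkcs10 content type that RFC 7030 specifies and that the certificate-based sample above uses. The hostname and policy identifier default to the sample values on this page; the user name "user" inside the Basic credential is what the sample Authorization header on this page decodes to, and whether the service requires exactly that name is an assumption; the optional device-group form follows the device management section later on this page.

```bash
# Added example (not DigiCert's own code): EST enroll helpers for Device Trust Manager.
# Assumptions: EST_HOST and EST_POLICY_ID default to the page's sample values;
# "user" as the Basic user name is taken from decoding the page's sample header.

EST_HOST="${EST_HOST:-one.digicert.com}"
EST_POLICY_ID="${EST_POLICY_ID:-IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe}"

# est_url MODE OPERATION [DEVICE_GROUP_ID]
#   MODE      : passcode (plain hostname, HTTP Basic) or cert (clientauth. prefix, mutual TLS)
#   OPERATION : one of the EST operations Device Trust Manager supports
#   DEVICE_GROUP_ID (optional): inserts /device-group/<id> before the operation
est_url() {
  mode=$1; op=$2; group=${3:-}
  case "$mode" in
    passcode) host="$EST_HOST" ;;
    cert)     host="clientauth.$EST_HOST" ;;
    *) echo "est_url: unknown mode '$mode'" >&2; return 1 ;;
  esac
  case "$op" in
    simpleenroll|simplereenroll|cacerts|csrattrs|serverkeygen) ;;
    *) echo "est_url: unknown EST operation '$op'" >&2; return 1 ;;
  esac
  base="https://$host/.well-known/est/devicetrustmanager/$EST_POLICY_ID"
  if [ -n "$group" ]; then
    base="$base/device-group/$group"
  fi
  printf '%s/%s\n' "$base" "$op"
}

# est_basic_header PASSCODE
#   Prints the Authorization header value. HTTP Basic is base64("user:password");
#   the page's sample header decodes to "user:<passcode>", so that is what is encoded.
est_basic_header() {
  printf 'Basic %s\n' "$(printf '%s' "user:$1" | base64 | tr -d '\n')"
}

# est_simpleenroll_passcode PASSCODE CSR_FILE OUT_FILE
#   Submits CSR_FILE over TLS with HTTP Basic; the base64 PKCS#7 reply lands in OUT_FILE.
est_simpleenroll_passcode() {
  curl --fail --silent --show-error --location \
    --header 'Content-Type: application/pkcs10' \
    --header "Authorization: $(est_basic_header "$1")" \
    --data-binary "@$2" \
    --output "$3" \
    "$(est_url passcode simpleenroll)"
}

# est_simpleenroll_cert AUTH_CERT AUTH_KEY CSR_FILE OUT_FILE
#   Same request, authenticated with the client certificate from the authentication policy.
est_simpleenroll_cert() {
  curl --fail --silent --show-error --location \
    --cert "$1" --key "$2" \
    --header 'Content-Type: application/pkcs10' \
    --data-binary "@$3" \
    --output "$4" \
    "$(est_url cert simpleenroll)"
}

# Typical use against a real tenant (EST_PASSCODE is a placeholder):
#   openssl ecparam -name prime256v1 -genkey -noout -out private.pem
#   openssl req -new -key private.pem -out csr.pem -subj "/CN=device-001"
#   est_simpleenroll_passcode "$EST_PASSCODE" csr.pem response.p7
```

Passing the passcode as a function argument keeps it out of the command line of curl itself, and --fail makes an HTTP error (for example a rejected credential) surface as a non-zero exit status instead of an error body silently written to the output file.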
Response
Upon verifying the client’s authentication credential and the integrity of the CSR, Device Trust Manager processes the certificate request.
If the request is valid, the Device Trust Manager issues a certificate for the client.
If the client requests server-side generated keys, the response includes the private key along with the issued certificate, which is securely transmitted back to the client over the encrypted session.
The client can then store the certificate and use it for secure communications.
Note
Certificate decoding guidance
Standard Linux environments and the curl command-line tool do not natively include an EST (Enrollment over Secure Transport) client. As a result, you may encounter difficulties when attempting to process the returned certificates with these tools alone.
To simplify certificate inspection and improve readability, we recommend using a PKCS7 certificate decoder (CSR and Certificate Decoder).
This tool allows you to upload certificates and view their contents in a structured, readable, PKCS7 format.
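As an added example that is not part of this page, the functions below decode an EST response with stock openssl instead of a web decoder. RFC 7030 defines the body returned by /simpleenroll, /simplereenroll and /cacerts as base64 text whose decoded form is a DER-encoded, certificates-only PKCS#7 structure. The functions assume the response file holds exactly the body curl wrote with --output.

```bash
# Added example (not DigiCert's code): decode and check an EST response with openssl.
# Assumption: RESPONSE_FILE is the raw base64 body saved from the EST endpoint.

# est_response_to_pem RESPONSE_FILE PEM_FILE
#   Writes every certificate contained in the PKCS#7 response to PEM_FILE.
est_response_to_pem() {
  base64 -d < "$1" | openssl pkcs7 -inform DER -print_certs -out "$2"
}

# est_cert_summary PEM_FILE
#   Prints the subject, serial number and validity window of the first certificate.
est_cert_summary() {
  openssl x509 -in "$1" -noout -subject -serial -startdate -enddate
}

# est_verify_against_cacerts CACERTS_PEM CERT_PEM
#   Checks that the issued certificate chains to what /cacerts returned, so a device
#   refuses a certificate signed by anything other than the expected CA.
#   If /cacerts carries only the issuing intermediate and no root, add -partial_chain.
est_verify_against_cacerts() {
  openssl verify -CAfile "$1" "$2" >/dev/null
}

# Typical use after enrollment (file names are placeholders):
#   est_response_to_pem cacerts.p7 cacerts.pem
#   est_response_to_pem response.p7 device.pem
#   est_cert_summary device.pem
#   est_verify_against_cacerts cacerts.pem device.pem && echo "chain OK"
```

Fetching /cacerts once and verifying every issued certificate against it is the cheapest way to notice a misconfigured issuing CA before the device starts using the credential.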
Obtain the EST reenroll endpoint
The reenrollment process is a specialized endpoint within the EST protocol, used specifically for renewing existing certificates.
In the Device Trust Manager menu, go to Certificate management > Certificate management policies.
Select the EST certificate management policy you have created.
On the Certificate management policy details page, navigate to the EST section.
Under the EST section, copy the Reenroll endpoint URL.
Your EST reenroll endpoint URL (simplereenroll) will resemble the example below:
https://clientauth.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/simplereenroll
Authentication
For reenrollment, the client must present the certificate that is due for renewal as an authentication certificate in the request.
CSR submission
The client submits a CSR during the reenrollment process. However, all identity fields within the CSR (such as Distinguished Name and Subject Alternative Names) are ignored. This is because the renewed certificate must maintain the same identity as the original certificate being renewed.
Certificate updates
The primary changes that occur during reenrollment include the assignment of a new certificate serial number and the establishment of new validity dates (start and end) for the renewed certificate.
The following is a sample CURL reenroll using certificate authentication. The certificate used for authentication must be the certificate you are renewing:
curl --location https://clientauth.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/simplereenroll \
  --cert "certificate.pem" \
  --key "private.pem" \
  --header "Content-Type: application/pkcs10" \
  --data-binary @csr.pem
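The following is an added example and not part of this page: it wraps the reenroll request and then checks that the renewed certificate behaves as the section above describes, with the identity unchanged and a new serial number and validity window. The reenroll URL is passed in as an argument; certificate.pem and private.pem are the certificate being renewed and its key, as in the curl sample; decoding the response follows RFC 7030 (base64 text over DER PKCS#7).

```bash
# Added example (not DigiCert's code): EST reenroll plus a post-renewal sanity check.
# Assumptions: REENROLL_URL is the simplereenroll URL copied from the policy details page;
# CERT_PEM/KEY_PEM are the certificate being renewed and its private key.

# est_simplereenroll REENROLL_URL CERT_PEM KEY_PEM CSR_FILE OUT_FILE
#   Authenticates with the expiring certificate and saves the base64 PKCS#7 reply.
est_simplereenroll() {
  curl --fail --silent --show-error --location \
    --cert "$2" --key "$3" \
    --header 'Content-Type: application/pkcs10' \
    --data-binary "@$4" \
    --output "$5" \
    "$1"
}

# est_renewed_cert_from_response RESPONSE_FILE PEM_FILE
#   Same decoding step as for any EST response: base64 text, then DER PKCS#7 to PEM.
est_renewed_cert_from_response() {
  base64 -d < "$1" | openssl pkcs7 -inform DER -print_certs -out "$2"
}

# est_check_renewal OLD_PEM NEW_PEM
#   Returns 0 only when the subject is unchanged, the serial number differs and the
#   renewed certificate is currently valid; anything else means the renewal went wrong.
est_check_renewal() {
  old_subject=$(openssl x509 -in "$1" -noout -subject)
  new_subject=$(openssl x509 -in "$2" -noout -subject)
  old_serial=$(openssl x509 -in "$1" -noout -serial)
  new_serial=$(openssl x509 -in "$2" -noout -serial)
  if [ "$old_subject" != "$new_subject" ]; then
    echo "renewal check: subject changed ($old_subject -> $new_subject)" >&2
    return 1
  fi
  if [ "$old_serial" = "$new_serial" ]; then
    echo "renewal check: serial number did not change ($new_serial)" >&2
    return 1
  fi
  if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null; then
    echo "renewal check: renewed certificate is not currently valid" >&2
    return 1
  fi
  echo "renewal OK: $new_subject, $old_serial -> $new_serial"
  openssl x509 -in "$2" -noout -startdate -enddate
}

# Typical use (URL and file names are placeholders):
#   est_simplereenroll "$REENROLL_URL" certificate.pem private.pem csr.pem renewed.p7
#   est_renewed_cert_from_response renewed.p7 renewed.pem
#   est_check_renewal certificate.pem renewed.pem
```

Because the CSR's identity fields are ignored on reenrollment, a subject that does differ between the old and new certificate indicates the wrong certificate was presented for authentication, which is why the check treats it as a failure rather than a warning.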
Use EST with device management
You can use EST to register devices into a device group and issue bootstrap certificates to devices. Registered devices are listed under Device management > Devices, allowing centralized management and control. This feature is available with the Device Trust Manager Advanced plan.
If you are already on the Device Trust Manager Advanced plan, perform the following steps:
When creating a certificate management policy, under the General settings step, select Policy will be used for secure device lifecycle management. Requires an Advanced license.
Perform the following steps to link the certificate management policy to a device group and map one of the certificate fields to the device’s identity:
In the Device Trust Manager menu, go to Device management > Device groups.
Select a device group to view its details.
Go to the Policy assignments pane.
Select Assign policy.
Select a Policy usage:
Select Bootstrap under Policy usage.
Provide a name for the policy.
Assign the certificate management policy to a device group.
Once you have linked the EST certificate management policy to a device group, you can use EST to register devices in the device group and issue bootstrap certificates to devices. The EST URL must be modified to include device-group/{device-group-id}.
Example:
https://clientauth.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/device-group/{device-group-id}/simpleenroll