Enrollment over Secure Transport

The Enrollment over Secure Transport, or EST is a cryptographic protocol that describes an X.509 certificate management protocol targeting public key infrastructure (PKI) clients that need to acquire client certificates and associated certificate authority (CA) certificates. EST is described in RFC 7030. EST has been put forward as a replacement for SCEP, being easier to implement and use as well as supporting more algorithms such as ECDSA. EST uses HTTPS as transport and leverages TLS for many of its security attributes. EST has described standardized URLs and uses the well-Known Uniform Resource Identifiers (URIs) definition codified in RFC 5785.

Internet protocol suite
Application layer
Transport layer
Internet layer
Link layer
  • more...

Operations

EST has a set of operations:

  • /cacerts
  • /simpleenroll
  • /simplereenroll
  • /fullcmc
  • /serverkeygen
  • /csrattrs

Usage example

The basic functions of EST were designed to be easy to use and although not a REST API, it can be used in a REST-like manner using simple tools such as OpenSSL and CURL. A simple command to make initial enrollment with a pre-generated PKCS#10 Certificate Signing Request (stored as device.b64), using one of the authentication mechanisms (username:password) specified in EST is:

curl -v --cacert ManagementCA.cacert.pem --user username:password --data @device.b64 -o device-p7.b64 -H "Content-Type: application/pkcs10" -H "Content-Transfer-Encoding: base64" https://hostname.tld/.well-known/est/simpleenroll

The issued certificate, returned as a Base64 encoded PKCS#7 message, is stored as device-p7.b64.

gollark: They made a law saying they would, then quietly dropped it after it was deemed impractical, and are now trying to reintroduce it in the ominously named Online Safety Bill.
gollark: Sort of?
gollark: Zimbardo actively intervened to try and worsen things.
gollark: It was an awful experiment.
gollark: They didn't implement it.

References

    Implementations
    • The library libest is a client and server implementation of EST.
    • Bouncy Castle API offers EST API library for Java and C#.
    • EJBCA, a CA software, implements a subset[1] of the EST functions.


    1. "EJBCA - The Java EE Certificate Authority". Archived from the original on 2019-06-07. Retrieved 2019-06-07.
    This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.