Enrollment over Secure Transport
Enrollment over Secure Transport (EST) is a cryptographic protocol that describes an X.509 certificate management protocol for public key infrastructure clients that need to acquire client certificates and the associated certificate authority (CA) certificates. EST is described in RFC 7030. It has been put forward as a replacement for SCEP, because it is easier to implement on devices that already have an HTTPS stack. EST uses HTTPS as its transport and leverages TLS for many of its security properties: the server is authenticated by its TLS certificate, and the client authenticates either with an existing TLS client certificate (for example one installed by the manufacturer, or the certificate being renewed) or with HTTP-level credentials such as Basic or Digest authentication sent over the TLS session. EST defines standardized URLs under the well-known URI prefix codified in RFC 5785.
Operations
EST defines the following set of operations:

| API Endpoint | Operation | Description |
|---|---|---|
| /.well-known/est/cacerts | Distribution of CA certificates | The EST client requests a copy of the current CA certificates with an HTTPS GET operation; the response is a certs-only PKCS#7 message. |
| /.well-known/est/simpleenroll | Enrollment of clients | EST clients request a certificate from the EST server by sending a PKCS#10 certificate signing request with an HTTPS POST operation. |
| /.well-known/est/simplereenroll | Re-enrollment of clients | EST clients renew or rekey an existing certificate with an HTTPS POST operation, normally authenticating to the TLS session with the certificate being replaced. |
| /.well-known/est/fullcmc | Full CMC | An EST client can request a certificate from an EST server using a full CMC (Certificate Management over CMS) request sent with an HTTPS POST operation. |
| /.well-known/est/serverkeygen | Server-side key generation | An EST client may request that the server generate the private key and return it together with the associated certificate, using an HTTPS POST operation. |
| /.well-known/est/csrattrs | CSR attributes | CA policy may allow client-provided attributes in the certificates it issues, some of which describe information the CA does not have, and a CA may require a particular type of public key that the client does not know about in advance. Clients should therefore request, with an HTTPS GET operation, the list of attributes the CA requires or desires in an enrollment request, unless local policy dictates otherwise. |
Usage example
The basic functions of EST were designed to be easy to use, and although EST is not a REST API it can be driven in a REST-like manner with simple tools such as OpenSSL and cURL. An initial enrollment with a pre-generated PKCS#10 certificate signing request, using one of the client authentication mechanisms specified in EST, is a single HTTPS POST of the Base64-encoded DER request (with Content-Type application/pkcs10) to the simpleenroll endpoint. The issued certificate, returned as a Base64-encoded PKCS#7 message (Content-Type application/pkcs7-mime), is stored as device-p7.b64 and must then be decoded before it can be installed.
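The following script is an added example, not code from RFC 7030 or from any of the implementations listed on this page. It walks through the two operations from the table that a device needs for a first enrollment, cacerts and simpleenroll, with the client side written as it would be typed against a real server, and a throwaway local OpenSSL CA standing in for the EST server so that the whole round trip runs offline. The server name est.example.com, the device name device-0001 and the user/password pair are assumptions.

```shell
#!/bin/sh
# Added example: EST cacerts + simpleenroll round trip with openssl.
# The "server" below is a local throwaway CA, not a real EST server.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EST_URL="https://est.example.com/.well-known/est"   # assumed server

# ---- Client: generate a key and a PKCS#10 CSR, base64-encode the DER ------
est_make_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/device.key"
    openssl req -new -batch -key "$WORK/device.key" -subj "/CN=device-0001" \
        -out "$WORK/device.csr" 2>/dev/null
    # RFC 7030 carries the CSR as base64 DER (Content-Transfer-Encoding: base64)
    openssl req -in "$WORK/device.csr" -outform DER | openssl base64 \
        > "$WORK/device.csr.b64"
}

# ---- Client: the two real requests (printed only; there is no server here) -
# Assumed: HTTP Basic credentials, one of the RFC 7030 client auth options.
est_show_requests() {
    cat <<EOF
curl "$EST_URL/cacerts" --cacert trust-anchor.pem -o cacerts.p7.b64
curl "$EST_URL/simpleenroll" --cacert ca-bundle.pem \\
  --user "device-0001:password" \\
  -H "Content-Type: application/pkcs10" \\
  -H "Content-Transfer-Encoding: base64" \\
  --data-binary @device.csr.b64 -o device-p7.b64
EOF
}

# ---- Stand-in for the EST server: a throwaway CA answers both requests -----
fake_est_server() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
    openssl req -x509 -new -batch -key "$WORK/ca.key" -subj "/CN=Test EST CA" \
        -days 1 -out "$WORK/ca.pem" 2>/dev/null
    # /cacerts response: certs-only PKCS#7 (no signers) holding the CA, base64
    openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.pem" -outform DER \
        | openssl base64 > "$WORK/cacerts.p7.b64"
    # /simpleenroll: decode the posted CSR, issue, wrap the leaf the same way
    openssl base64 -d -in "$WORK/device.csr.b64" -out "$WORK/posted.csr.der"
    openssl req -inform DER -in "$WORK/posted.csr.der" -out "$WORK/posted.csr.pem"
    openssl x509 -req -in "$WORK/posted.csr.pem" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/issued.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$WORK/issued.pem" -outform DER \
        | openssl base64 > "$WORK/device-p7.b64"
}

# ---- Client: decode both responses and check what came back ----------------
est_decode_responses() {
    # /cacerts -> PEM bundle. A client with no prior trust anchor must have the
    # fingerprint of this bundle confirmed out of band before relying on it.
    openssl base64 -d -in "$WORK/cacerts.p7.b64" \
        | openssl pkcs7 -inform DER -print_certs -out "$WORK/ca-bundle.pem"
    # /simpleenroll -> the issued certificate in PEM
    openssl base64 -d -in "$WORK/device-p7.b64" \
        | openssl pkcs7 -inform DER -print_certs -out "$WORK/device.pem"
    # Check 1: the issued certificate chains to the CA set obtained from /cacerts
    openssl verify -CAfile "$WORK/ca-bundle.pem" "$WORK/device.pem" >/dev/null
    # Check 2: the certificate carries the public key we generated, i.e. the
    # server certified our key rather than substituting one
    [ "$(openssl x509 -in "$WORK/device.pem" -pubkey -noout)" = \
      "$(openssl pkey -in "$WORK/device.key" -pubout)" ]
}

# Runs the whole exchange; returns 0 only if both checks pass.
est_demo() {
    est_make_csr
    fake_est_server
    est_decode_responses
}

est_show_requests
est_demo
echo "EST round trip OK: issued certificate in $WORK/device.pem"
```

Two points a real deployment will hit that the stand-in does not show: `openssl base64 -d` expects line-wrapped input, so if a server returns the body as one long line add `-A`; and RFC 7030 lets the server answer simpleenroll with 202 Accepted and a Retry-After header when issuance needs manual approval, so the client must be prepared to poll rather than treat anything other than 200 as a failure.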
Implementations
- The libest library is a client and server implementation of EST.
- Bouncy Castle offers an EST API library for Java.
- is a server implementation of EST.
- EJBCA, a CA software, implements a subset of the EST functions.
- implements.
- Entrust CA PKIs support EST functions.
- implements.
- The strongSwan tool is a client implementation of EST.
Category:Cryptographic protocols
Category:Computer security
Category:Internet Standards