What is EST

Enrolment over Secure Transport (EST) is a standardised protocol (defined in RFC 7030) used to manage certificate enrolment and lifecycle processes securely over HTTPS. EST is designed for automated environments where devices, applications, or services need to obtain digital certificates without manual intervention.

Key Features of EST

Security:

  • Utilises HTTPS for transport security.
  • Supports client authentication using existing certificates or shared secrets.
  • Ensures confidentiality, integrity, and authentication of the communication.

Automation:

  • Facilitates automated certificate issuance and renewal for IoT devices, servers, or applications.
  • Compatible with headless environments requiring minimal manual configuration.

Support for Various Certificate Lifecycle Operations:

Initial certificate enrolment.

  • Certificate renewal.
  • Certificate revocation using Certificate Revocation Lists (CRLs).
  • Provisioning CA certificates to clients.

Advantages of EST

  • Secure: Relies on TLS and mutual authentication.
  • Lightweight: Uses well-established HTTP and TLS protocols.
  • Interoperable: Supported by many certificate authorities and devices.
  • Automated: Reduces the need for manual certificate management.

Limitations of EST

  • Bootstrapping: Requires a preloaded trust anchor for the initial setup.
  • Client Authentication: May require configuration for certificates or secrets.
  • Limited by HTTP: Depends on HTTPS infrastructure, which may not be optimal for all environments.

Endpoints in EST

EST defines several endpoints for different operations:

  • /cacerts: Retrieves CA certificates or chains.
  • /simpleenroll: Submits a CSR for certificate issuance.
  • /simplereenroll: Submits a CSR for certificate renewal.
  • /csrattrs: Retrieves attributes needed for CSR generation (optional).

Workflow of Certificate Enrolment over EST

The EST process involves the following steps:

  1. Bootstrap with Trust Anchor:
    1. The client must have a trusted CA certificate (trust anchor) preloaded to validate the EST server’s TLS certificate.
  2. HTTPS Connection Establishment:
    1. The client initiates a secure connection to the EST server using HTTPS (port 443 by default).
  3. Server Authentication:
    1. The EST server presents its TLS certificate, which the client verifies against its trust anchor.
  4. Client Authentication:
    1. Authentication can be done using:
      1. An existing client certificate (e.g., in case of renewal).
      2. A shared secret (for initial enrolment).
  5. Certificate Enrolment:
        1. The client sends a Certificate Signing Request (CSR) in PKCS#10 format to the EST server.
        2. The EST server validates the CSR and responds with the signed certificate in PKCS#7 format or as a raw certificate.
  6. CA Certificates Provisioning:
    1. The client can retrieve the CA certificate or certificate chain from the EST server using the /cacerts endpoint.
  7. Certificate Renewal:
    1. Clients use the /simpleenroll or /simplereenroll endpoints to renew their certificates.
  8. CRL Retrieval (Optional):
    1. Clients can fetch CRLs from the EST server to validate certificates.

Use Cases

  • IoT Devices:
    • Automates certificate enrolment and renewal in IoT ecosystems.
  • Servers and Services:
    • Simplifies certificate management for web servers or microservices.
  • Secure Network Infrastructure:
    • Automates certificate provisioning for VPN gateways, firewalls, or routers.

Tools and Software Supporting EST

  • Cogito Jellyfish: Supports EST for automated certificate lifecycle management
  • OpenSSL: Can be used to interact with EST servers for testing and operations.
  • EJBCA: Supports EST for automated certificate lifecycle management.
  • Cisco IOS: Implements EST for network device enrolment.
  • Microsoft CA: With third-party solutions or extensions.