LogoLogo
  • emCA Certificate Manager
  • Introduction
    • Summary
    • Key Features
    • Key Components
    • Architecture
    • Use Cases
    • Security
    • Role based Access
    • Licensing
    • How emCA Works ?
  • Release Versions
    • V4.2.6
    • V4.2.5
    • V4.2.4
      • User Manual
        • CA Administrator
          • CA Admin Login
          • Dashboard Page
          • View CA Hierachy
          • Manage User Certificates
            • Search
          • Manage CA Certiifcates
            • Search
          • Manage User & Roles
            • Manage User
            • Create New User
            • View Groups
          • Reports
            • Application Logs
            • CRL Report
            • Certificate Statistics
            • All Certificates
            • Active / Revoked / Suspended / Expired Certificates
          • Application Settings
            • Manage License
            • Manage Authentication Matrix
            • Certificate Features
        • Administrator
          • View Hierachy
          • Manage Profiles
            • Manage Certificate Profiles
              • X509 certificate profile
              • Create CVC CA certificate profile
              • Create EMV Certificate Profile
            • Manage Key Profiles
            • Manage CRL Profiles
          • Manage User Certificates
          • Manage CA Certificates
          • Manage Keystores
          • Manage Users & Roles
          • Reports
          • Application Settings
          • Setup & Registeration
          • External Applications
          • Mail Settings
          • Manage Certificate Features
        • Officer
          • CA Hierarchy
          • Manage User Certificates
          • Manage CA Certificates
          • Manage CRLs
          • Manage EMV Certificate
          • Manage EMV CRLs
          • Manage Keystores
          • Manage OCSP Certificates
          • Recover User keypair
          • Reports
        • Auditor
          • CA Hierarchy
          • Reports
      • emCA_Deployment_Document
    • V4.2.3
      • User Manual
        • CA Administrator
          • CA Admin Login
          • Dashboard Page
          • View CA Hierachy
          • Manage User Certificates
            • Search
          • Manage CA Certiifcates
            • Search
          • Manage User & Roles
            • Manage User
            • Create New User
            • View Groups
          • Reports
            • Application Logs
            • CRL Report
            • Certificate Statistics
            • All Certificates
            • Active / Revoked / Suspended / Expired Certificates
          • Application Settings
            • Manage License
            • Manage Authentication Matrix
            • Certificate Features
        • Administrator
          • View Hierachy
          • Manage Profiles
            • Manage Certificate Profiles
              • X509 certificate profile
              • Create CVC CA certificate profile
              • Create EMV Certificate Profile
            • Manage Key Profiles
            • Manage CRL Profiles
          • Manage User Certificates
          • Manage CA Certificates
          • Manage Keystores
          • Manage Users & Roles
          • Reports
        • Officer
          • CA Hierarchy
          • Manage User Certificates
          • Manage CA Certificates
          • Manage CRLs
          • Manage EMV Certificate
          • Manage EMV CRLs
          • Manage Keystores
          • Manage OCSP Certificates
          • Recover User keypair
          • Reports
        • Auditor
          • CA Hierarchy
          • Reports
        • Operator
          • CA Hierarchy
          • Backup
    • V4.2.2
      • User Manual
        • CA Administrator
          • CA Admin Login
          • Dashboard Page
          • View CA Hierachy
          • Manage User Certificates
            • Search
          • Manage CA Certiifcates
            • Search
          • Manage User & Roles
            • Manage User
            • Create New User
            • View Groups
          • Reports
            • Application Logs
            • CRL Report
            • Certificate Statistics
            • All Certificates
            • Active / Revoked / Suspended / Expired Certificates
          • Application Settings
            • Manage License
            • Manage Authentication Matrix
            • Certificate Features
        • Administrator
          • View Hierachy
          • Manage Profiles
            • Manage Certificate Profiles
              • X509 certificate profile
              • Create CVC CA certificate profile
              • Create EMV Certificate Profile
            • Manage Key Profiles
            • Manage CRL Profiles
          • Manage User Certificates
          • Manage CA Certificates
          • Manage Keystores
          • Manage Users & Roles
          • Reports
        • Officer
          • CA Hierarchy
          • Manage User Certificates
          • Manage CA Certificates
          • Manage CRLs
          • Manage EMV Certificate
          • Manage EMV CRLs
          • Manage Keystores
          • Manage OCSP Certificates
          • Recover User keypair
          • Reports
        • Auditor
          • CA Hierarchy
          • Reports
        • Operator
          • CA Hierarchy
          • Backup
    • V4.2.1
    • V4 .0.17
      • Open API Specifications
        • Prerequisites
        • Process for calling emCA API
        • How to Generate an Authentication Key
        • How to Generate Signed Data (PKCS#7)
        • How to create JSON Object before Encryption
        • How to encrypt JSON object
        • How to generate a request JSON Object
        • API Methods
          • API Method -createCertificate and createCertificateP7B
          • API Method -createPKCS12
          • API Method -getCertificate
          • API Method - revoke
          • API Method - verifySignature
          • API Method - createCertificateById and createcertificateP7BById
          • API Method - createPKCS12ById
          • API Method - reinstate
          • API Method - suspend
          • API Method -rekey
          • API Method-getCertificateByRequestID
          • API Method - createCustomCertificateById
          • API Method - getExpirySoonCertificate
          • API Method - getProfileinfoByProfilename
          • API Method -getCertificateProfileList
          • API Method- createCertificatesByIdWithMultipleCsrData
          • API Method - getPKCS12
          • API Method - createeSignCustomCertificateById
        • ePassport Certificate API Methods
        • emClient.jar
        • SOAP Information
        • ACME Protocol
        • CMP Protocol
        • EST Protocol
        • SCEP Protocal
      • User Manual
        • View CA Hierarchy
          • Delete Certificate and Keypair
          • Search Certificate
          • View Certificate
          • Export Certificate
        • Manage Profiles
          • Key Profiles
            • Edit
            • Key Profile Creation
              • Create HSM Key Profile
              • Create PKCS12 Key Profile
          • Certificate Profiles
            • Certificate Profile Creation
              • Create CA Self Signed Certificate
              • Create User Certificate Profile
              • Create OSCP Certificate Profile
          • CRL Profiles
            • New CRL Profile
        • Manage User Certificate
          • Enroll
            • Generation of Soft Token Certificate
            • Generation of Hard Token Certificate
          • Revoke/Suspend
          • Reinstate
          • Search
          • Sign CSR
          • Manual Authorize Certificates
          • SCT Request
        • Manage CA Certificate
          • Enroll
            • Create Self-Signed CA Certificate
            • Create Sub CA Certificate
            • Create OSCP Certificate
            • Generate Signing CSR
          • Manage CA Certificates
            • Search Certificate
            • Import Certificate
          • Revoke CA Certificate
          • Search
          • Sign CSR
          • Import PKCS12
        • Manage CRLS
          • Create CRL
          • Update CRL
          • Download CRL
          • Scheduler Configuration
        • Manage OSCP Certificates
          • Configure OSCP Certificate
          • OSCP Configuration
        • Recover User Keypair
          • Recover
            • Key Recovery with new Password
            • Key Recovery with old Password
        • Manage Users and Roles
          • Manage User
            • Create New User
            • View all users created
            • View individual user
            • Deactivate user
            • Activate user
            • Renew
            • Delete User
          • View Groups
        • Reports
          • Types of Reports
          • CRL Reports
          • Certificate Stastics
          • All Certificates Reports
          • Active Certificates Report
          • Revoked Certificates Report
          • Suspended Certificates Report
          • Expired Certificates Report
        • Application Logs
        • Backup
          • Manual Backup on Local Server
          • Manual Backup on Remote Server
          • Automatic Backup on Local Server
          • Automatic Backup on Remote Server
        • Backup Restoration
        • Dashboard Features
          • View all Active CA and User Certificates
          • View Revoked CA and User Certificates
          • View all expiring soon CA and User Certificates
          • View all CRL-based Certificates
        • Application Settings
          • Manage License
          • Setup and Registration
          • External Applications Onboarding
        • Manage Key stores
    • V4.0.13
      • User Manual
        • View CA Hierarchy
          • Delete Certificates & Key Pair
          • Search Certificate
          • View Certificate
          • Export Certificate
        • Manage Profiles
          • Key Profile
            • Edit
            • Key Profile Creation
              • Create HSM Key Profile
              • Create PKCS 12 Keyprofile
        • Certificate Profiles
          • Certificate Profile Creation
            • Create CA Self Signed Certificate Profile
            • Create SubCA Certificate Profile
            • Create User CA Certificate
            • Create OCSP Certificate
        • Manage User Certificate
          • Enroll
            • Generation Of Softtoken Certificate
            • Generation Of Hardtoken Certificate
          • Revoke/Suspend
          • Reinstate
          • Search
          • Sign CSR
          • Manual Authorize Certificates
          • SCT Request
        • Manage CA Certificate
          • Enroll
            • Create Selfsigned CA Certificate
            • Create Sub CA Certificate
            • Create OCSP Certificate
            • Generate Signing CSR
          • Manage CA Certificates
            • Search
            • Import Certificate
        • Revoke CA Certificate
        • Search
        • Sign CSR
        • Import PKCS 12
        • Manage CRLs
          • Create CRL
          • Update CRL
          • Download CRL
          • Scheduler Configuration
        • Manage OCSP Certificate
          • Configure OCSP Certificates
          • OCSP Configuration
        • Key Recovery
          • Recover
            • Key Recovery With New Password
            • Key Recovery With Old Password
        • Manage Users & Roles
          • Manage Users
            • Create New User
            • View All Users Created
            • View Individual Users
            • Deactive Users
            • Activate Users
            • Renew
            • Delete
            • Export All users
          • View Groups
        • Reports
          • Features
          • Types Of Reports
            • CRL Reports
            • Certificate Statistics
            • All Certificate Reports
            • Active Certificate Reports
            • Revoked Certificate Reports
            • Suspended Certificate Reports
            • Expired Certificates Reports
        • Application Logs
        • Backup & Restore
          • Backup
            • Manual Backup on Local Server
            • Manual Backup On Remote Server
            • Automatic Backup on Local Server
            • Automatic Backup On Remote Server
          • Backup Restoration
        • Dashboard Features
          • View All Active CA and User Certificates
          • View Revoked CA & User Certificates
          • View All Expiring Soon & User Certificates
          • View All CRL Based Certificates
        • Application Settings
          • Manage emCA Authentication Matrix
          • External Application On-Boarding
        • Manage Keystore
  • Deployment Models
    • Single Instance
    • High Availability Deployment
    • Hybrid Deployment
    • Cloud Deployment
    • List of Prerequisites
      • Installations
        • Token Drivers
        • emCA Websocket
    • emCA Deployment Guide
      • Prerequisites
        • Other Prerequisites
      • emCA
      • emCA API
      • OCSP Core
      • OCSP Responder Web
      • TSA Core
      • TSA Web
      • Scheduler
      • DB Password Encryptor
      • emCA Initial Setup
      • Protocols Configuration Overview
        • ACME Protocol
        • EST Protocol
Powered by GitBook
On this page
  • Prerequisites
  • EST Endpoint
  • Supported Endpoints
  • API Specifications
  • Get/est/cacerts
  • POST/est/simpleenroll
  1. Deployment Models
  2. emCA Deployment Guide
  3. Protocols Configuration Overview

EST Protocol

PreviousACME Protocol

Last updated 22 days ago

Enrollment over Secure Transport (EST) is a certificate enrollment protocol that operates over HTTPS, offering strong client authentication and enhanced security features. This implementation of EST (Enrollment over Secure Transport), as defined in RFC 7030 (), supports basic certificate enrollment and retrieval of CA certificates. Communication is secured using HTTPS (HTTP over TLS) over TCP, and client authentication is performed using HTTP Basic Authentication.

Prerequisites

Registration

In emCA, EST (Enrollment over Secure Transport) requests are authenticated using Basic Authentication. Therefore, before utilizing the EST protocol, the client must first register through the emCA Portal.

Steps to be followed by the emCA Team:

  1. Once the emCA team receives the client's username, password, and IP address,

  2. The emCA Administrator should log in to the emCA portal using an Admin account,

  3. And proceed to register the client details to authorize EST access.

emCA Administrator should login to the emCA portal as Admin/CA Admin and navigate to “Application Settings‟ -> “External Applications‟ as shown in the figure.

Click on “New‟ The following screen will be displayed.

Once the details are entered, click on “Proceed‟.

The “Verify and Confirm‟ page will be displayed where the Admin/CA Admin should verify and entered details and authenticate by entering the Username and Password

Click on “Sign and Save‟.

Create Certificate Template

Create the appropriate certificate template in emCA by following the steps outlined in Section – Manage Profiles of the emCA User Manual. Be sure to record important details such as the Profile Name or Certificate Profile ID, as these will be required during the certificate enrollment process.

Configure Properties

EST configuration must be defined in the database. The required values must be updated in the `api_properties` table to enable EST CA server functionality.

est.ca.server.user.profile

EST Cert Profile name/ID

Active

est.ca.server.group.id

Group Id

Active

Please find the following script to update the necessary values in the database:

-- Certificate template profile ID
UPDATE api_properties
SET prop_value = 'xxxx', prop_status = 1
WHERE prop_key = 'est.ca.server.user.profile';
-- EST CA server group information
UPDATE api_properties
SET prop_value = '1', prop_status = 1
WHERE prop_key = ‘est.ca.server.group.id';

Note: To apply the configuration changes, it is necessary to restart the Tomcat services. Please follow the steps below to restart Tomcat:

EST Endpoint

Supported Endpoints

Endpoint

Type of Method

Description

/cacerts

GET

Retrieves the CA certificates (trust anchors).

/simpleenroll

POST

Accepts CSR and returns a signed certificate (enrollment).

API Specifications

Get/est/cacerts

Purpose: Returns a response with the CA certificates (trust anchors)

Sample Request

GET /est/cacerts HTTP/1.1 Host: emca.example.com Authorization: Basic <Base64(username:password)> Accept: application/pkcs7-mime

Sample Response

Status: 200 OK Content-Type: application/pkcs7-mime Body: PKCS#7 SignedData containing the CA certificate chain.

POST/est/simpleenroll

Purpose: Submits a certificate signing request (CSR) and returns a signed certificate.

Sample Request

POST /emCAServices/est/simpleenroll HTTP/1.1

Host: emca.example.com

Authorization: Basic <Base64(username:password)>

Content-Type: application/pkcs10

Content-Transfer-Encoding: <Base64-encoded PKCS#10 CSR>

Sample Response

Status: 200 OK if successful,

Content-Type: application/pkcs7-mime

Body: PKCS#7 SignedData with the signed certificate

Authentication

  • EST (Enrollment over Secure Transport) uses HTTP Basic Authentication to verify client identity before processing requests.

  • Clients must provide valid username and password credentials in the Authorization header of each request.

  • Only authenticated clients are permitted to access endpoints.

HTTP Response Status Codes

200

OK

Returned when a request (e.g., CSR Attributes, CA Certs, and enrollment) completes successfully.

400

Bad Request

Returned when a CSR is malformed, missing required fields, or improperly encoded.

401

Unauthorized

Returned when the client fails to provide correct authentication (HTTP auth, TLS cert).

500

Internal Server Error

Unexpected error on the EST server

Base URL: /est

https://www.example.com/emCAServices
https://www.rfc-editor.org/rfc/rfc7030.html
Figure 1
Figure 2
Figure 3
Figure 4
Figure 5