EST Protocol

Enrollment over Secure Transport (EST) Protocol

Enrollment over Secure Transport (EST) is a standardized protocol for automating the process of obtaining and managing digital certificates for Public Key Infrastructure (PKI) clients. It runs over HTTPS: TLS establishes an encrypted, authenticated channel between the EST client and the EST server, and EST operations, such as certificate enrollment, renewal, and revocation, are exchanged through that channel.

Obtaining Certificates Using EST Protocol

The Enrollment over Secure Transport (EST) protocol provides a secure and automated method for obtaining certificates within a Public Key Infrastructure (PKI). This section provides instructions on how to retrieve an existing certificate and generate a new certificate using the EST protocol.

Retrieving an Existing Certificate

  1. Request the CA Certificates: Execute the following curl command against the EST server's cacerts endpoint:

    curl -X GET -k https://167.235.151.28:9443/emCAServices/est/cacerts

    This command retrieves the issuer CA certificate from the EST server. Note that -k disables verification of the server's TLS certificate, so the response is not authenticated by curl; pass a trusted CA bundle with --cacert instead where one is available.

  2. Decode the Base64-Encoded Data: Save the output of the previous command to a text file named input.txt. The response body is Base64-encoded.

    certutil -decode input.txt decoded.txt

    This command decodes the Base64-encoded data from the input.txt file and saves the decoded data to a file named decoded.txt.

  3. Extract the Certificate:

    openssl pkcs7 -inform DER -in "decoded.txt" -print_certs -text -noout

    This command parses the decoded data as a DER-encoded PKCS#7 structure, extracts the certificate it contains, and displays it in text format.

Generating a New Certificate

  1. Generate a Certificate Signing Request (CSR): Generate a CSR using the openssl command:

    openssl req -new -newkey rsa:2048 -keyout my_key.pem -out my_req.csr

    This command generates a key pair, writes the private key to my_key.pem, and creates a CSR file named my_req.csr. The rsa:2048 parameter specifies the key algorithm and length.

  2. Submit the CSR to the EST Server: Execute the following command to submit the CSR to the EST server:

    curl -X POST -k -H "Content-Type: application/pkcs10" -d "@my_req.csr" https://167.235.151.28:9443/emCAServices/est/simpleenroll

    This command sends the CSR to the EST server's simpleenroll endpoint using the curl command. The -d "@my_req.csr" parameter indicates that the request body is read from the file named my_req.csr, and the Content-Type header tells the server that the body is a PKCS#10 request.

  3. Decode the Certificate Data: Save the server's response to a text file named input.txt. As with the CA certificate, the response body is Base64-encoded.

    certutil -decode input.txt decoded.txt

    This command decodes the Base64-encoded data from the input.txt file and saves the decoded data to a file named decoded.txt.

  4. Extract the New Certificate:

    openssl pkcs7 -inform DER -in "decoded.txt" -print_certs -text -noout

    This command parses the decoded PKCS#7 data, extracts the newly issued certificate, and displays it in text format.

These steps provide a comprehensive guide on how to retrieve an existing certificate and generate a new certificate using the EST protocol.
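The script below is an added, offline example and is not part of the original page. It stands in for the EST server with a locally generated throwaway CA (an assumption, so the real cacerts and simpleenroll responses are simulated), runs the decode-and-extract steps above as shell functions, and adds the check the procedure does not include: verifying that the enrolled certificate actually chains to the CA returned by cacerts. It assumes openssl and the coreutils base64 command are installed.

```shell
#!/bin/sh
# Added example: simulated EST exchange plus the decode/extract/verify steps.
set -e
WORK=$(mktemp -d)

# Constructed stand-in for the EST server: a throwaway CA that signs our CSR.
make_fake_est_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Fake EST CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # /cacerts body: Base64 of a certs-only (degenerate) PKCS#7 in DER, per RFC 7030.
  openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.pem" -outform DER \
    | base64 > "$WORK/cacerts.b64"
}

# Client side: key pair and CSR as on the page, made non-interactive with -subj.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=est-client" \
    -keyout "$WORK/my_key.pem" -out "$WORK/my_req.csr" 2>/dev/null
}

# Simulated /simpleenroll: sign the CSR and return a Base64 PKCS#7 body.
fake_simpleenroll() {
  openssl x509 -req -in "$WORK/my_req.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$WORK/client.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/client.pem" -outform DER \
    | base64 > "$WORK/enroll.b64"
}

# The page's decode and extract steps: Base64 -> DER PKCS#7 -> PEM certificates.
# Usage: est_extract_certs response.b64 out.pem
est_extract_certs() {
  base64 -d "$1" > "$1.der"
  openssl pkcs7 -inform DER -in "$1.der" -print_certs -out "$2"
}

# The missing check: the enrolled certificate must chain to the /cacerts CA.
# Usage: verify_enrolled_cert cacerts.pem client.pem   (exit 0 on success)
verify_enrolled_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_fake_est_server
make_csr
fake_simpleenroll
est_extract_certs "$WORK/cacerts.b64" "$WORK/cacerts.pem"
est_extract_certs "$WORK/enroll.b64" "$WORK/client_extracted.pem"
verify_enrolled_cert "$WORK/cacerts.pem" "$WORK/client_extracted.pem" \
  && echo "enrolled certificate chains to the /cacerts CA"
```

Against a real server, replace the two fake_* functions with the curl calls from the procedure above, saving each response body to the corresponding .b64 file.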
