EST

1. Introduction

MTG Certificate Lifecycle Manager Server includes an implementation of the EST protocol according to RFC 7030 [RFC7030].

2. MTG-CLM integration

To integrate with MTG-CLM, the EST server uses the credentials of an API client, as described in the EST Administration Manual. In addition, the EST server uses a policy to handle certificate management. Policies in MTG-CLM are recipes for how certificates are created: a policy identifies the CA that issues the certificate and the template that is used, and it can contain additional restrictions and configuration for the certificate lifecycle.

2.1. Defining default policy

API clients can optionally be associated with a default policy. By default, MTG Certificate Lifecycle Manager Server uses the default policy of the associated API client to handle certificate management. If the API client is not associated with a default policy and the client does not specify a different policy in the request (see Section 3.1), the EST server responds with an invalid identifier error.

2.2. Defining different policy

The EST server supports using a different policy instead of the API client's default policy. The ID of that policy must be included in requests to the EST server as described in Section 3.1.

2.3. Set up password login

The EST server supports HTTP basic authentication (see [RFC7617]). The credentials for this type of authentication are obtained by creating an end entity and an associated end entity password; more details can be found in End Entities Password. To execute basic authentication requests, use the end entity ID as the username and the end entity password as the password.

3. Custom features

3.1. Different policies endpoints

By default, the EST server offers the following endpoints:

  • EST_SERVER_BASE_URL/.well-known/est/cacerts

  • EST_SERVER_BASE_URL/.well-known/est/simpleenroll

  • EST_SERVER_BASE_URL/.well-known/est/simplereenroll

Client requests to these endpoints use the default policy.

The EST server provides supplementary endpoints for requests that require a different policy. Requests to these endpoints specify the policy to use, rather than the default policy of the associated API client. The different-policy endpoints are:

  • EST_SERVER_BASE_URL/.well-known/est/<identifier>/cacerts

  • EST_SERVER_BASE_URL/.well-known/est/<identifier>/simpleenroll

  • EST_SERVER_BASE_URL/.well-known/est/<identifier>/simplereenroll

The <identifier> must be replaced with a valid policy ID. For example, to request a certificate that is issued under the policy ffc0d281-f9df-45cd-a30d-1881cd67012a, use the URL: EST_SERVER_BASE_URL/.well-known/est/ffc0d281-f9df-45cd-a30d-1881cd67012a/simplereenroll.
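As an added example that is not part of this manual or of MTG-CLM's own tooling, the following POSIX shell helpers build the default and different-policy endpoint URLs from Section 3.1 and run a simpleenroll request with the basic authentication credentials from Section 2.3 using curl and openssl. The base URL, end entity ID and password, policy ID and an existing DER-encoded PKCS#10 CSR are assumed to be supplied by the operator; the function names and curl/openssl invocations are this example's own.

```shell
# Added example, not MTG-CLM's own tooling: EST enrolment with curl and openssl.
# Assumed: the operator supplies EST_SERVER_BASE_URL, an end entity ID and
# password (Section 2.3), optionally a policy ID (Section 3.1), and a PKCS#10
# CSR in DER form. Base URLs must be https: basic auth sends the password.

# Build the URL for an EST operation. An empty policy ID selects the default
# endpoints; otherwise the policy ID becomes the <identifier> path segment,
# after a UUID check so nothing else (a slash, "..", "?x") can alter the path.
est_url() {
  base=${1%/}   # EST_SERVER_BASE_URL without a trailing slash
  policy=$2     # policy ID, or "" for the default endpoints
  op=$3         # cacerts | simpleenroll | simplereenroll
  case $op in
    cacerts|simpleenroll|simplereenroll) ;;
    *) echo "est_url: unknown operation '$op'" >&2; return 1 ;;
  esac
  if [ -z "$policy" ]; then
    printf '%s/.well-known/est/%s\n' "$base" "$op"; return 0
  fi
  printf '%s' "$policy" \
    | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
    || { echo "est_url: policy ID is not a UUID: $policy" >&2; return 1; }
  printf '%s/.well-known/est/%s/%s\n' "$base" "$policy" "$op"
}

# Decode an EST response body (base64 PKCS#7, certs-only) into PEM certificates.
# The same decoder serves a GET of the cacerts URL.
est_pkcs7_to_pem() {   # $1 response file, $2 output PEM
  tr -d '\r\n' < "$1" | openssl base64 -d -A \
    | openssl pkcs7 -inform DER -print_certs -out "$2"
}

# POST /simpleenroll with HTTP basic auth: username = end entity ID, password =
# end entity password. curl verifies the server certificate by default; give it
# --cacert for a private CA rather than switching verification off. --user puts
# the password in the process list; unattended jobs should use --netrc-file.
est_simpleenroll() {   # $1 base, $2 policy|"", $3 csr.der, $4 ee-id, $5 ee-pw, $6 out.pem
  url=$(est_url "$1" "$2" simpleenroll) || return 1
  tmp=$(mktemp) || return 1
  if openssl base64 -A -in "$3" \
     | curl --fail --silent --show-error --user "$4:$5" \
         -H 'Content-Type: application/pkcs10' \
         -H 'Content-Transfer-Encoding: base64' \
         --data-binary @- -o "$tmp" "$url" \
     && est_pkcs7_to_pem "$tmp" "$6"; then rc=0; else rc=1; fi
  rm -f "$tmp"; return $rc
}
```

A typical call is `est_simpleenroll "$EST_SERVER_BASE_URL" ffc0d281-f9df-45cd-a30d-1881cd67012a csr.der "$EE_ID" "$EE_PASSWORD" issued.pem`; passing "" instead of the policy ID targets the default simpleenroll endpoint.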

References