EST

API clients are optionally associated with a default policy. MTG Certificate Lifecycle Manager Server by default, uses the default policy of the associated API client to handle certificate management. In case the API client is not associated with a default policy and the client does not specify a different policy in the request (see Section 3.1), EST server will respond with an invalid identifier error.

EST server supports specifying a different policy as the policy to be used instead of the API client’s default policy. The new policy’s ID has to be used in the requests towards EST server as described in Section 3.1.

EST server supports basic authentication (see [RFC7617]). The credentials for this type of authentication can be obtained by creating an end entity and an associated end entity password. More details can be found in End Entities Password. Configure the end entity ID of the end entity in username and the end entity password in password to execute basic authentication requests.

Per default the EST server offers the following endpoints:

Client requests to these endpoints use the default policy.

EST server provides supplementary endpoints to support requests that require a different policy. Requests towards these endpoints specify a different policy to use, rather than the default policy of the associated API client. These are the endpoints for the different policy endpoints:

The <identifier> needs to be replaced with a valid policy ID. For example to request a certificate that is issued under the policy ffc0d281-f9df-45cd-a30d-1881cd67012a use the URL: EST_SERVER_BASE_URL/.well-known/est/ffc0d281-f9df-45cd-a30d-1881cd67012a/simplereenroll.