
I'm reading about the Enrollment over Secure Transport (EST) protocol, and in the protocol it says that the EST server could authenticate a client using a client certificate, HTTP Basic Auth or OAuth 2.0. But where does the client get this client certificate? Is it given to the client by an administrator through external means (like an email)?

Patrick Mevzek
Saravana Kumar

2 Answers


There is a good explanation on Wikipedia: https://en.wikipedia.org/wiki/Enrollment_over_Secure_Transport

The basic functions of EST were designed to be easy to use and although not a REST API, it can be used in a REST-like manner using simple tools such as OpenSSL and cURL. A simple command to make initial enrollment with a pre-generated PKCS#10 Certificate Signing Request (stored as device.b64), using one of the authentication mechanisms (username:password) specified in EST is:

curl -v --cacert ManagementCA.cacert.pem --user username:password --data @device.b64 -o device-p7.b64 -H "Content-Type: application/pkcs10" -H "Content-Transfer-Encoding: base64" https://hostname.tld/.well-known/est/simpleenroll

The issued certificate, returned as a Base64-encoded PKCS#7 message, is stored as device-p7.b64.

Gabor Szelei
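As an added example (my own sketch, not code from either answer and not from any EST implementation), the client side of the exchange in the curl command above, written with the Python standard library only: it builds the /simpleenroll request for the two authentication options the question asks about (a previously installed TLS client certificate, which is presented at the TLS layer and so needs no HTTP header, or HTTP Basic with the username:password) and extracts the certificates from the Base64 PKCS#7 certs-only response. The function names and the constructed sample response are assumptions of this example; the host name and the /.well-known/est/simpleenroll path are the ones from the curl command. The DER walker understands only the degenerate SignedData layout EST uses and does not verify anything, which is why the CA certificate (--cacert above) must still be checked at the TLS layer.

```python
import base64

# Added example (not from the answer above, not an EST library): builds the
# HTTP pieces of an RFC 7030 /simpleenroll request and pulls the certificates
# out of the certs-only PKCS#7 (CMS SignedData) response. Stdlib only.

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
ID_DATA_OID = bytes.fromhex("2a864886f70d010701")      # 1.2.840.113549.1.7.1
EST_SIMPLEENROLL_PATH = "/.well-known/est/simpleenroll"  # path from the curl command


def encode_csr_body(csr_der: bytes) -> str:
    """Base64 the DER PKCS#10 CSR in 64-column lines (what device.b64 holds)."""
    s = base64.b64encode(csr_der).decode("ascii")
    return "\n".join(s[i:i + 64] for i in range(0, len(s), 64)) + "\n"


def build_simpleenroll_request(host: str, csr_der: bytes, basic_credentials=None):
    """Return (method, url, headers, body) for POST /simpleenroll.
    With a previously installed TLS client certificate, authentication happens
    in the TLS handshake and no Authorization header is sent; HTTP Basic is the
    username:password alternative (the curl --user option above)."""
    headers = {
        "Host": host,
        "Content-Type": "application/pkcs10",
        "Content-Transfer-Encoding": "base64",
        "Accept": "application/pkcs7-mime",
    }
    if basic_credentials is not None:
        user, password = basic_credentials
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    return "POST", f"https://{host}{EST_SIMPLEENROLL_PATH}", headers, encode_csr_body(csr_der)


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used here to rebuild certificates and the sample)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, off: int):
    """Decode one DER TLV at buf[off:]; returns (tag, content, next_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def children(content: bytes):
    """Split a constructed DER value into its (tag, content) members."""
    off, out = 0, []
    while off < len(content):
        tag, value, off = read_tlv(content, off)
        out.append((tag, value))
    return out


def extract_certs_from_pkcs7(body_b64: str):
    """Return the DER certificates carried in a certs-only PKCS#7 response
    (ContentInfo{signedData, [0] SignedData{..., [0] certificates, ...}})."""
    der = base64.b64decode(body_b64)  # newlines in the body are ignored by b64decode
    tag, content_info, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("response is not a single DER SEQUENCE")
    parts = children(content_info)
    if len(parts) != 2 or parts[0] != (0x06, SIGNED_DATA_OID) or parts[1][0] != 0xA0:
        raise ValueError("not a CMS SignedData ContentInfo")
    sd_tag, signed_data = children(parts[1][1])[0]
    if sd_tag != 0x30:
        raise ValueError("malformed SignedData")
    fields = children(signed_data)
    # version, digestAlgorithms, encapContentInfo, then the optional [0] certificates
    if len(fields) < 4 or fields[3][0] != 0xA0:
        raise ValueError("SignedData carries no certificates")
    return [der_tlv(t, v) for t, v in children(fields[3][1]) if t == 0x30]


def build_sample_certs_only_response(cert_ders):
    """Constructed sample, NOT a real CA response: wrap DER blobs in the same
    degenerate SignedData shape an EST server returns, then Base64 it."""
    signed_data = der_tlv(0x30, b"".join([
        der_tlv(0x02, b"\x01"),                              # version 1
        der_tlv(0x31, b""),                                  # digestAlgorithms: empty SET
        der_tlv(0x30, der_tlv(0x06, ID_DATA_OID)),           # encapContentInfo: id-data
        der_tlv(0xA0, b"".join(cert_ders)),                  # [0] certificates
        der_tlv(0x31, b""),                                  # signerInfos: empty SET
    ]))
    content_info = der_tlv(0x30, der_tlv(0x06, SIGNED_DATA_OID) + der_tlv(0xA0, signed_data))
    return base64.b64encode(content_info).decode("ascii")
```

Usage: feed `build_simpleenroll_request("hostname.tld", open("device.der", "rb").read(), ("username", "password"))` to any HTTPS client that also pins the CA (or that presents the previously installed client certificate), then pass the response body to `extract_certs_from_pkcs7` and write each returned DER blob out as the new client certificate.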

But where does the client get this client certificate?

RFC 7030 section 2.2 "Initial Enrollment" says about this:

The EST server authenticates and authorizes the EST client as specified in Sections 3.3.2, 3.3.3, and 3.7. The methods described in the normative text that are discussed in this overview include:

  • TLS with a previously issued client certificate (e.g., an existing certificate issued by the EST CA);
  • TLS with a previously installed certificate (e.g., manufacturer-installed certificate or a certificate issued by some other party);

So, it assumes that the client certificate is already installed in some secure way. It does not discuss the distribution of the client certificate used for initial authentication, but instead gives some examples of who could have installed it. Since there are usually established processes when enrolling clients (like software installation, issuing of credentials, ...), you might consider this to be part of that enrollment process.

Note that you have similar security requirements for other forms of authentication, i.e., a username and password also have to be known to the client up front and thus have to be somehow securely distributed or installed before use.

Steffen Ullrich