EST

This is an EJBCA Enterprise Edition (EE) feature.

Enrollment over Secure Transport (EST) is an X.509 certificate management protocol for public key infrastructure (PKI) clients that need to acquire client certificates and the associated certificate authority (CA) certificates.

    Introduction

    EJBCA supports the EST protocol as defined in RFC 7030 as of EJBCA version 6.11.

    EST provides a basic protocol for certificate enrollment and management similar to SCEP, with the following distinct advantages:

    • SCEP communicates over plain HTTP and protects the payload by wrapping it in a PKCS#7 cryptographic envelope; EST requests are always carried over TLS, so the transport itself provides server authentication, confidentiality and integrity.

    • EST supports ECC keys, while SCEP does not.

    • SCEP requires a shared secret (the CSR challenge password) to authenticate CSRs; in EST the client is authenticated by the TLS connection itself (a client certificate), optionally combined with HTTP Basic authentication.

    • Certificate renewal (re-enrollment) is an integral part of EST, while in SCEP it is rather an afterthought.

    • EST supports server-side key generation, which SCEP does not (server-side key generation is currently not supported in EJBCA).

    Supported Operations

    As of EJBCA 6.11, the following EST operations are supported:

    • cacerts: A GET request that returns a certs-only PKCS#7 blob containing the CA certificate (and, where applicable, its chain) of the CA configured for the given alias, that is, the CA that issues certificates through the enrollment operations. This operation requires no authentication.

    • simpleenroll: A POST request carrying a Base64-encoded PKCS#10 CSR, to be signed by the CA configured for the given alias. Depending on the alias configuration, it may require an existing client certificate for TLS client authentication and/or HTTP Basic authentication with a username and password.

    • simplereenroll: A POST request carrying a Base64-encoded PKCS#10 CSR, to be signed by the CA configured for the given alias. The client must authenticate with the certificate it was previously issued; that certificate has to be valid (to establish the TLS connection) and not revoked.

    Configuration

    Access

    The EJBCA EST implementation uses the Well-Known Uniform Resource Identifiers (URIs) definition codified in RFC 5785.

    Like SCEP and CMP, EJBCA supports using EST for multiple CAs by means of aliases. Each alias is accessible using:

    /.well-known/est/<alias>/<operation>

    When an alias with the name est is configured, it is also available over the default EST URL, which is the URL used by the estclient (see Testing):

    /.well-known/est/<operation>
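    The operations and URL layout above, shown on the wire. The following is an added example and not code from the EJBCA documentation or from libest: a minimal EST client using only the Python standard library. It builds the alias-aware paths, fetches cacerts, posts a Base64-encoded PKCS#10 body to simpleenroll with HTTP Basic authentication, re-enrolls over a TLS connection that presents the previously issued client certificate, and decodes the certs-only PKCS#7 responses with a small DER walker instead of a crypto library. Ports 8442/8443 and the estadmin/foo123 credentials are those used in the Testing and Workflow Example sections below; the host name, the file names (csr.der made with openssl, key.pem, ManagementCA.cacert.pem) and the DER helpers are assumptions for illustration.

```python
"""Minimal RFC 7030 (EST) client in plain Python: added example, not EJBCA or libest code.
Ports 8442/8443, the 'est' alias layout and the estadmin/foo123 credentials follow this page;
host name, file names and the DER helpers are assumptions for illustration."""
import base64
import http.client
import ssl

EST_BASE = "/.well-known/est"                            # RFC 5785 well-known prefix
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1

def est_path(operation, alias="est"):
    """/.well-known/est/<alias>/<operation>; the alias named 'est' lives at the default URL."""
    return f"{EST_BASE}/{operation}" if alias == "est" else f"{EST_BASE}/{alias}/{operation}"

def der_elements(buf):
    """Split concatenated DER elements into (tag, value, raw_element) triples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                                # long form: next n bytes hold the length
            n = length & 0x7F
            length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        end = pos + hdr + length
        if end > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos + hdr:end], buf[pos:end]))
        pos = end
    return out

def der_encode(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def certs_only_pkcs7(certs):
    """Degenerate PKCS#7 SignedData (no signers, no content): the shape EST responses use."""
    signed_data = (der_encode(0x02, b"\x01") + der_encode(0x31, b"")             # version, digestAlgorithms
                   + der_encode(0x30, der_encode(0x06, OID_DATA))               # encapContentInfo (id-data)
                   + der_encode(0xA0, b"".join(certs)) + der_encode(0x31, b""))  # [0] certs, signerInfos
    return der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, der_encode(0x30, signed_data)))

def certs_from_pkcs7(der):
    """Extract the DER certificates from a certs-only PKCS#7 (cacerts / enroll response body)."""
    (tag, content_info, _), = der_elements(der)
    (otag, oid, _), (ctag, content, _) = der_elements(content_info)
    if tag != 0x30 or otag != 0x06 or oid != OID_SIGNED_DATA or ctag != 0xA0:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    (_, signed_data, _), = der_elements(content)         # [0] EXPLICIT wraps the SignedData SEQUENCE
    # SignedData: version, digestAlgorithms, encapContentInfo, [0] certificates OPTIONAL, [1] crls, signerInfos
    for ftag, value, _ in der_elements(signed_data)[3:]:
        if ftag == 0xA0:
            return [raw for t, _, raw in der_elements(value) if t == 0x30]
    return []

def encode_body(der):
    """Base64 in 64-column lines, i.e. Content-Transfer-Encoding: base64 as EST bodies carry it."""
    b64 = base64.b64encode(der)
    return b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + b"\n"

def decode_body(body):
    return base64.b64decode(b"".join(body.split()))     # tolerate any line wrapping

def to_pem(cert_der):
    return "-----BEGIN CERTIFICATE-----\n" + encode_body(cert_der).decode() + "-----END CERTIFICATE-----\n"

def tls_context(ca_pem, client_cert_pem=None, client_key_pem=None):
    """Trust only the CA that issued the EJBCA TLS server cert; optionally present a client cert."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert_pem:
        ctx.load_cert_chain(client_cert_pem, client_key_pem)
    return ctx

def est_request(host, port, path, ctx, csr_der=None, basic_auth=None):
    """GET /cacerts, or POST a PKCS#10 to /simpleenroll or /simplereenroll; returns the DER certs."""
    headers, body = {"Accept": "application/pkcs7-mime"}, None
    if csr_der is not None:
        headers.update({"Content-Type": "application/pkcs10", "Content-Transfer-Encoding": "base64"})
        body = encode_body(csr_der)
    if basic_auth:
        headers["Authorization"] = "Basic " + base64.b64encode(":".join(basic_auth).encode()).decode()
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.request("POST" if body else "GET", path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    if resp.status != 200:
        raise RuntimeError(f"EST {path}: HTTP {resp.status} {resp.reason}: {data[:200]!r}")
    return certs_from_pkcs7(decode_body(data))

if __name__ == "__main__":
    host, ca = "ejbca.example.test", "ManagementCA.cacert.pem"   # assumed host; CA that issued the TLS server cert
    for i, c in enumerate(est_request(host, 8442, est_path("cacerts"), tls_context(ca))):
        open(f"cacert-{i}.pem", "w").write(to_pem(c))
    csr = open("csr.der", "rb").read()        # e.g. openssl req -new -key key.pem -subj /CN=myclient -outform DER
    cert = est_request(host, 8442, est_path("simpleenroll"), tls_context(ca), csr, ("estadmin", "foo123"))[0]
    open("cert.pem", "w").write(to_pem(cert))
    # Renewal: authenticate with the issued cert over TLS (client-cert port), never with username/password.
    # Reusing the same CSR/key only succeeds if the alias allows Certificate Renewal with Same Keys.
    renewed = est_request(host, 8443, est_path("simplereenroll"), tls_context(ca, "cert.pem", "key.pem"), csr)[0]
    open("cert-renewed.pem", "w").write(to_pem(renewed))
```

    certs_only_pkcs7 is the inverse of certs_from_pkcs7; it lets the parser be exercised offline against a blob of the same shape EJBCA returns, and it also makes visible that a certs-only response carries no signature of its own (empty signerInfos). The only thing authenticating the cacerts answer is the TLS server certificate pinned in tls_context, which is why EST_OPENSSL_CACERT for estclient and --cacert for curl matter.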

    Configuring Aliases

    [Image: EST alias configuration screen]

    The following EST alias configuration options are available:

    • Default CA: The CA that this alias issues certificates from.

    • End Entity Profile: The End Entity Profile applied to enrolling end entities. This defines the required DN and altName naming fields.

    • Certificate Profile: The Certificate Profile applied to enrolling end entities. This controls the certificate type, that is, key usage and other extensions.

    • Require Client Certificate: Specifies whether a TLS client certificate is required to enroll. The client certificate itself does not need to be known to EJBCA (if the option web.reqcertindb in conf/web.properties is set to false), but its issuing CA must be. The client certificate needs to belong to a Role with full RA rights; in other words, the holder of that certificate is trusted as an RA for this alias.

    • Client username/password: Sets a username and password that may be used to enroll. The username is given full RA rights. If a client certificate is also required, both the client certificate and the username/password are checked for initial enrollment. For renewal (re-enroll), the username and password are never required, but a client certificate always is.

    • Certificate Renewal with Same Keys: If Allow is selected, a re-enrollment request may reuse the same public key as the certificate being renewed. Note that a client certificate is always required for renewal, while a username/password is never required, regardless of the settings above.

    Testing

    Clone libest from Cisco and build it according to its instructions:

    $ cd examples/client
    $ # Via the environment, specify the CA certificate used to verify the EJBCA TLS server certificate
    $ cp <path to CA cert of the TLS server> server.pem
    $ export EST_OPENSSL_CACERT=server.pem
    $ # Where to save certs
    $ mkdir certs
    $ # Optionally get new CA certificates
    $ ./estclient -g -s <ip or hostname to EJBCA> -p 8442 -o certs --pem-output
    $ # certs should now contain a cacert-0-0.pem file
    $ # Enroll with the CA. publicCert.pem and privateKey.pem are the TLS client cert and key used for authentication; the request DN will be 'CN=myclient'.
    $ # Requests authenticated with a TLS client certificate go to the port that requests one (8443 in a default EJBCA install).
    $ ./estclient -e -s <ip or hostname to EJBCA> -p 8443 -o certs -c publicCert.pem -k privateKey.pem --pem-output --common-name myclient
    $ # certs will now contain a cert-0-0.pem and key-x-x.pem
    $ # The client cert is about to expire: re-enroll, authenticating with the current cert and key
    $ ./estclient -r -s <ip or hostname to EJBCA> -p 8443 -o certs -c certs/cert-0-0.pem -k certs/key-x-x.pem --pem-output
    $ # certs should now contain an updated cert-0-0.pem

    You can also test access to the EST URLs with curl, using the cacerts operation:

    curl https://<hostname>:8442/.well-known/est/cacerts -o cacerts.p7 --cacert ManagementCA.cacert.pem

    or, with an Apache proxy in front, if the /.well-known URL is proxied correctly:

    curl https://<hostname>/.well-known/est/cacerts -o cacerts.p7 --cacert ManagementCA.cacert.pem

    ManagementCA.cacert.pem is the root CA certificate of the chain that issued the EJBCA TLS server certificate; curl needs it (--cacert) to verify the server and establish the TLS connection. ManagementCA is the name used in a default EJBCA installation, and the certificate can be downloaded from the Admin Web or the RA Web. The downloaded cacerts.p7 is the Base64-encoded, certs-only PKCS#7 structure described under Supported Operations.

    Workflow Example

    Example enrollment, in which an RA first gets the CA certificate and then gets a client certificate using username/password authentication (the EST client acts as an RA). Next, the client performs a renewal, authenticating with the client certificate issued in the previous step.

    The EST configuration is an EST alias with the name est and the following settings:

    • Default CA: EST CA

    • End Entity Profile: EST EE Profile (with CN as the only required DN attribute)

    • Certificate Profile: Profile Default

    • Require Client Certificate: false

    • Client Username: estadmin

    • Client Password: foo123

    • Certificate Renewal with Same Keys: false

    Download the CA certificate of the CA that issued the EJBCA TLS server certificate (ManagementCA in a default installation), and set the environment variable needed for estclient:

    export EST_OPENSSL_CACERT=/tmp/ManagementCA.cacert.pem

    Run the following estclient commands to generate a key and get a certificate from the CA:

    $ mkdir certs

    # Get the CA certificate, as the "RA"
    $ ./estclient -g -s 127.0.0.1 -p 8442 -o certs --pem-output

    # Inspect the fetched CA certificate
    $ openssl x509 -in certs/cacert-0-0.pem -text -noout

    # Get a client certificate, as the "RA", authenticated with username/password
    $ ./estclient -e -s 127.0.0.1 -p 8442 -o certs -u estadmin -h foo123 --pem-output --common-name myclient

    # Inspect the fetched client certificate
    $ openssl x509 -in certs/cert-0-0.pem -text -noout

    # Re-enroll, directly by the client when the certificate is about to expire, using the old client certificate to authenticate (port 8443 is the port that requests a TLS client certificate):
    $ ./estclient -r -s 127.0.0.1 -p 8443 -o certs -c certs/cert-0-0.pem -k certs/key-x-x.pem --pem-output

    # Inspect the new, renewed client certificate
    $ openssl x509 -in certs/cert-0-0.pem -text -noout

    # Revoke the client's certificates in the Admin GUI: use Search End Entities to find the end entity and revoke its certificates.
    # Try to re-enroll again; this fails because the client certificate is revoked.
    $ ./estclient -r -s 127.0.0.1 -p 8443 -o certs -c certs/cert-0-0.pem -k certs/key-x-x.pem --pem-output

    # Enroll with an EC key. First generate the key, a prime256v1 key in this case, then use it for enrollment (-x signs the CSR with an existing private key).
    $ openssl ecparam -name prime256v1 -genkey -noout -out prime256v1-key.pem
    $ ./estclient -e -s 127.0.0.1 -p 8442 -o certs -u estadmin -h foo123 --pem-output --common-name myclient -x prime256v1-key.pem
    $ openssl x509 -in certs/cert-0-0.pem -text -noout

    # Re-enroll, also with EC, using the same key (reusing the key can be disallowed in the EST alias via Certificate Renewal with Same Keys).
    $ ./estclient -r -s 127.0.0.1 -p 8443 -o certs -c certs/cert-0-0.pem -k prime256v1-key.pem --pem-output -x prime256v1-key.pem
    $ openssl x509 -in certs/cert-0-0.pem -text -noout