EST

EST stands for Enrollment over Secure Transport. It is a certificate management protocol for Public Key Infrastructure (PKI) clients that need X.509 certificates to prove their identity; EST also lets those clients obtain the CA certificates they are expected to trust. Prerequisites and features are as follows:
  • An agent (avx_vendor_cert_est_agent) must be up and running for EST in AppViewX.
  • The EST plugin itself can listen on HTTPS or HTTP, but clients must reach it through a gateway that supports client certificate authentication: RFC 7030 requires the client connection to be TLS, and the gateway is what terminates that TLS session and authenticates the client.
  • It is highly recommended to keep the 'Approval Required' flag OFF in the Menu > Inventory > Certificate > Policy page: EST enrollment is designed to complete without human intervention, and a manual approval step would hold up the client's request.
  • A valid agent setting must be configured in Menu > Inventory > Certificate > Settings.

The Enrollment over Secure Transport protocol, or EST, is a certificate management protocol that automates the issuance and provisioning of X.509 certificates. The protocol is defined in RFC 7030 (published in 2013) and was developed for clients that use public key infrastructure (PKI), such as web servers, applications, and endpoint devices.

The protocol lets PKI clients request certificates from trusted certificate authorities (CAs) and receive them over HTTPS without any human intervention. Authentication runs both ways: the server proves its identity with its TLS server certificate, and the client proves its identity with a TLS client certificate or, where the server allows it, HTTP Basic credentials sent over the TLS session.

What is the Purpose of EST?

The main goal of EST is to simplify and secure certificate enrollment. By automating the process, EST helps ensure certificates are correctly configured and deployed at scale. Removing human intervention reduces the risk of misconfiguration and, in turn, the likelihood of outages and security compromises. Automating enrollment also frees up time for PKI personnel who would otherwise spend it perpetually getting certificates issued and provisioned.

How does EST work?

In an enterprise PKI setup, the EST server sits between a client and a certificate authority (CA) and plays the role of a traditional Registration Authority (RA): it receives a certificate signing request (CSR) from a client, authenticates and authorizes the client, forwards the request to the corresponding CA, gets the certificate issued, and finally provisions it to the client.
The EST communication between a client and a certificate authority happens as follows:
  1. The client opens a TLS connection to the EST server. The server responds by presenting its TLS server certificate.
  2. The client verifies that certificate against its configured trust anchor to confirm it is talking to the legitimate server. Next, it requests the CA certificates from the server (the /cacerts operation in RFC 7030) and verifies the returned chain, including any intermediate certificates that lie between the root and the issuing EST CA, and stores the root certificate as its trust anchor.
  3. The client generates a key pair and a CSR and sends the CSR to the server (the /simpleenroll operation; /simplereenroll for renewal), authenticating itself with a TLS client certificate or HTTP Basic credentials. The private key never leaves the client.
  4. The EST server forwards the CSR to the CA and receives a new certificate. It then sends the newly signed certificate back to the client as a PKCS#7 certs-only response, and the client checks that it chains to the CA certificates obtained in step 2.
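The four-step exchange above, with both sides' messages, as an added example that is not part of the original page or of AppViewX's own code. It is self-contained Go using only the standard library: an in-process EST server behind a TLS listener (httptest supplies the server's TLS certificate, standing in for the gateway), an RA handler that authenticates the client and issues certificates, and a client that pins the /cacerts response, generates its own key and CSR, posts to /simpleenroll, and checks that the returned certificate chains to the advertised CA and is bound to its own key. Everything specific is constructed for the demo and is an assumption, not something the page states: the CA name "Demo EST CA", the device identity "device-0001", the bootstrap HTTP Basic credential, and the simplification that the RA signs with the CA key directly instead of forwarding the CSR to a separate CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// RFC 7030 carries certificates as base64-encoded PKCS#7 "certs-only"
// SignedData (no digests, no signers); these structs model exactly that.
var oidSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
var oidData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}

type signedData struct {
	Version          int
	DigestAlgorithms []asn1.RawValue `asn1:"set"`
	EncapContentInfo struct{ ContentType asn1.ObjectIdentifier }
	Certificates     []asn1.RawValue `asn1:"tag:0,optional,set"`
	SignerInfos      []asn1.RawValue `asn1:"set"`
}
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     signedData `asn1:"explicit,tag:0"`
}

func certsOnlyPKCS7(certs ...*x509.Certificate) string {
	sd := signedData{Version: 1, DigestAlgorithms: []asn1.RawValue{}, SignerInfos: []asn1.RawValue{}}
	sd.EncapContentInfo.ContentType = oidData
	for _, c := range certs {
		sd.Certificates = append(sd.Certificates, asn1.RawValue{FullBytes: c.Raw})
	}
	der, err := asn1.Marshal(contentInfo{ContentType: oidSignedData, Content: sd})
	if err != nil { panic(err) }
	return base64.StdEncoding.EncodeToString(der)
}

func parseCertsOnlyPKCS7(b64 string) ([]*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil { return nil, err }
	var ci contentInfo
	if _, err = asn1.Unmarshal(der, &ci); err != nil || !ci.ContentType.Equal(oidSignedData) {
		return nil, fmt.Errorf("not a certs-only PKCS#7: %v", err)
	}
	var certs []*x509.Certificate
	for _, rv := range ci.Content.Certificates {
		c, err := x509.ParseCertificate(rv.FullBytes)
		if err != nil { return nil, err }
		certs = append(certs, c)
	}
	return certs, nil
}

// estServer is the RA side. httptest terminates TLS in front of it. The RA
// authenticates clients with a bootstrap HTTP Basic credential (demo
// assumption; a TLS client certificate is the other RFC 7030 option) and,
// as a simplification, signs with the CA key itself instead of forwarding.
func estServer(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, user, pass string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/pkcs7-mime; smime-type=certs-only")
		w.Header().Set("Content-Transfer-Encoding", "base64")
		if r.URL.Path == "/.well-known/est/cacerts" { // step 2: trust anchors, no client auth
			io.WriteString(w, certsOnlyPKCS7(caCert))
			return
		}
		if r.URL.Path != "/.well-known/est/simpleenroll" || r.Method != http.MethodPost {
			http.NotFound(w, r)
			return
		}
		if u, p, ok := r.BasicAuth(); !ok || u != user || p != pass { // RA validates the client
			http.Error(w, "client not authenticated", http.StatusUnauthorized)
			return
		}
		body, _ := io.ReadAll(r.Body)
		csrDER, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(body)))
		csr, perr := x509.ParseCertificateRequest(csrDER)
		if err != nil || perr != nil || csr.CheckSignature() != nil { // proof of possession
			http.Error(w, "bad CSR", http.StatusBadRequest)
			return
		}
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
			NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
		if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError); return }
		cert, _ := x509.ParseCertificate(der)
		io.WriteString(w, certsOnlyPKCS7(cert)) // step 4: issued certificate goes back
	}
}

// estEnroll is the client side. client must trust only the EST server's TLS
// issuer (step 1); httptest's Client() is configured exactly that way.
func estEnroll(client *http.Client, base, user, pass, cn string) (*x509.Certificate, error) {
	resp, err := client.Get(base + "/.well-known/est/cacerts")
	if err != nil { return nil, err }
	body, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	cas, err := parseCertsOnlyPKCS7(string(body))
	if err != nil || len(cas) == 0 { return nil, fmt.Errorf("cacerts: %v", err) }
	roots := x509.NewCertPool() // step 2: the advertised issuers become the trust anchors
	for _, c := range cas {
		if !c.IsCA { return nil, fmt.Errorf("cacerts contains a non-CA certificate") }
		roots.AddCert(c)
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // step 3: key never leaves the client
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil { return nil, err }
	req, _ := http.NewRequest(http.MethodPost, base+"/.well-known/est/simpleenroll", strings.NewReader(base64.StdEncoding.EncodeToString(csrDER)))
	req.Header.Set("Content-Type", "application/pkcs10")
	req.Header.Set("Content-Transfer-Encoding", "base64")
	req.SetBasicAuth(user, pass)
	if resp, err = client.Do(req); err != nil { return nil, err }
	body, _ = io.ReadAll(resp.Body)
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return nil, fmt.Errorf("simpleenroll: HTTP %d", resp.StatusCode) }
	certs, err := parseCertsOnlyPKCS7(string(body)) // step 4: validate what came back
	if err != nil || len(certs) != 1 { return nil, fmt.Errorf("simpleenroll: %v", err) }
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err = certs[0].Verify(opts); err != nil { return nil, fmt.Errorf("issued cert does not chain to cacerts: %v", err) }
	if !key.PublicKey.Equal(certs[0].PublicKey) { return nil, fmt.Errorf("issued cert is for a different key") }
	return certs[0], nil
}

// runDemo builds a throwaway CA, starts the TLS EST server, and enrolls
// "device-0001" with the given credential (the valid one is "bootstrap-secret").
func runDemo(user, pass string) (*x509.Certificate, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo EST CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	srv := httptest.NewTLSServer(estServer(caKey, caCert, "device-0001", "bootstrap-secret"))
	defer srv.Close()
	return estEnroll(srv.Client(), srv.URL, user, pass, "device-0001")
}

func main() {
	cert, err := runDemo("device-0001", "bootstrap-secret")
	if err != nil { panic(err) }
	fmt.Printf("enrolled %q, issued by %q\n", cert.Subject.CommonName, cert.Issuer.CommonName)
}
```

Run it with go run; it prints the enrolled subject and issuer. The point to take from the client side is that it never accepts what /simpleenroll returns blindly: it verifies the chain against the /cacerts pool fetched over the authenticated TLS channel and refuses a certificate bound to a different key, which is what turns "received a certificate" into "received my certificate from the expected CA". On the server side, the RA rejects a CSR whose self-signature fails, so a caller cannot enroll a public key it does not hold the private key for, and it answers /simpleenroll only after the bootstrap credential check, whereas /cacerts is deliberately unauthenticated because it carries only public trust anchors.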

Advantages of using EST

EST is an auto-enrollment protocol that offers enrollment, re-enrollment, server-side key generation, and distribution of CA certificates. Because these operations are standardized in RFC 7030, a client built to the protocol interoperates with any EST-compliant server rather than being tied to one vendor's enrollment interface.

What's Next?