EST Micro CA (Standalone Server)

Overview

Micro CA is a standalone, lightweight Certificate Authority (CA) solution purpose-built for environments where traditional enterprise-grade CAs may be too heavy, complex, or resource-intensive. It is particularly suited for IoT devices, edge computing deployments, and distributed systems that require secure communication and identity verification but operate under resource or connectivity constraints.

Key Features

  • EST Protocol: Operates entirely on the Enrollment over Secure Transport (EST) protocol for seamless certificate issuance and renewal.
  • Intermediate CA: Functions as an intermediate CA, deriving its trust from a central Root CA via the AppViewX PKI-as-a-Service (PKIaaS) platform.
  • Offline Capability: Ability to issue certificates entirely offline.
  • Visibility & Traceability: Provides comprehensive visibility and traceability of all issued certificates, ensuring compliance and audit readiness.

Need for Micro CA

Micro CA is designed for optimal performance in environments with limited resources, offering robust and secure certificate management.

  • Optimized for Constrained Environments: Operates reliably on systems with 2GB RAM and 32GB storage, with a software footprint under 200MB.
  • Secure Key Management: Utilizes PKCS#11 for secure key generation and signing through TPM (Trusted Platform Module) or HSM.
  • Offline & Remote Ready: Supports manual provisioning of the intermediate CA and full certificate issuance, even in offline mode.
  • Azure IoT Integration: Automatically updates certificate thumbprints and metadata in Azure IoT Hub.
  • Lightweight EST Client: Features a custom Go-based client that provides full EST functionality with minimal resource consumption.

Micro CA Architecture

Table 1. Architecture key points explained

Key Point 1: The EST Standalone server generates a key pair using the TPM module and initiates a certificate enrollment request to the AppViewX EST Server via the EST protocol, utilizing mTLS authentication. The Certificate Signing Request (CSR) is generated based on configurable parameters from the configuration file.

Key Point 2: AppViewX processes this request and issues an Intermediate CA certificate, leveraging a Sub-CA template configured in the PKIaaS Native CA. Upon reception, the EST Standalone server uses this Intermediate CA certificate to sign CSRs and locally issue certificates for devices or subordinate CAs.

Key Point 3: Similarly, device certificate CSRs are generated and issued via AppViewX PKIaaS with a template for unlimited validity (31/12/9999) and stored on the device for various device-related use cases.

Key Point 4: The EST Standalone Server supports three configurable endpoints, each of which can be exposed on a customizable port. Key certificate attributes such as Extended Key Usage, Key Usage, Path Length Constraint, isCA flag, and Azure IoT Hub settings are defined through two configuration files. When an IoT device initiates a certificate request to the EST Standalone Server (Micro CA), it is authenticated via mTLS. The EST Standalone Server then signs the CSR using its Intermediate CA and issues the device certificate.

Key Points 5-8: After issuance, the certificate thumbprint and relevant metadata are calculated and forwarded to the Cloud Connector (CC). The CC, using Managed Identity authentication, updates the Azure IoT Hub. The Micro CA also offers the option to directly update Azure IoT without routing through AppViewX.
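The issuance chain in Table 1 (root issues the Micro CA's intermediate from a CSR, the Micro CA then signs device CSRs locally, and a thumbprint is computed for IoT Hub) can be walked through with Go's standard crypto/x509 package. The program below is an added illustration, not AppViewX code and not the Micro CA's EST client: it assumes in-memory P-256 keys in place of the TPM/PKCS#11 key pair, a constructed self-signed root standing in for the PKIaaS Root CA, constructed subject names, and an SHA-1 hex thumbprint as the value forwarded for Azure IoT Hub registration. Validity periods and the three policy profiles ("root", "subca", "device") are assumptions chosen to mirror the isCA, Path Length Constraint, Key Usage and Extended Key Usage attributes the table says are driven by configuration. The point worth noticing is that the issuer copies only the subject and public key out of the CSR after checking its proof-of-possession signature; every trust-relevant attribute comes from the issuer's policy, never from the requester.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Chain is the hierarchy of Table 1: PKIaaS root -> Micro CA intermediate -> device certificate.
// MicroKey is kept only so the Micro CA can keep signing after the chain is built.
type Chain struct {
	Root, Intermediate, Device *x509.Certificate
	MicroKey                   *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey stands in for the TPM-backed PKCS#11 key pair; here it is an in-memory P-256 key (assumption).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// serial returns a random positive serial number below 2^127 (unpredictable serials, as RFC 5280 advises).
func serial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	return s
}

// makeCSR builds the PKCS#10 request an enrolling party would send in an EST simpleenroll call.
func makeCSR(key *ecdsa.PrivateKey, cn string) *x509.CertificateRequest {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	check(err)
	csr, err := x509.ParseCertificateRequest(der)
	check(err)
	return csr
}

// signCSR is the issuance step. It verifies the CSR's proof-of-possession signature, then takes
// only the subject and public key from the request; isCA, path length, key usage and EKU come
// from the issuer's profile (the configuration files in Table 1), never from the requester.
// A nil issuer means self-sign (used for the constructed root).
func signCSR(csr *x509.CertificateRequest, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, profile string) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof-of-possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: csr.Subject,
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true,
	}
	switch profile {
	case "root": // trust anchor: may issue sub-CAs, no path length limit
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		tmpl.NotAfter = time.Now().AddDate(10, 0, 0)
	case "subca": // Micro CA profile: may sign end-entity certificates but no further CAs (pathLen 0)
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = 0, true
		tmpl.NotAfter = time.Now().AddDate(5, 0, 0)
	case "device": // IoT device profile: mTLS client certificate only, explicitly not a CA
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	default:
		return nil, fmt.Errorf("unknown profile %q", profile)
	}
	if issuer == nil {
		issuer = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, csr.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// thumbprintSHA1 returns the upper-case hex SHA-1 fingerprint of the DER certificate, the
// value assumed here to be what is forwarded for Azure IoT Hub thumbprint registration.
func thumbprintSHA1(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// verifyDevice checks that the device certificate chains to the root through the
// intermediate (respecting its pathLen 0) and is acceptable for client authentication.
func verifyDevice(ch Chain) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ch.Root)
	inters.AddCert(ch.Intermediate)
	_, err := ch.Device.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// buildChain walks Key Points 1-4: the root issues the Micro CA's intermediate from its CSR,
// then the Micro CA signs a device CSR locally with that intermediate.
func buildChain() (Chain, error) {
	rootKey, microKey := newKey(), newKey()
	root, err := signCSR(makeCSR(rootKey, "Constructed PKIaaS Root CA"), nil, rootKey, "root")
	if err != nil {
		return Chain{}, err
	}
	inter, err := signCSR(makeCSR(microKey, "Constructed Micro CA"), root, rootKey, "subca")
	if err != nil {
		return Chain{}, err
	}
	dev, err := signCSR(makeCSR(newKey(), "device-0001"), inter, microKey, "device")
	if err != nil {
		return Chain{}, err
	}
	return Chain{Root: root, Intermediate: inter, Device: dev, MicroKey: microKey}, nil
}

func main() {
	ch, err := buildChain()
	check(err)
	fmt.Println("device chain verifies:", verifyDevice(ch) == nil)
	fmt.Println("device thumbprint (SHA-1):", thumbprintSHA1(ch.Device))
}
```

Because the intermediate carries pathLen 0, a device that somehow obtained a certificate with isCA set could not be used to mint further certificates that verify against the root; `verifyDevice` enforces exactly the chain and key usage an mTLS endpoint would check. A CSR whose signature does not verify is refused before any certificate is built.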