Enrolment over Secure Transport Protocol (EST)
Enrolment over Secure Transport (EST) is a protocol for automating X.509 certificate issuance to public key infrastructure (PKI) clients: web servers, endpoint devices, user identities and anywhere else PKI certificates are used. It covers both issuing the client's own certificate and distributing the associated CA certificates from a trusted Certificate Authority (CA).
The EST protocol standardizes an authenticated request and response exchange with the CA, so IT teams can deploy certificates on systems and devices more securely, faster and with less effort than manually communicating the required information.
EST is inherently secure: it defines its own secure transport rather than leaving transport security open to interpretation or to other standards. All client and server requests are communicated over TLS, so the messages do not need to be separately authenticated by encoding them.
The EST enrolment service standardizes interoperable, secure information exchange between a client and a CA for the issuance of a certificate.
In a PKI architecture, the EST service sits between the client and the CA and performs several functions assigned to the Registration Authority (RA) role: the RA validates whether an EST client should receive the certificate it has requested, passes the request to the CA and returns the issued certificate to the client. The client communicates with an EST server, which listens for requests on a standard URL path.
The EST enrolment process simplifies setting up automatic certificate issuance from a trusted CA. The general client/server flow is:
- The client initiates a TLS-secured HTTP session with an EST server and validates the certificate presented by the server.
- The client requests the chain of trust from the server and verifies it, including any intermediate certificates between the root and the EST CA, and stores the root certificate.
- The client generates a key pair and a PKCS#10 certificate signing request (CSR) and sends it to the server.
- The EST server requests the certificate from the CA, receives it and returns the signed certificate to the client.
Authentication Types
- A certification profile used to create a certificate via EST contains an ADSS connector. Web RA communicates with the ADSS Server using the EST APIs provided by the ADSS Server.
- The EST protocol provides three types of authentication for processing an EST request:
- HTTP Basic Authentication - User name and password (the client passes the user name and password of an ADSS Web RA user for authentication).
- TLS Client Authentication - A certificate is used to authenticate the client. For TLS certificate identification, the certificate in the request is validated against the certificate present in the Enterprise Device CA.
- HTTP Basic Authentication and TLS Client Authentication - The client is first identified on the basis of its client certificate; after that client authentication, the basic authentication mechanism is used to authenticate the request.
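As an added example (not Ascertia's code and not part of this page), both halves of steps 3 and 4 of the flow above in Go using only the standard library: the client builds a key pair, a PKCS#10 CSR and the POST to /.well-known/est/simpleenroll with HTTP Basic Authentication, and the RA/server side checks the credential, checks the CSR signature (proof of possession of the private key) and has a constructed self-signed CA issue the certificate. The credential device01/s3cret, the CA name and the URL base are made up, and the response is simplified to bare base64 DER instead of the PKCS#7 wrapper RFC 7030 specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"io"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// Constructed CA (made up for this example): a self-signed "Example Device CA" to which the RA forwards approved requests.
var (
	caKey, _  = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl    = &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _  = x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ = x509.ParseCertificate(caDER)
)

// pkcs10Request is the client half of step 3: a fresh key pair, a PKCS#10 CSR for cn, and the POST that carries it.
func pkcs10Request(base, cn, user, pass string) *http.Request {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	req, _ := http.NewRequest(http.MethodPost, base+"/.well-known/est/simpleenroll", strings.NewReader(base64.StdEncoding.EncodeToString(csr)))
	req.Header.Set("Content-Type", "application/pkcs10")
	req.SetBasicAuth(user, pass) // HTTP Basic Authentication, the first of the three mechanisms above
	return req
}

// simpleEnroll is the RA/server half: the Basic credential is the RA's "may this client enrol?" decision, the CSR signature proves possession of the new private key, then the CA signs.
func simpleEnroll(w http.ResponseWriter, r *http.Request) {
	if u, p, ok := r.BasicAuth(); !ok || u != "device01" || p != "s3cret" { // credential made up for the example
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	der, _ := io.ReadAll(base64.NewDecoder(base64.StdEncoding, r.Body))
	csr, err := x509.ParseCertificateRequest(der)
	if r.Header.Get("Content-Type") != "application/pkcs10" || err != nil || csr.CheckSignature() != nil {
		http.Error(w, "bad PKCS#10", http.StatusBadRequest)
		return
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	cert, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, csr.PublicKey, caKey)
	w.Write([]byte(base64.StdEncoding.EncodeToString(cert))) // simplification: RFC 7030 wraps this in application/pkcs7-mime
}
```

In a deployment the handler is served over TLS only (for example with http.ListenAndServeTLS), and the TLS Client Authentication mechanism would be checked from r.TLS.PeerCertificates before the Basic credential is consulted.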
Field | Description
Enable Enrolment over Secure Transport Protocol (EST) | Tick this checkbox to enable the EST protocol
ADSS CA Server | The ADSS connector used to get the CA certificates
EST Authentication Mechanism | Options: HTTP Basic Authentication, TLS Client Authentication
EST SSL URL | The EST server URL that a client uses when sending a request