Using EST for IOT Certificates
Andreas Schwier | 28 Sep 2022
Enrollment over Secure Transport (EST) is an automatic certificate enrollment protocol defined in RFC 7030. It covers both the initial enrollment of an X.509 certificate and later certificate renewal. The beauty of EST is that it uses plain PKCS#10 and PKCS#7 objects, transmitted over HTTPS with TLS client authentication.
The PKI-as-a-Service Portal supports the EST protocol, allowing your trust center setup to respond to EST certification requests from your IOT devices. Of course, EST is not limited to IOT; you can use the protocol to enroll certificates for any system or person.
If you already use certificate-based authentication, adding EST is very straightforward. You only need the EST URL, a PKCS#10 certificate request, and a way to send it to the server. The server responds with a PKCS#7 container that holds the issued certificate.
EST supports three main operations: retrieval of the CA certificates (cacerts), initial enrollment (simpleenroll) and certificate renewal (simplereenroll). While cacerts is an HTTP GET operation, simpleenroll and simplereenroll are HTTP POST operations. The latter two pass the certification request in PKCS#10 format to the CA.
The protocol allows delayed issuance of certificates, so the process may take two interactions: submitting the request and, later, obtaining the issued certificate. This is controlled by the EST server, which responds with HTTP code 206 and a Retry-After header specifying the expected time required to issue the certificate. A client can automatically query for the resulting certificate once the delay given in Retry-After has expired.
While EST allows other means of authentication, the EST server in the PKI-as-a-Service Portal accepts only certificate-based TLS client authentication. This applies both to retrieving the CA certificates and to initial enrollment; for re-enrollment the existing certificate must be used anyway. In the EST configuration of your trust center you define which CA you trust to have issued the certificate presented during initial enrollment. This could, for example, be a manufacturer CA that issues a device certificate.
Of course this creates a chicken-and-egg problem: you always need a bootstrap PKI, even for the first certificate. Typically you use a fixed bootstrap key, for example embedded in your firmware image, to authenticate the first enrollment, and then replace that key with a device-specific key and certificate. Because a bootstrap key shared by every device running the same firmware is only as secret as the firmware itself, the bootstrap credential should be trusted for initial enrollment only, with the device-specific certificate used for everything afterwards.
The sandbox at test.pki-as-a-service.net has an instance of the OpenSCDP Test PKI configured to provide an EST service. You can use it to try out the EST protocol and get a feeling for how it works.
We’ve prepared a couple of scripts using libest and curl to interact with the EST server.
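As an added illustration of the flow described above (bootstrap credential, cacerts, simpleenroll with Retry-After polling, then simplereenroll with the device's own certificate), here is a small POSIX shell client built on openssl and curl. It is example code written for this page, not one of the scripts prepared by the author and not part of the PKI-as-a-Service Portal. The host name `est.example.invalid`, the optional path label, the file names and the bootstrap credential paths are placeholders and must be replaced with the values of your own trust center; the EST path layout `/.well-known/est/[label]/<operation>` and the base64-encoded PKCS#10/PKCS#7 bodies follow RFC 7030. Delayed issuance is detected by the presence of a Retry-After header rather than by a fixed status code, so the client works whatever pending status the server sends.

```shell
#!/bin/sh
# Added example (not from the original post or the PKI-as-a-Service Portal):
# a minimal EST client in POSIX sh around openssl and curl.
# All host names, labels and file names below are placeholders.

EST_HOST="${EST_HOST:-est.example.invalid}"   # placeholder EST server
EST_LABEL="${EST_LABEL:-}"                    # optional CA label in the path (RFC 7030, 3.2.2)
EST_CACERT="${EST_CACERT:-est-tls-ca.pem}"    # CA that issued the EST server's TLS certificate
BOOT_CERT="${BOOT_CERT:-bootstrap.pem}"       # bootstrap (e.g. manufacturer) client certificate
BOOT_KEY="${BOOT_KEY:-bootstrap.key}"         # its private key
DEVICE_CN="${DEVICE_CN:-device-0001}"         # constructed subject name for the new certificate
DEFAULT_RETRY=30                              # used when Retry-After carries a date, not seconds

# Build the URL of an EST operation: cacerts, simpleenroll or simplereenroll.
est_url() {
  if [ -n "$EST_LABEL" ]; then
    printf 'https://%s/.well-known/est/%s/%s\n' "$EST_HOST" "$EST_LABEL" "$1"
  else
    printf 'https://%s/.well-known/est/%s\n' "$EST_HOST" "$1"
  fi
}

# HTTP status of the last response in a header dump written by curl -D.
http_status() {
  sed -n 's#^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*#\1#p' "$1" | tail -n 1
}

# Retry-After in seconds from a header dump: 0 when the header is absent,
# DEFAULT_RETRY when it is present but given as an HTTP date.
retry_after_seconds() {
  if grep -qi '^Retry-After:' "$1"; then
    secs=$(sed -n 's/^[Rr]etry-[Aa]fter:[[:space:]]*\([0-9][0-9]*\)[^0-9]*$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${secs:-$DEFAULT_RETRY}"
  else
    printf '0\n'
  fi
}

# Generate a key pair (written to $1) and a PKCS#10 request; EST expects the
# DER-encoded request base64-encoded in the POST body.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" \
    -subj "/CN=$DEVICE_CN" -outform DER -out device.csr.der
  base64 device.csr.der > device.csr.b64
}

# POST the request with TLS client authentication ($2 = cert, $3 = key) and
# decode the PKCS#7 answer into PEM. Returns 2 while issuance is still pending.
est_post() {
  op="$1"; cert="$2"; key="$3"
  curl -sS --cacert "$EST_CACERT" --cert "$cert" --key "$key" \
    -H 'Content-Type: application/pkcs10' \
    -H 'Content-Transfer-Encoding: base64' \
    --data-binary @device.csr.b64 -D headers.txt -o response.b64 "$(est_url "$op")"
  status=$(http_status headers.txt)
  wait_s=$(retry_after_seconds headers.txt)
  if [ "$wait_s" -gt 0 ]; then
    echo "CA deferred issuance (HTTP $status); retry after ${wait_s}s" >&2
    return 2
  fi
  [ "$status" = "200" ] || { echo "EST $op failed: HTTP $status" >&2; return 1; }
  tr -d '\r' < response.b64 | base64 -d | openssl pkcs7 -inform DER -print_certs -out device.pem
}

# Initial enrollment: fetch the CA certificates and enroll with the bootstrap
# credential, polling as long as the server asks us to wait.
est_enroll() {
  curl -sS --cacert "$EST_CACERT" --cert "$BOOT_CERT" --key "$BOOT_KEY" \
    -o cacerts.b64 "$(est_url cacerts)"
  tr -d '\r' < cacerts.b64 | base64 -d | openssl pkcs7 -inform DER -print_certs -out cacerts.pem
  make_csr device.key
  while :; do
    est_post simpleenroll "$BOOT_CERT" "$BOOT_KEY"
    rc=$?
    [ "$rc" -eq 0 ] && break
    [ "$rc" -eq 2 ] || return "$rc"
    sleep "$(retry_after_seconds headers.txt)"   # resubmit the same request after the delay
  done
  echo "enrolled; device certificate written to device.pem" >&2
}

# Renewal: the device certificate itself is now the TLS client credential, and
# the bootstrap key is no longer needed.
est_renew() {
  make_csr device-new.key
  est_post simplereenroll device.pem device.key
}

case "${1:-}" in
  enroll) est_enroll ;;
  renew)  est_renew ;;
esac
```

Run it as `sh est-client.sh enroll` for the first certificate and `sh est-client.sh renew` later; with no argument it only defines the functions. The renewal step deliberately generates a fresh key pair so that the key being replaced is used for the TLS handshake only.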