
EST Protocol

Chris Zinda edited this page Mar 6, 2026 · 1 revision

EST Protocol (RFC 7030)

This page covers the Enrollment over Secure Transport (EST) implementation in the lab. EST provides a simple, standards-based method for certificate enrollment, re-enrollment, and CA certificate retrieval.

Overview

The lab implements EST as defined in RFC 7030. EST Registration Authorities (RAs) are deployed as lightweight standalone containers that proxy enrollment requests to the Intermediate CA. They have no local CA subsystem, no signing keys, and no LDAP backend.

Architecture

┌──────────────────┐         ┌─────────────────────────┐
│   EST Client     │  HTTPS  │   EST RA Container      │
│  (IoT Device /   │────────>│   pki-server create     │
│   lab est-enroll)│         │   DogtagRABackend       │
└──────────────────┘         └────────────┬────────────┘
                                          │
                                          │ REST API (proxy)
                                          ▼
                             ┌─────────────────────────┐
                             │   Intermediate CA       │
                             │   (Full Dogtag CA with  │
                             │    389 DS + pkispawn)   │
                             └─────────────────────────┘

Key design points:

  • EST RAs use pki-server create (not pkispawn) -- no CA subsystem installed
  • DogtagRABackend forwards enrollment requests to the Intermediate CA REST API
  • TLS certificates for the RA containers are signed by the Intermediate CA using the caServerCert profile
  • All certificates issued via EST are managed by the Intermediate CA -- revocation targets the Intermediate CA container, not the EST RA
  • No LDAP backend is needed for the RA

Multi-PKI EST Endpoints

Each PKI hierarchy has its own EST RA on a dedicated port:

PKI Type     Container           Port   Network
---------    -----------------   ----   -------------
RSA-4096     dogtag-est-ca       8447   172.26.0.0/24
ECC P-384    dogtag-ecc-est-ca   8466   172.28.0.0/24
ML-DSA-87    dogtag-pq-est-ca    8456   172.27.0.0/24

EST Endpoints

All endpoints follow the /.well-known/est/ URI prefix as defined in RFC 7030.

RSA-4096 (Port 8447)

Operation          URL
----------------   --------------------------------------------------------------
CA Certs           https://est-ca.cert-lab.local:8447/.well-known/est/cacerts
Simple Enroll      https://est-ca.cert-lab.local:8447/.well-known/est/simpleenroll
Simple Re-enroll   https://est-ca.cert-lab.local:8447/.well-known/est/simplereenroll

ECC P-384 (Port 8466)

Operation          URL
----------------   ------------------------------------------------------------------
CA Certs           https://ecc-est-ca.cert-lab.local:8466/.well-known/est/cacerts
Simple Enroll      https://ecc-est-ca.cert-lab.local:8466/.well-known/est/simpleenroll
Simple Re-enroll   https://ecc-est-ca.cert-lab.local:8466/.well-known/est/simplereenroll

ML-DSA-87 (Port 8456)

Operation          URL
----------------   -----------------------------------------------------------------
CA Certs           https://pq-est-ca.cert-lab.local:8456/.well-known/est/cacerts
Simple Enroll      https://pq-est-ca.cert-lab.local:8456/.well-known/est/simpleenroll
Simple Re-enroll   https://pq-est-ca.cert-lab.local:8456/.well-known/est/simplereenroll

CLI Commands

Get CA Certificates

Retrieve the CA certificate chain from the EST endpoint:

# RSA PKI (default)
lab est-cacerts

# ECC PKI
lab est-cacerts --pki-type ecc

# Post-quantum PKI
lab est-cacerts --pki-type pqc

Enroll for a Certificate

Request a new certificate via EST simple enrollment:

# Enroll with RSA PKI
lab est-enroll --cn device01.cert-lab.local --pki-type rsa

# Enroll with ECC PKI
lab est-enroll --cn device01.cert-lab.local --pki-type ecc

# Enroll with post-quantum PKI
lab est-enroll --cn device01.cert-lab.local --pki-type pqc

Re-enroll (Certificate Renewal)

Renew an existing certificate using the current certificate for authentication:

lab est-reenroll --cn device01.cert-lab.local --pki-type rsa

EST Enrollment Flow

1. Client generates private key
2. Client creates CSR (PKCS#10)
3. Client sends CSR to EST RA via HTTPS POST to /simpleenroll
4. EST RA validates the request
5. EST RA forwards CSR to Intermediate CA via REST API
6. Intermediate CA signs the certificate
7. EST RA returns PKCS#7 response (CMS/application/pkcs7-mime)
8. Client extracts certificate from PKCS#7 envelope

PKCS#7 Response Handling

EST endpoints return certificates wrapped in PKCS#7 (CMS) format as required by RFC 7030. The lab CLI handles the PKCS#7 extraction automatically. For manual processing:

# Extract certificate from PKCS#7 DER response
openssl pkcs7 -inform DER -in response.p7b -print_certs -out cert.pem

# Or from base64-encoded PKCS#7
openssl pkcs7 -inform PEM -in response.p7b -print_certs -out cert.pem

# Verify the extracted certificate
openssl x509 -in cert.pem -noout -subject -issuer -serial

The serial number from the extracted certificate can be used for status checks and revocation. Remember that serial numbers need the 0x prefix when used with the Dogtag REST API or pki-cli.py.

IoT Client EST-First Enrollment

The IoT Client container uses an EST-first enrollment strategy:

  1. Attempt certificate enrollment via EST (/.well-known/est/simpleenroll)
  2. If EST is unavailable, fall back to Dogtag REST API direct enrollment
  3. Store the certificate and private key for device identity

This strategy ensures IoT devices can obtain certificates even if the EST RA is temporarily unavailable, while preferring the standards-based EST protocol when available.

IoT Client
    │
    ├──(1) Try EST simpleenroll ──> EST RA ──> Intermediate CA
    │        ↓ (if unavailable)
    └──(2) Fall back to REST API ──> IoT CA (direct)

Revocation of EST-Issued Certificates

Since EST-issued certificates are managed by the Intermediate CA, revocation must target the Intermediate CA -- not the EST RA container:

# Revoke an EST-issued certificate
./scripts/pki-cli.py revoke 0x1a2b3c --ca intermediate --reason key_compromise

# Verify revocation
./scripts/pki-cli.py status 0x1a2b3c --ca intermediate

In automated event-driven revocation, the EDA rulebook routes EST-related events to the Intermediate CA by setting ca_level: "intermediate" in the rule's extra_vars. See Certificate Revocation for details.

Manual EST Request with curl

# Get CA certificates (RFC 7030 sends the PKCS#7 body base64-encoded)
curl -sk https://est-ca.cert-lab.local:8447/.well-known/est/cacerts \
  -o cacerts.p7b

# Simple enrollment (submit a PKCS#10 CSR)
curl -sk https://est-ca.cert-lab.local:8447/.well-known/est/simpleenroll \
  -X POST \
  -H "Content-Type: application/pkcs10" \
  -H "Content-Transfer-Encoding: base64" \
  --data-binary @request.csr.b64 \
  -o cert.p7b

# Decode the PKCS#7 response
openssl pkcs7 -inform DER -in cert.p7b -print_certs -out cert.pem

# If the saved body is bare base64 (no -----BEGIN PKCS7----- lines),
# strip the base64 layer first and then parse it as DER:
base64 -d cert.p7b | openssl pkcs7 -inform DER -print_certs -out cert.pem

# -k disables TLS verification and is only acceptable for the initial cacerts
# bootstrap; once the chain is extracted to cacerts.pem, verify the RA instead:
curl -s --cacert cacerts.pem https://est-ca.cert-lab.local:8447/.well-known/est/cacerts
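The response handling behind the PKCS#7 section and the manual curl walk-through above, as an added example that is not part of the lab's own CLI or pki-cli.py: it accepts whichever form the EST body was saved in (bare base64, PEM armour, or raw DER), hands the DER to openssl, and formats an extracted serial with the 0x prefix the page requires. It assumes openssl is on PATH; the DER bytes used for testing are constructed, not a real certificate.

```python
"""Normalise an EST (RFC 7030) response body and extract its certificates."""
import base64
import binascii
import re
import subprocess

# EST bodies carry Content-Transfer-Encoding: base64, so a file saved by curl is
# usually bare base64.  Some tools add PEM armour and a misconfigured server may
# send raw DER; all three forms are recognised here.
PEM_RE = re.compile(rb"-----BEGIN (?:PKCS7|CMS)-----(.*?)-----END (?:PKCS7|CMS)-----", re.S)


def est_body_to_der(body: bytes) -> bytes:
    """Return the DER PKCS#7 object carried in a cacerts/simpleenroll body."""
    # Raw DER: SEQUENCE tag 0x30 followed by a long-form length byte (>= 0x80).
    # A certs-only response is hundreds of bytes, so the second byte is 0x82 or
    # 0x83, which can never be a base64 alphabet character (no ambiguity).
    if len(body) > 1 and body[0] == 0x30 and body[1] >= 0x80:
        return body
    armoured = PEM_RE.search(body)
    if armoured:
        return base64.b64decode(b"".join(armoured.group(1).split()))
    try:
        return base64.b64decode(b"".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("EST body is neither DER, PEM nor bare base64") from exc


def extract_certs_pem(der: bytes) -> str:
    """Unwrap the certs-only PKCS#7 with openssl, as in the manual command above."""
    proc = subprocess.run(["openssl", "pkcs7", "-inform", "DER", "-print_certs"],
                          input=der, capture_output=True, check=True)
    return proc.stdout.decode()


def pki_cli_serial(openssl_serial_line: str) -> str:
    """Turn 'serial=1A2B3C' from `openssl x509 -serial` into the 0x-prefixed
    form the Dogtag REST API and pki-cli.py expect (0x1a2b3c)."""
    value = openssl_serial_line.strip().split("=", 1)[-1].strip()
    if value.lower().startswith("0x"):
        value = value[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", value):
        raise ValueError(f"not a hex serial: {openssl_serial_line!r}")
    return "0x" + (value.lstrip("0").lower() or "0")


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:          # e.g. cert.p7b saved by curl
        print(extract_certs_pem(est_body_to_der(fh.read())))
```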

Troubleshooting

Issue                                 Cause                        Solution
-----------------------------------   --------------------------   ----------------------------------------------------
EST RA returns 503                    Intermediate CA not ready    Wait for the Intermediate CA healthcheck to pass
PKCS#7 decode fails                   Response is base64-encoded   Use -inform PEM instead of -inform DER
Certificate not found on revocation   Looking at the wrong CA      EST certs are on the Intermediate CA, not the EST RA
TLS handshake failure                 CA chain not trusted         Use lab est-cacerts to get the trust chain first
