EST Protocol Integration
This section details the API endpoints for the Enrollment over Secure Transport (EST) protocol implementation. EST is a client-server protocol for certificate enrollment, re-enrollment, and CA certificate distribution, primarily used by devices and applications to securely obtain and manage their digital certificates. This integration is crucial for automated device provisioning and management, especially in enterprise environments.
Key Functionalities
Well-Known Discovery
- Endpoint: `GET /.well-known/est` (or `GET /api/v1/est/.well-known/est`)
- Description: Provides the standard EST discovery endpoint as defined in RFC 7030. Clients use this endpoint to discover the EST server's capabilities and the URLs for the various EST operations.
- Response: Returns a JSON object listing the EST server's base URL, the available operations (`cacerts`, `simpleenroll`, `simplereenroll`, `csrattrs`, etc.), and its capabilities (e.g., `tls_client_auth`, `http_basic_auth`).
Handle EST Operations
- Endpoint: `GET/POST /api/v1/est/{operation}`
- Description: A central endpoint that handles the various EST operations based on the `{operation}` path parameter.
- Supported Operations:
  - `cacerts`: Distribution of CA certificates.
  - `simpleenroll`: Simple certificate enrollment (initial certificate request).
  - `simplereenroll`: Simple certificate re-enrollment (renewal of an existing certificate).
  - `csrattrs`: Retrieval of CSR attributes.
  - `serverkeygen`: Server-side key generation (not currently implemented).
  - `fullcmc`: Full CMC (Certificate Management over CMS) enrollment (not currently implemented).
- Authentication: Operations like `simpleenroll` and `simplereenroll` require client authentication, which can be performed via TLS client certificates (`SSL_CLIENT_CERT`) or HTTP Basic Authentication.
- CSR Handling: For POST operations (enrollment and re-enrollment), the endpoint processes Certificate Signing Requests (CSRs) provided in the request body. It supports several formats, including PKCS#10, PKCS#7, PEM, and DER.
- Response: Returns the appropriate certificate or data in the specified content type (e.g., `application/pkcs7-mime` for certificates) with relevant HTTP status codes.
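As an added illustration (not the project's own code), the following Python sketch applies the rules above: it gates a request to `/api/v1/est/{operation}` by operation, HTTP method and presence of a client credential, and normalises an enrollment body supplied as PEM, raw DER or bare base64 to DER bytes. The operation table, the status codes and the function names are assumptions for this example; validating the credential and actually parsing the PKCS#10 or PKCS#7 structure are left to the real PKI.

```python
import base64
import binascii

# Operations listed on this page; "auth" marks the ones the page says need a TLS
# client certificate or HTTP Basic credential. The table is an assumption for this
# example, not the project's own configuration.
OPERATIONS = {
    "cacerts":        dict(methods={"GET"},  auth=False, implemented=True),
    "simpleenroll":   dict(methods={"POST"}, auth=True,  implemented=True),
    "simplereenroll": dict(methods={"POST"}, auth=True,  implemented=True),
    "csrattrs":       dict(methods={"GET"},  auth=False, implemented=True),
    "serverkeygen":   dict(methods={"POST"}, auth=True,  implemented=False),
    "fullcmc":        dict(methods={"POST"}, auth=True,  implemented=False),
}

def gate_request(operation, method, ssl_client_cert=None, authorization=None):
    """HTTP status to return for /api/v1/est/{operation} before touching any CSR:
    404 unknown operation, 405 wrong method, 501 not implemented, 401 enrollment
    without a client credential. Only credential *presence* is checked here."""
    spec = OPERATIONS.get(operation)
    if spec is None:
        return 404
    if method not in spec["methods"]:
        return 405
    if not spec["implemented"]:
        return 501
    if spec["auth"]:
        has_tls = bool(ssl_client_cert)                      # e.g. SSL_CLIENT_CERT set
        has_basic = bool(authorization) and authorization.startswith("Basic ")
        if not (has_tls or has_basic):
            return 401
    return 200

def csr_body_to_der(body: bytes) -> bytes:
    """Normalise an enrollment body to raw DER. Accepts PEM, raw DER, or the bare
    base64 transfer encoding RFC 7030 uses for application/pkcs10 bodies."""
    if body[:1] == b"\x30":                   # DER SEQUENCE tag: already binary
        der = body
    else:
        text = body.strip()
        if text.startswith(b"-----BEGIN"):    # PEM: drop armour lines, decode the rest
            text = b"".join(l for l in text.splitlines() if not l.startswith(b"-----"))
        try:
            der = base64.b64decode(b"".join(text.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("body is neither PEM, DER nor base64") from exc
    if der[:1] != b"\x30":
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der
```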
Service Information
- Endpoint: `GET /api/v1/est/info`
- Description: Provides detailed information about the EST service, including its version, status, supported operations, authentication methods, security features, and compatibility with mobile device management (MDM) solutions.
- Compatibility: Explicitly states compatibility with Microsoft Intune, iOS MDM, and Android Enterprise.
- Statistics: Includes basic statistics like the EST CA used, certificates issued, and renewals processed.
Health Check
- Endpoint: `GET /api/v1/est/health`
- Description: Provides a health status check for the EST service, indicating its operational state.
Get Configuration
- Endpoint: `GET /api/v1/est/configuration`
- Description: Retrieves detailed configuration settings for the EST service, including supported operations, content types, and setup instructions for platforms like Microsoft Intune.
- Access Control: This endpoint is restricted to authenticated users or when the application is in debug mode, ensuring sensitive configuration details are not publicly exposed.
- Example Commands: Provides example `curl` commands for interacting with the EST endpoints.
Inferred Specifications
- RFC 7030 Compliance: The system fully implements the Enrollment over Secure Transport (EST) protocol as defined in RFC 7030, ensuring interoperability with standard EST clients.
- Automated Certificate Lifecycle Management: EST integration enables automated enrollment and re-enrollment of certificates for devices and applications, reducing manual overhead.
- Strong Client Authentication: Requires robust client authentication (TLS client certificates or HTTP Basic Auth) for sensitive operations, ensuring that only authorized entities can request certificates.
- Flexible CSR Format Support: The API can process CSRs in multiple industry-standard formats, accommodating diverse client implementations.
- MDM Integration: Explicitly designed for compatibility with leading Mobile Device Management (MDM) solutions like Microsoft Intune, iOS MDM, and Android Enterprise, facilitating large-scale device provisioning.
- Comprehensive Service Metadata: Provides rich metadata about the EST service's capabilities, security features, and compliance, aiding in client integration and auditing.
- Secure Configuration Access: Sensitive EST configuration details are protected, accessible only under controlled conditions.
- Audit Logging: All EST operations and significant events are logged for security, compliance, and troubleshooting purposes (implied by the `EstService` and overall system design).