Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients



This article describes a configuration example of the EST protocol in Protocol Gateway.

Enrollment over Secure Transport (EST) is an X.509 certificate management protocol for Public Key Infrastructure (PKI) clients that need to acquire key pairs, client certificates and the associated Certification Authority (CA) certificates over HTTPS. Examples of functions are initial certificate enrollment, certificate renewal and CA rollover. EST is defined in RFC 7030.


Prerequisites

The following prerequisites apply:

Step-by-step instruction

Configure EST in Protocol Gateway

Create a certificate procedure for EST, see Create certificate procedure in Certificate Manager:

  1. Set Procedure name to Protocol Gateway EST Certificate.
  2. In Issuing CA, select Device Issuing CA.
  3. In Certificate format, select estenroll.
  4. In Extended key usage, add TLS Server Authentication and TLS Client Authentication.

Create a token procedure for EST, see Create token procedure in Certificate Manager:

  1. Set Procedure name to EST Registration and Enroll Procedure.
  2. In Storage profile, select PKCS10.
  3. In Certificate procedures, select the certificate procedure you just created, that is, Protocol Gateway EST Certificate.
  4. In Input view, select GPIV 15 - Save and Search EST Enrollment Registrations.

Clone the certificate procedure Protocol Gateway EST Certificate, and modify the new certificate procedure as follows:

  1. Set Procedure name to Protocol Gateway EST simpleenroll.
  2. In Certificate format, select rfc5280.

Create a token procedure for EST, see Create token procedure in Certificate Manager:

  1. Set Procedure name to EST simpleenroll Procedure.
  2. In Storage profile, select PKCS10.
  3. In Certificate procedures, select the certificate procedure you just created, that is, Protocol Gateway EST simpleenroll.
  4. In Input view, select GPIV 15 - Save and Search EST Enrollment Registrations.

In this example, simpleenroll is configured to use basic authentication to receive the first certificate and then to use that certificate to request a renewal with simplereenroll.

The est.properties file contains the configuration parameters used by the EST servlet. For more information, see est.properties.

To set the properties for EST:

  1. Open \Nexus\cm-gateway\conf\est.properties for editing.
  2. Modify the following properties:
    1. Enable EST by setting start to true.
    2. Set default.tokenprocedure to EST Registration and Enroll Procedure.
    3. Configure handler.1 and handler.2 as follows:
      1. Comment out handler.1.requiredRoRoles.
      2. Set handler.1.authtype to Basic.
      3. Set handler.2.tokenprocedure to the simpleenroll procedure you have created, EST simpleenroll Procedure.
      4. Set handler.2.requiredRoRoles to none.

        For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.

  3. If needed, scramble sensitive parameters in the configuration file. See Scramble sensitive data in configuration files in Protocol Gateway.
  4. Save the file.

    Example: est.properties
    start = true
    default.format = est-simpleenroll
    default.tokenprocedure = EST Registration and Enroll Procedure

    # Define handlers
    # Each EST endpoint requires its own handler

    handler.0.filter = cacerts

    handler.1.filter = simpleenroll
    handler.1.format = est-simpleenroll
    # handler.1.requiredRoRoles = cert.issue
    handler.1.authtype = Basic

    handler.2.filter = simplereenroll
    handler.2.format = est-simplereenroll
    # The cloned token procedure created above (certificate format rfc5280)
    handler.2.tokenprocedure = EST simpleenroll Procedure
    handler.2.requiredRoRoles = none

  5. Restart the Tomcat service.
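As an added example (not part of the Nexus documentation or product code), the following Python script parses the handler definitions of an est.properties file like the one above and reports, per EST endpoint, the URL it answers on and the format, token procedure and authentication settings that apply to it, falling back to the default.* keys where a handler sets nothing. The sample properties text, the URL base https://cm.local:8443/pgwy/.well-known/est and the token procedure names come from this article; the missing_procedures check is an assumption about a useful sanity check, not a Protocol Gateway feature.

```python
import re

# Sample constructed from the est.properties settings shown above (not a file shipped by Nexus).
SAMPLE_EST_PROPERTIES = """\
start = true
default.format = est-simpleenroll
default.tokenprocedure = EST Registration and Enroll Procedure
handler.0.filter = cacerts
handler.1.filter = simpleenroll
handler.1.format = est-simpleenroll
# handler.1.requiredRoRoles = cert.issue
handler.1.authtype = Basic
handler.2.filter = simplereenroll
handler.2.format = est-simplereenroll
handler.2.tokenprocedure = EST simpleenroll Procedure
handler.2.requiredRoRoles = none
"""

def parse_properties(text):
    """key = value lines; '#' lines are comments, so a commented-out key is simply absent."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def handler_table(props, base="https://cm.local:8443/pgwy/.well-known/est"):
    """One row per handler.N.filter: the endpoint URL plus the effective settings.
    A handler-level key wins; format and tokenprocedure fall back to the default.* keys."""
    rows = {}
    for key, name in props.items():
        m = re.fullmatch(r"handler\.(\d+)\.filter", key)
        if not m:
            continue
        p = f"handler.{m.group(1)}."
        rows[name] = {
            "url": f"{base}/{name}",
            "format": props.get(p + "format", props.get("default.format")),
            "tokenprocedure": props.get(p + "tokenprocedure", props.get("default.tokenprocedure")),
            "authtype": props.get(p + "authtype"),            # None: no Basic auth on this endpoint
            "requiredRoRoles": props.get(p + "requiredRoRoles"),  # None: key absent or commented out
        }
    return rows

def missing_procedures(rows, created):
    """Token procedures a handler refers to that were never created in Certificate Manager."""
    return sorted({r["tokenprocedure"] for r in rows.values()} - set(created))
```

Running missing_procedures against the list of token procedures you actually created catches a handler that points at a procedure name that does not exist before Tomcat is restarted.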

Test EST protocol with Nexus test client

To configure the EST test client: 

  1. Open the file com.nexussafe.cm.test.app.ESTClient.properties for editing.
  2. Comment out handlerInfo.0.port = 8444.
  3. Configure PKCS#10:
    1. Set p10.subject to cn=EST 169676786786, with any serial number.
    2. Set p10.dns to EST 169676786786, with the same serial number as above.
    3. Comment out p10.email.

Register a wildcard EST device for testing: 

  1. In Registration Authority (RA) in Certificate Manager, go to the Order tab. 
  2. In Procedure, select EST Registration and Enroll Procedure.
  3. Register a wildcard FQDN, by entering the following details:
    1. In Commonname, enter *.
    2. In Username, enter test.
    3. In Realm, enter EST.
    4. In Password, select a password that shall be used in the simpleenroll process later.
    5. In Validity time (days), enter the number of days that the registration shall be valid.
    6. In State, select Open.

To verify the EST setup with the EST Test client: 

  1. In the command prompt, start an interactive session by typing the following command:

    Example: Start EST Test client
    java -jar testtools.jar ESTClientHttp interactive
  2. Verify that the issuing CA certificates can be fetched by using the cacerts command. The EST client uses the default URL https://cm.local:8443/pgwy/.well-known/est/cacerts to obtain the CA certificates. Protocol Gateway automatically sends the CA certificate for the token procedure set in default.tokenprocedure.

    1. Run the following command and verify that the response code is 200:

      cacerts

      Since Protocol Gateway is delivered as a web application, Tomcat normally places it in the subpath /pgwy/. This can be configured in Tomcat. For more information, see EST URI configuration.

  3. Verify that a certificate can be issued with the simpleenroll command. The simpleenroll handler is configured with basic authentication, so the first certificate can be requested without a client certificate. The URL https://cm.local:8443/pgwy/.well-known/est/simpleenroll will be used by an EST client to obtain a certificate from a PKCS#10 (P10) request. Run the following commands:
    1. Turn off client authentication:

      toggleclientauth
    2. Set the password for basic authentication to match the password configured in the registration:

      setbasicauthentication user:pass
    3. Request a certificate by using basic authentication:

      simpleenroll
    4. Verify that a certificate is issued.
  4. Verify that a certificate can be renewed with the simplereenroll command. The URL https://cm.local:8443/pgwy/.well-known/est/simplereenroll will be used by an EST client to renew its certificate. Protocol Gateway checks that the subject contained in the request is the same as the subject of the authentication certificate (in fact, the same commonname). This means that to use this function, the clients require certificates with the extended key usage Client Authentication. Run the following commands:
    1. Use the latest received certificate for authentication:

      switchsslcredentials
    2. Turn client authentication back on:

      toggleclientauth
    3. Request a certificate by using client authentication:

      simplereenroll
    4. Verify that a certificate is issued. If the hostname in the request is not the same as in the authentication certificate, the error will be:

      Result: Could not verify that certificate request was for renewing an existing subject
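The same three exchanges as an added example in Python (standard library only; this is not the Nexus test client's code): cacerts over plain TLS, simpleenroll with an Authorization: Basic header and no client certificate, and simplereenroll with the issued certificate loaded as the TLS client credential. The host cm.local, port 8443 and context path /pgwy/ are taken from this article; the user test with password pass, the PKCS#10 DER passed as csr_der and the PEM files passed to run_flow are assumptions, while the base64 bodies and the application/pkcs10 and application/pkcs7-mime content types are what RFC 7030 specifies.

```python
import base64
import http.client
import ssl

BASE_PATH = "/pgwy/.well-known/est"   # Tomcat places Protocol Gateway under /pgwy/

def build_request(endpoint, csr_der=None, basic=None):
    """Return (method, path, headers, body) for cacerts, simpleenroll or simplereenroll.
    RFC 7030: the PKCS#10 is sent base64-encoded with Content-Type application/pkcs10."""
    path = f"{BASE_PATH}/{endpoint}"
    if endpoint == "cacerts":
        return "GET", path, {"Accept": "application/pkcs7-mime"}, None
    headers = {"Content-Type": "application/pkcs10",
               "Content-Transfer-Encoding": "base64"}
    if basic:  # simpleenroll in this setup: handler.1.authtype = Basic, basic = (user, password)
        token = base64.b64encode(f"{basic[0]}:{basic[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    return "POST", path, headers, base64.b64encode(csr_der).decode()

def decode_pkcs7(body_text):
    """cacerts and enroll answers are base64 certs-only PKCS#7; return the DER bytes."""
    return base64.b64decode("".join(body_text.split()))

def send(host, port, req, ctx):
    """One HTTPS round trip; returns (status, body text)."""
    method, path, headers, body = req
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read().decode()

def run_flow(csr_der, cafile, certfile=None, keyfile=None,
             host="cm.local", port=8443, user="test", password="pass"):
    """cacerts, then simpleenroll with Basic auth, then simplereenroll authenticated with the
    issued certificate. The CSR must carry the same subject CN for the renewal to be accepted.
    cafile: PEM trust anchor for the gateway's TLS certificate (assumed to exist locally)."""
    ctx = ssl.create_default_context(cafile=cafile)
    status, text = send(host, port, build_request("cacerts"), ctx)
    assert status == 200, f"cacerts failed with HTTP {status}"
    ca_der = decode_pkcs7(text)
    status, text = send(host, port, build_request("simpleenroll", csr_der, (user, password)), ctx)
    assert status == 200, f"simpleenroll failed with HTTP {status}"
    issued = decode_pkcs7(text)
    if certfile:  # certfile/keyfile: the certificate just issued, written out as PEM with its key
        ctx.load_cert_chain(certfile, keyfile)   # same effect as switchsslcredentials + toggleclientauth
        status, text = send(host, port, build_request("simplereenroll", csr_der), ctx)
        assert status == 200, f"simplereenroll failed with HTTP {status}: {text}"
        issued = decode_pkcs7(text)
    return ca_der, issued
```

A renewal request whose CSR subject differs from the client certificate's subject fails the last assertion with the gateway's "Could not verify that certificate request was for renewing an existing subject" text in the body.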