Authentication and preregistration for EST
This article is valid for Certificate Manager 8.4 and later.
Security in EST is handled through client certificate authentication. HTTP-based authentication as client authentication is only supported if the device has been pre-registered by an administrator and the communication occurs over TLS. For more information, see Device preregistration for automated enrollment.
HTTP Basic or Digest Authentication can also be implemented directly in the Tomcat instance, but then Protocol Gateway still requires a valid client certificate to issue any certificate to the device.
Instead of the intermediate RA being assigned an RA certificate, it can use a certificate that has a CM officer role. Therefore, the extension id-kp-cmcRA has been left out.
Certificate verification in simpleenroll
The EST endpoint /simplereenroll uses a format that checks that the PKCS#10 request is for the same subject as the client certificate used for the TLS connection. This means that to use this function, the clients require certificates with the extended key usage Client Authentication. Protocol Gateway also verifies that the client certificate has not been revoked.
For a configuration example, see Example: EST configuration in Protocol Gateway.
Match last issued certificate
The /simplereenroll endpoint can also be configured to require that the client TLS certificate used matches the last issued certificate for the requested subject. To enable this, set allowRenewalWithOldCertificates to 'true' in the configuration file est.properties.
If dNSName and iPAddress are not set in the PKCS#10 request to an EST enrollment endpoint, they will be set by copying from unstructuredName/commonName and unstructuredAddress. If commonName is not set in the PKCS#10 request, it will be set by copying from dNSName.
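The subject check on /simplereenroll and the dNSName fill-in rule described above, as an added example that is not Protocol Gateway's own code: it builds a constructed client certificate and two CSRs with the openssl CLI (OpenSSL 1.1.1 or later assumed; device names are invented), then applies the same two rules to them.

```shell
#!/bin/sh
# Added example, not Protocol Gateway code: reproduces the /simplereenroll subject
# check and the dNSName fill-in rule on constructed OpenSSL artifacts (OpenSSL 1.1.1+).
set -eu
WORK=$(mktemp -d)
SUBJ="/CN=device01.example.net"   # constructed device identity

# Constructed TLS client certificate (with the required Client Authentication EKU)
# and two CSRs: one renewal for the same subject, one for a different subject.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
  -out "$WORK/client.crt" -subj "$SUBJ" -days 1 \
  -addext "extendedKeyUsage=clientAuth" 2>/dev/null
openssl req -new -key "$WORK/client.key" -out "$WORK/renew.csr" -subj "$SUBJ" 2>/dev/null
openssl req -new -key "$WORK/client.key" -out "$WORK/other.csr" \
  -subj "/CN=device02.example.net" 2>/dev/null

# subject_of FILE KIND: normalized (RFC 2253) subject DN of a cert (x509) or CSR (req)
subject_of() {
  openssl "$2" -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# simplereenroll_check CSR CERT: succeeds only if the CSR subject equals the subject of
# the TLS client certificate and that certificate carries the clientAuth EKU.
# (Revocation status, which Protocol Gateway also checks, is out of scope here.)
simplereenroll_check() {
  [ "$(subject_of "$1" req)" = "$(subject_of "$2" x509)" ] || return 1
  openssl x509 -in "$2" -noout -text | grep -q "TLS Web Client Authentication"
}

# implied_dnsname CSR: the dNSName the gateway would use: the SAN dNSName when the CSR
# carries one, otherwise the value copied from commonName.
implied_dnsname() {
  if openssl req -in "$1" -noout -text | grep -q 'DNS:'; then
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | head -1 | cut -d: -f2
  else
    subject_of "$1" req | cut -d, -f1 | sed -n 's/^CN=//p'
  fi
}

if simplereenroll_check "$WORK/renew.csr" "$WORK/client.crt"; then echo "renewal OK"; fi
if ! simplereenroll_check "$WORK/other.csr" "$WORK/client.crt"; then echo "other rejected"; fi
echo "dNSName: $(implied_dnsname "$WORK/renew.csr")"
```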
EST with authentication certificates
The /simpleenroll endpoint can be set up to require a preregistered authentication/factory certificate matched to the commonName of the incoming request.
To configure this requirement, set the following fields on the certificate procedure connected to the token procedure of the configured simpleenroll handler:
Certificate format: estenroll
Custom format fields:
enroll.use-authentication-cert = true
enroll.mandatorypassword = false
enroll.check-subject-values = true
You add Custom format fields using the Advanced button next to the certificate format field when modifying a certificate procedure.
Manual authorization for EST using IDM
The /simpleenroll endpoint can be set up to require manual authorization using Smart ID Identity Manager (IDM). In this case, an Identity Manager Operator must approve the request before a certificate is issued.
This is an example of a handler configuration:
Example: Handler configuration
handler.<n>.filter = registersimpleenroll-basic-idm-auth
handler.<n>.format = est-simpleenroll-idm
handler.<n>.tokenprocedure = EST Registration and Enroll Procedure
handler.<n>.authtype = Basic
handler.<n>.realm = EST Realm
handler.<n>.idm.requestUrl = https://localhost:8443/idm/ws/processes/...
handler.<n>.idm.tls.token = protocol-gateway-ra.p12
handler.<n>.idm.tls.password = abcd1234
challengePassword attribute not supported
The EST specification describes a tls-unique attribute that can be used as a challengePassword inside the request after connecting, proving that the client has access to the private key at the time of the request.
Protocol Gateway does not support this attribute, and the default behavior is to deny all requests containing the challengePassword attribute.