Skip to main content
Skip table of contents

Authentication and preregistration for EST

This article is valid for Certificate Manager 8.4 and later.

Security in EST is handled through client certificate authentication. HTTP-based authentication as client authentication is only supported if the device has been pre-registered by an administrator and the communication occurs over TLS. For more information, see Device preregistration for automated enrollment.

HTTP Basic or Digest Authentication can also be implemented directly in the Tomcat instance, but then Protocol Gateway still requires a valid client certificate to issue any certificate to the device.

Instead of the intermediate RA being assigned with an RA certificate, it can use a certificate that has a CM officer role. Therefore, the extension id-kp-cmcRA, has been left out. 

Certificate verification in simpleenroll

The EST endpoint /simplereenroll uses a format that checks that the PKCS#10 request is for the same subject as the used client certificate. This means that to use this function, the clients require certificates with the extended key usage Client Authentication. Protocol Gateway also verifies that the client certificate has not been revoked. 

For a configuration example, see Example: EST configuration in Protocol Gateway.

Match last issued certificate

The /simplereenroll endpoint can also be configured to require that the used client TLS certificate matches the last issued certificate for the requested subject. To enable this, set allowRenewalWithOldCertificates to 'true' in the configuration file est.properties

  • If dNSName and iPAddress is not set in the PKCS#10 request to an EST enrollment endpoint, they will be set by copying from unstructuredName/commonName and unstructuredAddress.

  • If commonName is not set in the PKCS#10 request it will be set by copying from dNSName.

EST with authentication certificates

The /simpleenroll endpoint can be set up to require a preregistered authentication/factory certificate matched to the commonname of the incoming request.

To configure this requirement, set the following fields on the certificate procedure connected to the token procedure of the configured simpleenroll handler:

  • Certificate format: estenroll

  • Custom format fields:

    • enroll.use-authentication-cert = true

    • enroll.mandatorypassword = false

    • enroll.check-subject-values = true

You add Custom format fields using the advanced button next to the certformat when modifying a certificate procedure.

Manual authorization for EST using IDM

The /simpleenroll endpoint can be set up to require manual authorization using Smart ID Identity Manager [IDM]. In this case, an Identity Manager Operator must approve the request before a certificate is issued.

This is an example of a handler configuration:

Example: Handler configuration
CODE
handler.<n>.filter = registersimpleenroll-basic-idm-auth
handler.<n>.format = est-simpleenroll-idm
handler.<n>.tokenprocedure = EST Registration and Enroll Procedure
handler.<n>.authtype = Basic
handler.<n>.realm = EST Realm
handler.<n>.idm.requestUrl = https://localhost:8443/idm/ws/processes/...
handler.<n>.idm.tls.token = protocol-gateway-ra.p12
handler.<n>.idm.tls.password = abcd1234

challengePassword attribute not supported

The EST specification describes a tls-unique attribute that can be used as a challengePassword inside the request after connecting, proving that the client has access to the private key at the time of the request.

Protocol Gateway does not support this attribute and the default behavior is to deny all requests containing the challengePassword attribute.

Related information


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.