EST over CoAPs support in Certificate Manager
EST CoAP unsupported for 8.9.0
With the release of Certificate Manager 8.9.0, EST CoAP is temporarily unsupported.
EST over secure CoAP (EST-coaps) is a protocol that can be used for secure bootstrapping and certificate enrollment to low-resource devices. Constrained devices can be battery powered and unattended for years, supporting DTLS, 6LoWPAN; IPv6 over IEEE 802.15.4 based networks. Contiki NG OS based devices is an example of clients that can use EST over coaps.
In Protocol Gateway, there is a CoAP Proxy bundled with the EST service, to allow constrained devices to request certificates over CoAP instead of HTTP. This proxy is powered by the open-source Eclipse project Californium and can be enabled and configured in coap.properties. For general information on EST over CoAPs, see Internet draft - EST over secure CoAP (EST-coaps).
The CoAP proxy consumes CoAP(s) requests and forwards them as HTTP requests to the EST service using TLS client authentication with the officer configured in cm-gateway.properties. For more information, see Initial configuration of Protocol Gateway. The original client certificate is forwarded as well, to ensure that the client is authorized for reenrollment.
The CoAP proxy does not support /fullcmc
.
The CoAP proxy fetches all open CA certificates from CM at startup and uses them as its truststore. In the current implementation there is a limitation that the CoAP proxy does not allow multiple CA certificates to have the same subject.
The Datagram Transport Layer Security (DTLS) server certificate, that is needed for CoAPs and configured with the parameter tlsToken, must include the extended key usage Server Authentication.