Example: EST configuration in Protocol Gateway
This article describes a configuration example of the EST protocol in Protocol Gateway.
Enrollment over Secure Transport (EST) is an X.509 certificate management protocol for Public Key Infrastructure (PKI) clients that need to acquire key pairs, client certificates and the associated Certification Authority (CA) certificates over HTTPS. Examples of its functions are initial certificate enrollment, certificate renewal and CA rollover. EST is defined in RFC 7030.
Prerequisites
Protocol Gateway must be installed. See Install Protocol Gateway.
Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway.
Tomcat must be configured for TLS client authentication. See Configure Tomcat for TLS client authentication in Protocol Gateway.
Configure EST in Protocol Gateway
Create EST certificate procedure
Create a certificate procedure for EST (see Create certificate procedure in Certificate Manager):
Set Procedure name to Protocol Gateway EST Certificate.
In Issuing CA, select Device Issuing CA.
In Certificate format, select estenroll.
In Extended key usage, add TLS Server Authentication and TLS Client Authentication.
Create EST token procedure
Create a token procedure for EST (see Create token procedure in Certificate Manager):
Set Procedure name to EST Registration and Enroll Procedure.
In Storage profile, select PKCS10.
In Certificate procedures, select the certificate procedure you just created, that is Protocol Gateway EST Certificate.
In Input view, select GPIV 15 - Save and Search EST Enrollment Registrations.
Create EST certificate procedure for simpleenroll
Clone the certificate procedure Protocol Gateway EST Certificate, and modify the new certificate procedure as follows:
Set Procedure name to Protocol Gateway EST simpleenroll.
In Certificate format, select rfc5280.
Create EST token procedure for simpleenroll
Create a token procedure for EST (see Create token procedure in Certificate Manager):
Set Procedure name to EST simpleenroll Procedure.
In Storage profile, select PKCS10.
In Certificate procedures, select the certificate procedure you just created, that is Protocol Gateway EST simpleenroll.
In Input view, select GPIV 15 - Save and Search EST Enrollment Registrations.
Set EST properties
In this example, simpleenroll is configured to use basic authentication to receive the first certificate, and that certificate is then used to request a renewal with simplereenroll.
The est.properties file contains the configuration parameters used by the EST servlet. For more information, see est.properties.
To set the properties for EST:
Open \Nexus\cm-gateway\conf\est.properties for editing.
Modify the following properties:
Enable EST by setting start to true.
Set default.tokenprocedure to EST Registration and Enroll Procedure.
Configure handler.1 and handler.2 as follows:
Comment out handler.1.requiredRoRoles.
Set handler.1.authtype to Basic.
Set handler.2.tokenprocedure to the simpleenroll procedure you have created, EST simpleenroll Procedure.
Set handler.2.requiredRoRoles to none.
For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.
If needed, scramble sensitive parameters in the configuration file. See Scramble sensitive data in configuration files in Protocol Gateway.
Save the file.
Example: est.properties
start = true
default.format = est-simpleenroll
default.tokenprocedure = EST Registration and Enroll Procedure
# Define handlers
# Each EST endpoint requires its own handler
handler.0.filter = cacerts
handler.1.filter = simpleenroll
handler.1.format = est-simpleenroll
# handler.1.requiredRoRoles = cert.issue
handler.1.authtype = Basic
handler.2.filter = simplereenroll
handler.2.format = est-simplereenroll
handler.2.tokenprocedure = EST simplereenroll Procedure
handler.2.requiredRoRoles = none
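As an added example (not Nexus code), the following Python reads a properties fragment like the one above and resolves what each endpoint handler ends up with. The fallback from handler.N.key to default.key, and treating an unset authtype as TLS client certificate, are assumptions made for illustration.

```python
"""Added example (not Nexus code): parse an est.properties fragment and resolve
each EST endpoint handler. Assumed rule: handler.N.<key> falls back to default.<key>."""
from typing import Dict, List

# Constructed sample, mirroring the est.properties shown in this article.
SAMPLE_PROPERTIES = """
start = true
default.format = est-simpleenroll
default.tokenprocedure = EST Registration and Enroll Procedure
handler.0.filter = cacerts
handler.1.filter = simpleenroll
handler.1.format = est-simpleenroll
# handler.1.requiredRoRoles = cert.issue
handler.1.authtype = Basic
handler.2.filter = simplereenroll
handler.2.format = est-simplereenroll
handler.2.tokenprocedure = EST simplereenroll Procedure
handler.2.requiredRoRoles = none
"""
# Tomcat places the gateway under /pgwy/, so every endpoint hangs off this base.
EST_BASE = "https://cm.local:8443/pgwy/.well-known/est/"


def parse_properties(text: str) -> Dict[str, str]:
    """Java-style 'key = value' lines; a '#' line is a comment, so the
    commented-out requiredRoRoles key is simply absent from the result."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_handlers(props: Dict[str, str]) -> List[Dict[str, object]]:
    """One record per handler.N.filter; unset keys inherit from default.*. An unset
    authtype is assumed to mean TLS client certificate; a commented-out
    requiredRoRoles yields None, i.e. no RA-officer role is demanded."""
    handlers = []
    for key, flt in sorted(props.items()):
        if not (key.startswith("handler.") and key.endswith(".filter")):
            continue
        n = key.split(".")[1]
        get = lambda name, fb=None: props.get(f"handler.{n}.{name}", props.get(f"default.{name}", fb))
        handlers.append({"filter": flt, "url": EST_BASE + flt, "authtype": get("authtype", "ClientCert"),
                         "tokenprocedure": get("tokenprocedure"), "requiredRoRoles": get("requiredRoRoles")})
    return handlers
```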
Restart Tomcat
Restart the Tomcat service.
Test EST protocol with Nexus test client
Configure EST test client
To configure the EST test client:
Open the file com.nexussafe.cm.test.app.ESTClient.properties for editing:
Comment out handlerInfo.0.port = 8444.
Configure PKCS#10:
Set p10.subject to cn=EST 169676786786, with any serial number.
Set p10.dns to EST 169676786786, with the same serial number as above.
Comment out p10.email.
Register demo EST device
Register a wildcard EST device for testing:
In Registration Authority (RA) in Certificate Manager, go to the Order tab.
In Procedure, select EST Registration and Enroll Procedure.
Register a wildcard FQDN, by entering the following details:
In Commonname, enter *.
In Username, enter test.
In Realm, enter EST.
In Password, select a password that shall be used in the simpleenroll process later.
In Validity time (days), enter the number of days that the registration shall be valid.
In State, select Open.
Verify EST with Test client
To verify the EST setup with the EST Test client:
In the command prompt, start an interactive session by typing the command:
Example: Start EST Test client
java -jar testtools.jar ESTClientHttp interactive
Verify that the issuing CA certificates can be fetched by using the cacerts command. The default URL https://cm.local:8443/pgwy/.well-known/est/cacerts will be used by the EST client to obtain CA certificates. Protocol Gateway will automatically send the CA certificate for the token procedure set in default.tokenprocedure. Run the following command and verify that the response code is 200:
cacerts
Note: Since Protocol Gateway is delivered as a web application, it is normally placed in the subpath /pgwy/ by Tomcat. This can be configured in Tomcat. For more information, see EST URI configuration.
Verify that a certificate can be issued by the simpleenroll command. The simpleenroll process is configured with basic authentication, so the first certificate can be requested without a client certificate. The URL https://cm.local:8443/pgwy/.well-known/est/simpleenroll will be used by an EST client to obtain a certificate from a PKCS#10 request. Run the following commands:
Turn off client authentication:
toggleclientauth
Set the password for basic authentication to match the password configured in the registration:
setbasicauthentication user:pass
Request a certificate by using basic authentication:
simpleenroll
Verify that a certificate is issued.
Verify that a certificate can be issued by the simplereenroll command. The URL https://cm.local:8443/pgwy/.well-known/est/simplereenroll will be used by an EST client to renew its certificate. Protocol Gateway will check that the subject contained in the request is the same as the subject of the authentication certificate (specifically, the same commonname). This means that to use this function, the clients require certificates with the extended key usage Client Authentication. Run the following commands:
Use the latest received certificate for authentication:
switchsslcredentials
Turn client authentication back on:
toggleclientauth
Request a certificate by using client authentication:
simplereenroll
Verify that a certificate is issued.
If the hostname is not the same, the error will be:
Result: Could not verify that certificate request was for renewing an existing subject
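The subject check behind that error, written as an added Python example rather than Protocol Gateway's own code: the commonname in the renewal request is compared with the commonname of the certificate presented for TLS client authentication. The DN parsing is simplified and the case-insensitive comparison is an assumption.

```python
"""Added example (not Nexus code) of the simplereenroll subject check described
above: the request's commonname must equal the authentication certificate's.
DN handling is simplified (backslash escapes only, no multi-valued RDNs)."""
from typing import List, Optional, Tuple

# Error text shown by the test client in the article when the subjects differ.
RENEWAL_ERROR = "Result: Could not verify that certificate request was for renewing an existing subject"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'cn=EST 169676786786,o=Nexus' -> [('cn', 'EST 169676786786'), ('o', 'Nexus')].
    Attribute types are lowercased and values whitespace-normalised for comparison."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char, e.g. '\,' inside a value
            buf.append(dn[i + 1]); i += 2; continue
        if dn[i] == ",":
            rdns.append("".join(buf)); buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if sep:
            out.append((attr.strip().lower(), " ".join(val.split())))
    return out


def common_name(dn: str) -> Optional[str]:
    """First CN value of the DN, or None if it has none."""
    return next((v for a, v in parse_dn(dn) if a == "cn"), None)


def check_renewal(request_subject: str, auth_cert_subject: str) -> Optional[str]:
    """None when the renewal may proceed; otherwise the gateway's error text.
    Mirrors the article: the CSR subject must carry the same commonname as the
    certificate used for TLS client authentication (assumed case-insensitive)."""
    req_cn, auth_cn = common_name(request_subject), common_name(auth_cert_subject)
    if req_cn is None or auth_cn is None or req_cn.lower() != auth_cn.lower():
        return RENEWAL_ERROR
    return None
```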