Certificate Enrollment with libEST
Marco Fargetta edited this page Jan 17, 2025
This page describes the certificate enrollment process using a locally installed libEST client (estclient).

To install libEST:

```
$ dnf copr enable @pki/libest
$ dnf install libest
```

To get the CA certificate chain:

```
$ curl -o cacert.p7 -k https://pki.example.com:8443/.well-known/est/cacerts
```

To convert the certificate chain into DER format:

```
$ openssl base64 -d -in cacert.p7 -out cacert.p7.der
```

To convert the DER certificate chain into PEM certificates:

```
$ openssl pkcs7 -in cacert.p7.der -inform DER -print_certs -out cacert.pem
```

To inspect the certificates:

```
$ openssl x509 -in cacert.pem -text -noout
```

To enroll a certificate:

```
$ EST_OPENSSL_CACERT=cacert.pem estclient \
    -e \
    -s pki.example.com \
    -p 8443 \
    --common-name client.example.com \
    -o . \
    -u <username> \
    -h <password>
```

The certificate chain will be stored in cert-0-0.pkcs7.

To convert the certificate chain into DER format:

```
$ openssl base64 -d -in cert-0-0.pkcs7 -out cert-0-0.pkcs7.der
```

To convert the DER certificate chain into PEM certificates:

```
$ openssl pkcs7 -in cert-0-0.pkcs7.der -inform DER -print_certs -out cert.pem
```

To inspect the certificates:

```
$ openssl x509 -in cert.pem -text -noout
```
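As an added illustration (not part of this page or of libEST), the following Python walks the same base64 PKCS#7 SignedData that the openssl base64/pkcs7 commands above convert, for both cacert.p7 and cert-0-0.pkcs7, and emits each certificate as PEM together with its SHA-256 fingerprint. Because the curl bootstrap above runs with -k (no TLS verification), the CA fingerprint printed here is the value to compare against what the CA operator published out of band before cacert.pem is used as the trust anchor. The sample response body and its placeholder certificates are constructed inside the code; real bodies come from the EST server.

```python
import base64
import hashlib
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 pkcs7-signedData
DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 pkcs7-data

def _der(tag, payload):  # encode one DER TLV with a definite short- or long-form length
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _tlvs(buf):  # yield (tag, value, raw_tlv) for each DER element in buf
    pos = 0
    while pos < len(buf):
        start, tag, n = pos, buf[pos], buf[pos + 1]
        pos += 2
        if n & 0x80:  # long form: the next (n & 0x7F) bytes hold the length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + n], buf[start:pos + n]
        pos += n

def extract_certs(body):  # base64 PKCS#7 body (/cacerts reply or cert-0-0.pkcs7) -> DER certs
    [(_, content_info, _)] = _tlvs(base64.b64decode(body))  # ContentInfo SEQUENCE
    (_, oid, _), (_, explicit, _) = _tlvs(content_info)     # contentType OID, [0] EXPLICIT content
    if oid != SIGNED_DATA_OID:
        raise ValueError("not a PKCS#7 SignedData structure")
    [(_, signed_data, _)] = _tlvs(explicit)                 # SignedData SEQUENCE
    for tag, value, _ in _tlvs(signed_data):
        if tag == 0xA0:  # certificates [0] IMPLICIT SET OF Certificate
            return [raw for t, _, raw in _tlvs(value) if t == 0x30]
    return []  # SignedData without a certificates field

def to_pem(der_cert):  # one PEM block, as `openssl pkcs7 -print_certs` emits per certificate
    b64 = base64.b64encode(der_cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
def fingerprint(der_cert):  # SHA-256 of the DER cert, to compare with the CA's published value
    return hashlib.sha256(der_cert).hexdigest()

def build_sample_response(cert_ders):  # constructed stand-in for an EST response body
    signed_data = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, _der(0x06, DATA_OID))
                       + _der(0xA0, b"".join(cert_ders)) + _der(0x31, b""))
    return base64.b64encode(_der(0x30, _der(0x06, SIGNED_DATA_OID) + _der(0xA0, signed_data))).decode()
# Constructed placeholders: valid DER SEQUENCEs standing in for real X.509 certificates.
SAMPLE_CERTS = [_der(0x30, _der(0x02, b"\x01") + _der(0x04, b"root-" * 40)),
                _der(0x30, _der(0x02, b"\x02") + _der(0x04, b"sub-ca"))]
SAMPLE_BODY = build_sample_response(SAMPLE_CERTS)
```

To use it on a real download, pass the contents of cacert.p7 to extract_certs and print to_pem and fingerprint for each returned certificate.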
To authenticate the client to the EST server using a certificate (certificate authentication must be configured in the realm), the enrollment command is:

```
$ EST_OPENSSL_CACERT=cacert.pem estclient \
    -e \
    -s pki.example.com \
    -p 8443 \
    --common-name client.example.com \
    -o . \
    -c cert.pem \
    -k key.pem
```