
Generate CSR at runtime #30

Open
Simkiw opened this issue Nov 27, 2023 · 5 comments
Simkiw commented Nov 27, 2023

Hello,

The package implements different APIs of EST protocol.
It expects the CSR to be ready for use, like in the enroll method.

Is it possible to generate the CSR at runtime?
And can we fetch the TLS unique value from the current client implementation?

Typical use-case: include TLS-unique value (in TLS 1.2)
Such as, after establishing the TLS connection between server and client,

  1. the TLS unique value can be retrieved from the client
  2. the TLS unique value can be included in the CSR
  3. The CSR can be signed with my private key
  4. Pass the signed CSR to the EST enroll method

Thank you very much

@toddgaunt-gs
Collaborator

Hello Simkiw,

We already support generating the CSR in another command, estclient csr which defaults to stdout, which can be used together with estclient enroll to get a certificate issued from an EST server. Does this not suit your use case?

Regards,
Todd Gaunt

@toddgaunt-gs toddgaunt-gs self-assigned this Nov 30, 2023
@61131

61131 commented Dec 18, 2023

@toddgaunt-gs - The request for client generation of CSR at run-time based upon tls-unique (TLSv1.2) or tls-exporter (TLSv1.3) is in line with RFC 7030 requirements for linking identity and client proof-of-possession of the CSR private key. See Section 3.5 of RFC 7030 for details. While not mandatory, this functionality is highly useful to ensure the authenticity of the EST request.

@Simkiw
Author

Simkiw commented Dec 18, 2023

Exactly @61131

@toddgaunt-gs , I actually looked at the client implementation too.
I have seen no flags for the challenge password, which is supposed to hold the TLS-unique for TLS 1.2 and, I guess, tls-exporter for TLS 1.3 (RFC 7030 has not been updated for it yet).
And no sign of it in the pemfile package either.
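As an added worked example (not code from this issue thread, from estclient, or from the est/pemfile packages), the four steps listed in the opening post, the RFC 7030 section 3.5 linkage @61131 points to, and the missing challengePassword support noted just above, carried out in Go: take the channel binding off an established tls.ConnectionState, build a PKCS#10 request whose challengePassword attribute is the base64 of that binding, sign it with the device key, and, on the server side, verify the proof-of-possession signature and read the attribute back for comparison. Everything is assumed: the function and type names, the P-256 device key, the "device-0001" subject, and the TLS 1.3 branch, which uses the RFC 9266 tls-exporter value because RFC 7030 itself only specifies tls-unique.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
)

// PKCS#9 challengePassword (RFC 2985), where RFC 7030 section 3.5 puts the base64
// channel binding, and ecdsa-with-SHA256 for the P-256 device key assumed here.
var oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
var oidECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}

// Minimal PKCS#10 (RFC 2986) shapes; crypto/x509 exports no types for these.
type challengePasswordAttr struct {
	Type  asn1.ObjectIdentifier
	Value []string `asn1:"set"` // SET OF DirectoryString, one element
}
type certificationRequestInfo struct {
	Version       int
	Subject       asn1.RawValue
	PublicKey     asn1.RawValue
	RawAttributes []asn1.RawValue `asn1:"tag:0"`
}
type certificationRequest struct {
	TBSCSR             asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

// newDeviceKey generates the P-256 key the CSR will prove possession of (assumed key type).
func newDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// channelBinding (step 1): tls-unique (RFC 5929) on TLS 1.2, tls-exporter (RFC 9266) on TLS 1.3.
func channelBinding(cs tls.ConnectionState) ([]byte, error) {
	switch {
	case cs.Version == tls.VersionTLS13:
		return cs.ExportKeyingMaterial("EXPORTER-Channel-Binding", nil, 32)
	case cs.Version == tls.VersionTLS12 && len(cs.TLSUnique) > 0: // nil when resumed without EMS
		return cs.TLSUnique, nil
	}
	return nil, fmt.Errorf("no channel binding available for TLS version %#x", cs.Version)
}

// csrWithChallengePassword (steps 2 and 3) signs a CSR whose challengePassword is the base64
// binding. crypto/x509's CertificateRequest.Attributes cannot express the attribute's
// SET OF DirectoryString value, so the CertificationRequestInfo is assembled and signed by hand.
func csrWithChallengePassword(key *ecdsa.PrivateKey, subject pkix.Name, binding []byte) ([]byte, error) {
	subj, err := asn1.Marshal(subject.ToRDNSequence())
	if err != nil {
		return nil, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, err
	}
	attr, _ := asn1.Marshal(challengePasswordAttr{oidChallengePassword, []string{base64.StdEncoding.EncodeToString(binding)}})
	tbs, err := asn1.Marshal(certificationRequestInfo{0, asn1.RawValue{FullBytes: subj},
		asn1.RawValue{FullBytes: spki}, []asn1.RawValue{{FullBytes: attr}}})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(tbs)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:]) // proof of possession of the device key
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(certificationRequest{asn1.RawValue{FullBytes: tbs},
		pkix.AlgorithmIdentifier{Algorithm: oidECDSAWithSHA256}, asn1.BitString{Bytes: sig, BitLength: 8 * len(sig)}})
}

// verifyAndExtract (server side): check the proof-of-possession signature, then read the
// challengePassword back so it can be compared with the server's own binding for the connection.
func verifyAndExtract(der []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", err
	}
	var info certificationRequestInfo
	if _, err := asn1.Unmarshal(csr.RawTBSCertificateRequest, &info); err != nil {
		return "", err
	}
	for _, raw := range info.RawAttributes {
		var a challengePasswordAttr
		if _, err := asn1.Unmarshal(raw.FullBytes, &a); err == nil && a.Type.Equal(oidChallengePassword) && len(a.Value) == 1 {
			return a.Value[0], nil
		}
	}
	return "", fmt.Errorf("no challengePassword attribute in CSR")
}
```

In a real client the ConnectionState has to come from the very TLS connection that carries the enroll request (with net/http that is resp.TLS on a response from the EST server, or the tls.Conn under a dedicated transport), not from a separate probe connection, and the CSR must be built after that handshake and before the /simpleenroll POST; with keep-alive the binding is only valid as long as the same connection is reused. The DER returned by csrWithChallengePassword is what step 4 would hand to the enroll call, and the server-side check is what makes the linkage meaningful: a CSR replayed over another connection carries a challengePassword that no longer matches that connection's binding.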

@toddgaunt-gs
Collaborator

Thanks for the clarification, both of you. This would indeed be a useful feature to implement. Since this is meant as an example EST service and we don't use this functionality in our own environment, this likely won't be prioritized for implementation; however, I'd be happy to accept a PR implementing this functionality and to get another developer and myself to review it.

@Simkiw
Author

Simkiw commented Dec 19, 2023

Sure,
I can give myself a shot :)
