Skip to content

CA handler using EST protocol

grindsa edited this page Oct 10, 2020 · 8 revisions

Generic EST protocol handler

The EST protocol handler is not bound to a specific CA and implements the 'cacerts' and 'simpleenroll' calls as defined in RFC7030.

Wwhen using the handler please be aware of the following limitations:

The handler has been tested with the following EST implementation:

When using the Cisco test server make sure that the csr generated by your acme-client has a valid common-name. So enrollment by using cert-bot is unfortunately not possible.

Pre-requisites

  • Certificate and key (in PEM format) used to authenticate acme2certifier towards EST server.
  • CA certificate(s) in pem format allowing to validate the certificate presented by the EST server. The CA certificates must be bundled into a single chain file as described in RFC5246 section 7.4.2

Installation and Configuration

  • copy the ca_handler into the acme directory
root@rlh:~# cp example/est_ca_handler.py acme/ca_handler.py
  • modify the server configuration (/acme/acme_srv.cfg) and add the following parameters
[CAhandler]
est_host: https://<ip>:<port>
est_client_key: <filename>
est_client_cert: <filename>
est_user: <user_name>
est_password: <password>
ca_bundle: <filename>
  • est_host - URL of the est server service
  • est_client_key - Private key of the certificate used for TLS client-auth (acme/est/est.key.pem)
  • est_client_cert - Certificate used for TLS client-auth (acme/est/est.crt.pem)
  • est_user - username for HTTP basic Authentication
  • est_password - password for HTTP basic Authentication
  • ca_bundle - CA certificate bundle needed to valiate the EST server certificate (acme/est/ca_bundle.pem). Setting to False disables the certificate check

Important: TLSClientAuth and HTTP basic authentication cannot be combined with each other

Below is the ca_bundle needed to interwork with EST reference implementation from Cisco

subject=CN = estExampleCA

issuer=CN = estExampleCA

-----BEGIN CERTIFICATE-----
MIIBUjCB+qADAgECAgkAsOsMO552gHQwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMM
ZXN0RXhhbXBsZUNBMB4XDTE5MDgwOTIwMjUzOFoXDTI5MDgwNjIwMjUzOFowFzEV
MBMGA1UEAxMMZXN0RXhhbXBsZUNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
e/4TlZtkyUP7v6F8GHdJLzjQvwahFDBj0L/oPfxf00oDHya5wsU2wT0cV7L70hPD
1n4dxhG/1JYX2UK10zflqKMvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU2f8O
cSG4J8B3LPU203cyUF2DQCEwCgYIKoZIzj0EAwIDRwAwRAIgTgMXKl86lcQr3mTo
2uXbSZt8had163ft+9LBCqoxHiICIAfzhrTBBKSUxZQDeGIahr4OLQlS7GeSNGK1
ey5tEG+Z
-----END CERTIFICATE-----
Clone this wiki locally