CA handler using EST protocol
grindsa edited this page Aug 16, 2020 · 8 revisions
The EST protocol handler is not bound to a specific CA and implements the 'cacerts' and 'simpleenroll' calls as defined in RFC7030.
When using the handler please be aware of the following limitations:
- Authentication towards CA server is limited to ClientAuth as described in RFC7030 section 3.3.2
- Revocation operations are not supported
The handler has been tested with the following EST implementations:
- Insta Certifier
- EST reference implementation from Cisco
When using the Cisco test server make sure that the CSR generated by your ACME client has a valid common name. Enrollment using certbot is therefore unfortunately not possible.
The handler needs the following files:
- Certificate and key (in PEM format) used to authenticate acme2certifier towards the EST server.
- CA certificate(s) in PEM format allowing acme2certifier to validate the certificate presented by the EST server. The CA certificates must be bundled into a single chain file as described in RFC5246 section 7.4.2.
- copy the ca_handler into the acme directory
```bash
root@rlh:~# cp example/est_ca_handler.py acme/ca_handler.py
```
- modify the server configuration (/acme/acme_srv.cfg) and add the following parameters
```
[CAhandler]
est_host: https://<ip>:<port>
est_client_key: <filename>
est_client_cert: <filename>
ca_bundle: <filename>
```
- est_host - URL of the EST server
- est_client_key - Private key of the certificate used for TLS client-auth (acme/est/est.key.pem)
- est_client_cert - Certificate used for TLS client-auth (acme/est/est.crt.pem)
- ca_bundle - CA certificate bundle needed to validate the EST server certificate (acme/est/ca_bundle.pem)
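The following script is an added example (not acme2certifier's own handler code) showing what the four parameters above are used for: the `[CAhandler]` section is parsed and checked for completeness, `ca_bundle` and the client certificate/key feed a mutual-TLS context, and the two RFC7030 operations the handler implements, `/cacerts` and `/simpleenroll`, are issued against `est_host` with the base64 PKCS#10 request body and base64 PKCS#7 response that the protocol prescribes. The hostname and file paths in `SAMPLE_CFG` are constructed placeholders, and all function names are the example's own.

```python
"""Minimal RFC 7030 EST client pieces matching the handler's configuration:
parse the [CAhandler] section, build the mutual-TLS context and issue the
/cacerts and /simpleenroll calls.  Added example, not acme2certifier code."""
import base64
import configparser
import ssl
import urllib.request

# Constructed sample of the [CAhandler] section (hostname and paths are placeholders)
SAMPLE_CFG = """
[CAhandler]
est_host: https://est.example.test:8443
est_client_key: acme/est/est.key.pem
est_client_cert: acme/est/est.crt.pem
ca_bundle: acme/est/ca_bundle.pem
"""

REQUIRED = ("est_host", "est_client_key", "est_client_cert", "ca_bundle")


def parse_cahandler(text):
    """Return the four EST parameters, refusing incomplete or non-TLS setups."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    section = cfg["CAhandler"]
    missing = [key for key in REQUIRED if key not in section]
    if missing:
        raise ValueError("missing CAhandler parameters: " + ", ".join(missing))
    params = {key: section[key].strip() for key in REQUIRED}
    params["est_host"] = params["est_host"].rstrip("/")
    # EST authenticates with a TLS client certificate, so plain http is never valid
    if not params["est_host"].startswith("https://"):
        raise ValueError("est_host must be an https:// URL")
    return params


def est_url(est_host, operation):
    """RFC 7030 section 3.2.2: operations live under /.well-known/est/."""
    return f"{est_host}/.well-known/est/{operation}"


def build_tls_context(params):
    """Verify the EST server against ca_bundle and present the client cert."""
    ctx = ssl.create_default_context(cafile=params["ca_bundle"])
    ctx.load_cert_chain(certfile=params["est_client_cert"],
                        keyfile=params["est_client_key"])
    return ctx


def acme_csr_to_der(csr_b64url):
    """ACME (RFC 8555) carries the CSR as unpadded base64url DER; restore padding."""
    padded = csr_b64url + "=" * (-len(csr_b64url) % 4)
    return base64.urlsafe_b64decode(padded)


def pkcs7_body_to_pem(body):
    """EST answers with base64 DER PKCS#7 (certs-only); re-wrap it as PEM."""
    der = base64.b64decode(b"".join(body.split()))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PKCS7-----\n" + "\n".join(lines) + "\n-----END PKCS7-----\n"


def pem_to_der(pem):
    """Inverse of pkcs7_body_to_pem: drop the armour lines and decode."""
    lines = [line for line in pem.splitlines() if not line.startswith("-----")]
    return base64.b64decode("".join(lines))


def cacerts(params):
    """GET /cacerts: the CA certificate chain the EST server publishes."""
    req = urllib.request.Request(est_url(params["est_host"], "cacerts"), method="GET")
    with urllib.request.urlopen(req, context=build_tls_context(params)) as resp:
        return pkcs7_body_to_pem(resp.read())


def simpleenroll(params, csr_der):
    """POST /simpleenroll with the PKCS#10 request; returns the issued cert as PKCS#7 PEM."""
    req = urllib.request.Request(
        est_url(params["est_host"], "simpleenroll"),
        data=base64.b64encode(csr_der), method="POST",
        headers={"Content-Type": "application/pkcs10",
                 "Content-Transfer-Encoding": "base64"})
    with urllib.request.urlopen(req, context=build_tls_context(params)) as resp:
        return pkcs7_body_to_pem(resp.read())


if __name__ == "__main__":
    cfg = parse_cahandler(SAMPLE_CFG)
    print(est_url(cfg["est_host"], "cacerts"))
    print(est_url(cfg["est_host"], "simpleenroll"))
```

`cacerts()` and `simpleenroll()` need the real key, certificate and bundle files on disk, so only the offline parts run as-is; `ssl.create_default_context(cafile=...)` keeps hostname and chain verification enabled, which is the reason the `ca_bundle` parameter must contain the full chain of the EST server certificate.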
Below is the ca_bundle needed to interwork with the EST reference implementation from Cisco:
```
subject=CN = estExampleCA
issuer=CN = estExampleCA
-----BEGIN CERTIFICATE-----
MIIBUjCB+qADAgECAgkAsOsMO552gHQwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMM
ZXN0RXhhbXBsZUNBMB4XDTE5MDgwOTIwMjUzOFoXDTI5MDgwNjIwMjUzOFowFzEV
MBMGA1UEAxMMZXN0RXhhbXBsZUNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
e/4TlZtkyUP7v6F8GHdJLzjQvwahFDBj0L/oPfxf00oDHya5wsU2wT0cV7L70hPD
1n4dxhG/1JYX2UK10zflqKMvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU2f8O
cSG4J8B3LPU203cyUF2DQCEwCgYIKoZIzj0EAwIDRwAwRAIgTgMXKl86lcQr3mTo
2uXbSZt8had163ft+9LBCqoxHiICIAfzhrTBBKSUxZQDeGIahr4OLQlS7GeSNGK1
ey5tEG+Z
-----END CERTIFICATE-----
```