Certificate enrollment via EST protocol

As part of Trust Protection Platform, the Enrollment over Secure Transport (EST) service handles certificate enrollment and re-enrollment requests from clients that use the EST protocol.

An EST client, such as a network device, can perform the following functions:

  • Retrieve the certificate of the issuing Certificate Authority and its chain
  • Initiate an initial certificate enrollment
  • Initiate certificate re-enrollment (renewal)

For example, a network device (the EST client) sends an enrollment request to the EST service. The EST service verifies that the client is authenticated, then creates a certificate object and marks it for processing. The EST service acts as an intermediary registration authority (RA) to the CA that signs the certificate. After the CA signs the certificate, Trust Protection Platform retrieves it from the CA and returns it to the EST client.

When initiating a request, the EST client must provide the correct EST URL. If only one CA service is used, the URL is similar to http://tpp.example.com/.well-known/est. For multiple CAs and CA templates, the EST client appends a CA Label string to the base URL, for example http://tpp.example.com/.well-known/est/network-device, where network-device is the CA Label. The CA Label can be configured in the membership criteria for each Group.
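The following is an added example, not code from Trust Protection Platform or its documentation. It shows how an EST client assembles the URL for the three operations listed above (RFC 7030 names them cacerts, simpleenroll and simplereenroll) from a base URL and an optional CA Label, and what the request looks like on the wire. The host tpp.example.com and the label network-device are the page's example values; the helper names and the sample DER bytes are constructed for the example. Because EST is defined over TLS (RFC 7030), the example insists on an https:// base URL and takes a CA bundle for server verification rather than trusting whatever the server returns from cacerts.

```python
"""Minimal EST (RFC 7030) client-side helpers: URL layout, request shape,
and a sanity check on the PKCS#7 response.  Standard library only.
Constructed example code; not part of the product being described."""
import base64
import re
import ssl
import urllib.request

# Operation name -> HTTP method, per RFC 7030 section 3.2.2.
EST_OPERATIONS = {
    "cacerts": "GET",           # retrieve the issuing CA certificate and chain
    "simpleenroll": "POST",     # initial enrollment (PKCS#10 in, PKCS#7 out)
    "simplereenroll": "POST",   # renewal of an existing certificate
}

# A CA label is a single URI path segment; restrict it to unreserved chars.
_LABEL_RE = re.compile(r"^[A-Za-z0-9._~-]+$")


def est_url(base, operation, ca_label=None):
    """Build https://<host>/.well-known/est[/<ca_label>]/<operation>.

    base      e.g. "https://tpp.example.com" (EST requires TLS)
    ca_label  optional label selecting a CA / template, e.g. "network-device"
    """
    if operation not in EST_OPERATIONS:
        raise ValueError(f"unknown EST operation: {operation}")
    if not base.lower().startswith("https://"):
        raise ValueError("EST runs over TLS; the base URL must use https://")
    path = "/.well-known/est"
    if ca_label is not None:
        if not _LABEL_RE.match(ca_label):
            raise ValueError("CA label must be one URI path segment")
        path += "/" + ca_label
    return base.rstrip("/") + path + "/" + operation


def build_request(base, operation, csr_der=None, ca_label=None):
    """Return (method, url, headers, body) for one EST operation.

    Enrollment bodies are a base64 PKCS#10 CSR with
    Content-Type application/pkcs10 (RFC 7030 section 4.2.1).
    """
    url = est_url(base, operation, ca_label)
    method = EST_OPERATIONS[operation]
    headers = {"Accept": "application/pkcs7-mime"}
    body = None
    if method == "POST":
        if not csr_der:
            raise ValueError(f"{operation} needs a DER-encoded PKCS#10 CSR")
        headers["Content-Type"] = "application/pkcs10"
        headers["Content-Transfer-Encoding"] = "base64"
        body = base64.encodebytes(csr_der)   # 76-column base64 with newlines
    return method, url, headers, body


def parse_pkcs7_response(headers, body):
    """Check the response content type and decode the base64 PKCS#7 payload.

    Returns the DER bytes; raises ValueError on anything that does not look
    like a certs-only PKCS#7 (RFC 7030 sections 4.1.3 and 4.2.3).
    """
    ctype = next((v for k, v in headers.items()
                  if k.lower() == "content-type"), "")
    if not ctype.lower().startswith("application/pkcs7-mime"):
        raise ValueError(f"unexpected Content-Type: {ctype!r}")
    der = base64.b64decode(body, validate=False)
    if not der or der[0] != 0x30:            # outer ASN.1 SEQUENCE tag
        raise ValueError("response is not a DER SEQUENCE")
    return der


def send(method, url, headers, body, cafile, client_cert=None):
    """Perform the request over TLS, verifying the server against `cafile`
    (an explicit trust anchor obtained out of band, not from cacerts).
    `client_cert` is a (cert_pem, key_pem) pair for re-enrollment with
    TLS client authentication.  Not exercised offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_pkcs7_response(dict(resp.headers), resp.read())


if __name__ == "__main__":
    # Constructed CSR bytes: a placeholder, not a real PKCS#10 structure.
    fake_csr = b"\x30\x00"
    for op in ("cacerts", "simpleenroll", "simplereenroll"):
        m, u, h, b = build_request("https://tpp.example.com", op,
                                   csr_der=fake_csr, ca_label="network-device")
        print(m, u, h, b)
```

Two points a practitioner will want to keep in mind when adapting this: the trust anchor used to verify the EST server belongs in the client before the first cacerts call, and re-enrollment should present the previously issued certificate as a TLS client certificate so the service can tie the renewal to an existing identity.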