PKI EST

EST (Enrollment over Secure Transport) (RFC 7030) defines the protocol that devices use to request trusted certificate authority (CA) certificates and to enroll / re-enroll device certificates from CA services using secure channels, specifically HTTP over TLS.

Devices can be configured to request the trusted CA certificates and to request enrollment, and re-enrollment of device certificates automatically, without the need for administrator intervention, while maintaining the security and integrity of the whole enrollment process.

The switch includes an EST client implemented as a part of the PKI infrastructure.

NOTE:
For detailed CLI command descriptions see:

EST usage overview

  • 开关上的是客户需要什么profile configuration, including EST server URL and the VRF providing HTTP connection to the EST server.

  • At the time the URL is set in the EST profile, the switch connects to the EST server and downloads the trusted CA certificate chain. To accommodate CA certificate updates, the certificate chain is also downloaded before a certificate enrollment or re-enrollment is attempted.

  • EST supports up to:

    • 16 EST profiles

    • 63 trusted CA certificates downloaded from EST servers.

    • 18 device certificates enrolled through EST services.

  • EST profile configuration is supported through the CLI and the REST APIPKI_EST_Profile.

  • CA certificate request and device certificate enrollment is supported through the CLI and the REST custom APICertificateManager /certificate.

Prerequisites for using EST for certificate enrollment

  • Establish the PKI infrastructure for you organization, with the CA chain and service ready to issue certificates. Issue a service certificate for the EST server.

  • Install the root CA certificate in a TA profile on the switch that will validate the EST server certificate using CLI commands cryptopki ta-profileandta-certificate.

  • Optionally, preconfigure an EST client certificate on the switch.

  • Make the EST server reachable from the switch. Connect the CA service(s) to the EST server. If there is a client certificate for the EST client, install the root CA certificate on the server that will validate the client certificate.

EST profile configuration

In the global configuration context, create an EST profile and enter its context:
crypto pki est-profile
In an EST profile context, configure the EST profile parameters using these commands:
urlvrfusernamepassword [ciphertext| plaintext] retry-intervalretry-countarbitrary-labelarbitrary-label-enrollmentarbitrary-label-reenrollmentreenrollment-lead-time

Certificate enrollment

In the global configuration context, create a certificate and enter its context:
crypto pki certificate
In a certificate configuration context, configure the certificate parameters:
key-type {rsa [key-size] | ecdsa [curve-size]} subject [common-name] [country] [locality] [org] [org-unit] [state]
In a certificate configuration context, enroll the certificate using an EST service:
enroll est-profile

Certificate re-enrollment

  • The re-enrollment request is sent automatically to the same EST server that was used for the original enrollment.

  • 介绍了c的开关ertificate being re-enrolled to the EST server for authentication. If the certificate has expired or authentication fails for any reason, the switch falls back to using the EST client certificate or the username and password in the EST profile, whichever is configured, and performs a new certificate enrollment.

  • Re-enrollment lead-time is configurable in the EST profile using CLI commandreenrollment-lead-time. It sets the number of days before certificate expiry date that certificate re-enrollment will be initiated.

Checking EST profile and certificate configuration

Show the list of EST profiles or details of a specific EST profile:
show crypto pki est-profile []
Show a list of TA profiles whether directly configured or EST-enrolled, or details of a specific TA profile:
show crypto pki ta-profile []
Show the list of certificates whether directly configured or EST-enrolled, or details of a specific certificate:
show crypto pki certificate [[plaintext | pem]]
Show all certificates assigned to the switch EST client as well as certificates that are assigned to other applications on the switch.:
show crypto pki application

EST best practices

Ensure the following:

  • A time synchronization service is used on both the switch (the EST client) and the EST server.

  • In all CA certificates, theBasic Constraintsfield hasCA设置为true,pathlenis set appropriately, andKey Usageis set withkeyCertSign.

  • In all leaf certificates, theExtended Key Usagefield is set with the appropriate purpose as follows:

    • For server certificates, set withserverAuth. TheKey Usage fieldhas at least one ofdigitalSignature,keyEncipherment, orkeyAgreement.

    • For client certificates, set withclientAuth. TheKey Usage fieldhas at least one ofdigitalSignature, orkeyAgreement.

  • The EST server is configured to include the intermediate issuer CA certificates in the trusted CA certificate chain that the EST server sends to the switch (the EST client) upon request.