What is Enrollment Over Secure Transport?

What is enrollment over secure transport?

Enrollment over Secure Transport (EST) is a protocol used for securely obtaining digital certificates, which are often necessary for establishing secure communications, such as in SSL/TLS. Digital certificates are also instrumental in passwordless authentication for networks and applications.  EST is designed to facilitate the automated provisioning of client certificates and is commonly used in environments where devices or clients need to obtain certificates without human intervention.  It is increasing in popularity over SCEP, a similar but older protocol for digital certificate distribution.

What are the key features of enrollment over secure transport? 

  • Secure Communication: EST uses HTTPS (HTTP over SSL/TLS) to ensure that the communication between the client and the Certificate Authority (CA) is encrypted and secure. This protects the certificate enrollment process from eavesdropping and tampering.
  • Certificate Management: EST supports various operations related to certificate management, including:
    • Initial Enrollment: The client requests a new certificate from the CA.
    • Re-enrollment: The client requests a renewal or reissue of its certificate.
    • Certificate Revocation: The client can request the revocation of its certificate if it is compromised or no longer needed.
    • Server-side Key Generation: The CA can generate key pairs on behalf of the client.
  • Client Authentication: EST provides mechanisms for authenticating clients during the enrollment process, such as:
    • Username/Password Authentication: Clients can authenticate using a username and password.
    • Existing Certificate: Clients can use an existing certificate to authenticate and request a new one.
    • Simple Authentication: EST supports various forms of simple authentication to verify the client's identity.
  • CSR Attributes: EST allows clients to request specific attributes in their Certificate Signing Requests (CSRs), ensuring that the issued certificate meets the client's requirements.
  • Bootstrap Process: EST supports a bootstrap process where a client can securely obtain the CA's certificate, which is necessary for validating future communications and certificate requests.

How does enrollment over secure transport work?

Enrollment over Secure Transport (EST) works by providing a secure and automated method for clients (such as devices, applications, or users) to request and obtain digital certificates from a Certificate Authority (CA). Here is a step-by-step explanation of how EST works:

  1. Initial Setup: Before the enrollment process begins, both the client and the EST server (usually part of the CA infrastructure) must be properly configured.
    1. Client: The client needs to generate a Certificate Signing Request (CSR) and prepare any necessary authentication credentials.
    2. EST Server: The EST server must have the necessary CA certificates and be configured to handle enrollment requests.
  2. Establish Secure Connection: The client establishes a secure HTTPS (HTTP over SSL/TLS) connection to the EST server. This ensures that all communication between the client and the server is encrypted and protected from eavesdropping and tampering.
  3. Authentication: The EST protocol supports various methods of client authentication, including: Username and Password: The client can authenticate using a username and password. Existing Certificate: The client can use an existing certificate for authentication. Simple Authentication: Other forms of simple authentication mechanisms may also be supported.
  4. Certificate Enrollment: The client sends a Certificate Signing Request (CSR) to the EST server. The CSR contains the client's public key and identifying information.
  5. Server Processing: The EST server processes the CSR by performing the following steps:
    1. Validate the CSR: The server checks the CSR for correctness and ensures it has all required information.
    2. Authenticate the Client: The server verifies the client's identity using the provided authentication credentials.
    3. Approve or Reject the Request: Based on the CSR validation and client authentication, the server decides whether to approve or reject the certificate request.
  6. Certificate Issuance: If the request is approved, the EST server issues a digital certificate. The certificate is signed by the CA and includes the client's public key and other relevant information.
  7. Certificate Delivery: The server delivers the signed certificate to the client over the secure HTTPS connection.
  8. Installation and Use: The client installs the received certificate and private key (if generated by the CA) for use in secure communications.

Additional Operations Supported by EST Besides initial certificate enrollment, EST also supports other certificate lifecycle operations:

  • Re-enrollment: Clients can request the renewal or reissue of an existing certificate before it expires.
  • Certificate Revocation: Clients can request the revocation of a certificate if it is compromised or no longer needed.
  • Bootstrap Process: Clients can securely obtain the CA's certificate, which is necessary for validating the EST server's identity in future communications.

What is the difference between SCEP and enrollment over secure transport? 

Enrollment over Secure Transport (EST) and Simple Certificate Enrollment Protocol (SCEP) are both protocols designed to facilitate the automated enrollment and management of digital certificates. However, they have different features, security mechanisms, and use cases. Here are the key differences between EST and SCEP:

  • Security
    • EST:
      • Transport Security: EST uses HTTPS (HTTP over SSL/TLS) for secure communication between the client and the Certificate Authority (CA). This ensures encryption and integrity of the data in transit.
      • Authentication: EST supports various authentication mechanisms, including basic authentication (username and password), client certificates, and more advanced methods.
      • Bootstrap Process: EST includes a bootstrap process that allows a client to securely obtain the CA's certificate to validate future communications.
    • SCEP:
      • Transport Security: SCEP typically uses HTTP or HTTPS, but the security of the protocol relies heavily on the underlying transport layer.
      • Authentication: SCEP primarily uses pre-shared secrets (a one-time password) for authentication during the initial enrollment. This can be less secure compared to the flexible and stronger authentication methods supported by EST.
      • Bootstrap Process: SCEP does not have a built-in bootstrap process for obtaining the CA certificate securely, which can make initial trust establishment more challenging.
  • Protocol Maturity and Features
    • EST:
      • Maturity: EST is a more modern protocol and is considered to have better security practices and more features.
      • Support for CSR Attributes: EST allows clients to request specific attributes in their Certificate Signing Requests (CSRs), providing greater flexibility.
      • Additional Operations: EST supports certificate renewal (re-enrollment) and revocation as part of its standard operations.
    • SCEP:
      • Maturity: SCEP is an older protocol and has been widely used in various environments, but it is considered less secure than EST.
      • CSR Attributes: SCEP has limited support for CSR attributes and lacks the flexibility offered by EST in this regard.
      • Basic Operations: SCEP supports basic certificate enrollment and renewal, but its feature set is not as comprehensive as EST.
  • Use Cases and Adoption
    • EST:
      • Enterprise Networks: EST is often used in enterprise environments where security and flexibility are paramount.
      • IoT Devices: EST is suitable for Internet of Things (IoT) devices that require secure and automated certificate enrollment.
    • SCEP:
      • Legacy Systems: SCEP is commonly found in legacy systems and environments where it has been historically deployed.
      • Wider Adoption: Despite its security limitations, SCEP is still widely used due to its long-standing presence and compatibility with many existing systems.
  • Operational Differences
    • EST:
      • Client Initialization: EST clients prepare a CSR and authenticate using supported methods before sending the CSR over an HTTPS connection.
      • Server Processing: The EST server validates the CSR, authenticates the client, and issues the certificate over the same secure connection.
      • Bootstrap: EST allows clients to obtain the CA's certificate securely, ensuring trust establishment.
    • SCEP:
      • Client Initialization: SCEP clients also prepare a CSR but typically use a pre-shared secret for initial authentication.
      • Server Processing: The SCEP server processes the CSR and the client's authentication token, then issues the certificate.
      • Initial Trust: SCEP does not provide a built-in mechanism for securely obtaining the CA's certificate, which can lead to trust issues.

 

Summary:

  • EST: More modern, secure, and flexible, making it suitable for environments that require robust security and advanced features.
  • SCEP: Older and simpler, with wider historical adoption but less secure and flexible compared to EST.

Both protocols aim to simplify the process of certificate enrollment, but EST provides enhanced security features and flexibility, making it a preferred choice for new deployments and environments that prioritize security.