Certificate Enrollment using EST - icom OS Routers


Protocols for the simple enrollment of certificates increase the scalability of enrollment in large-scale network environments with a PKI (public key infrastructure). Besides the initial enrollment of certificates, their regular renewal is also supported: the client automatically sends a renewal request to the server once the remaining lifetime of its certificate falls below a certain threshold. This permits a significantly shorter certificate lifetime than would be practicable with manual generation and enrollment, which improves security.

All obtained certificates, keys and revocation lists are available for selection in the respective drop-down lists. For this, the certificate enrollment instance that obtains the required certificate must be selected.

At the moment, the EST (Enrollment over Secure Transport) protocol is supported for certificate enrollment.

If a certificate enrollment server is configured and the profile is activated, the sequence is as follows:

  • The client retrieves the CA certificate from the EST server

  • The client generates its own private key

  • The client generates a certificate signing request (CSR)

  • The client sends the certificate signing request in PKCS#10 format to the EST server within the scope of an Enrollment

  • If the EST server accepts the Enrollment, it generates the client certificate and signs it with the CA

  • If so, the client retrieves the certificate

  • The client regularly checks the remaining lifetime of its certificate and, if the remaining lifetime has fallen below a certain threshold (parameter Share of lifetime before automatic renewal), sends a new CSR within the scope of a Reenrollment

If the CA certificate is about to expire, both the CA certificate and the client certificate are replaced within the scope of a Rollover.

Please note!

Client certificate and key, CA certificate and CRL are not stored in the profile of the router and can therefore not be duplicated by downloading the binary profile and uploading it to another router.

There is no way (such as web interface, CLI, ASCII configuration or binary configuration) to download the private key from the router!

The current state of each EST instance is shown in the router's user interface under Administration → Certificates, in the Status column of the Certificate Enrollment (EST) section. The state can also be queried in the CLI with the command status.sysdetail.cert_enrollment.enrollment[x].state. The following states are possible:

User interface                    CLI                    Remark
Inactive                          inactive
Not in running profile            -                      Is displayed if a new EST instance has been created but the profile has not yet been activated.
Generating private key            create_key_pair
Downloading CA certificate        obtain_ca
Downloading client certificate    request_client_cert
Client certificate exists         idle
Generating CSR                    create_csr
Renewal of certificates           reenrollment
Error: Configuration invalid      init