The Enrollment over Secure Transport (EST) protocol, specified in RFC 7030, is used to enroll a certificate from a Certificate Authority (CA). SR OS supports the following EST client-side operations:
download a CA certificate (/cacert)
enroll a new certificate (/simpleenroll)
renew an existing certificate (/simplereenroll)
The admin certificate est commands perform the preceding operations. Each operation requires an EST profile, which contains the EST configuration.
The following options are supported for the SR OS client to authenticate the EST server.
Explicit trust anchor (TA) authentication is achieved by configuring the config>system>security>tls>client-tls-profile>trust-anchor-profile name command in the client TLS profile that is referenced in the EST profile.
If the trust-anchor-profile is not configured, the SR OS client does not authenticate the EST server.
The following options are supported for the EST server to authenticate the SR OS client.
Client certificate authentication is achieved by configuring the config>system>security>tls>cert-profile name parameter in the config>system>security>tls>client-tls-profile context that is referenced in the EST profile.
HTTP authentication is achieved by configuring the config>system>security>pki>est-profile>http-auth command. This option requires configuring the config>system>security>tls>client-tls-profile>trust-anchor-profile name parameter referenced in the EST profile.
No authentication is performed if neither of the preceding options is configured.
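The following configuration is an added example, not taken from the SR OS documentation, showing the mutually authenticated combination of the options above: the client TLS profile carries both a trust-anchor-profile (the SR OS client validates the EST server) and a cert-profile (the EST server can authenticate the client), and the EST profile references that TLS profile and adds HTTP authentication. Profile and file names are placeholders; the server address line and the inner syntax of the trust-anchor-profile and cert-profile bodies are assumed classic-CLI forms, and only the parameters named in the text above are taken from the documentation.

```text
# Added example; placeholder names, assumed syntax where marked.
configure
    system
        security
            tls
                # Trust anchor the EST server's TLS certificate must chain to.
                # If the client-tls-profile below omits trust-anchor-profile,
                # the SR OS client does not authenticate the EST server at all.
                trust-anchor-profile "est-ta" create   # body syntax assumed
                    trust-anchor "est-ca"
                exit
                # Certificate and key the SR OS client presents to the EST server.
                cert-profile "est-client" create       # body syntax assumed
                    entry 1 create
                        cert "router.crt"
                        key "router.key"
                    exit
                    no shutdown
                exit
                client-tls-profile "est-tls" create
                    trust-anchor-profile "est-ta"      # explicit TA: server authentication
                    cert-profile "est-client"          # client certificate authentication
                    no shutdown
                exit
            exit
            pki
                est-profile "est1" create
                    server fqdn est.example.com port 443   # assumed syntax
                    client-tls-profile "est-tls"
                    # HTTP authentication is only permitted together with the
                    # trust-anchor-profile above, so the credential is sent only
                    # to a server the client has authenticated.
                    http-auth username "router1" password "placeholder-secret"
                exit
            exit
        exit
    exit
exit
```

Removing the cert-profile line leaves HTTP authentication as the only client authentication; removing both it and http-auth yields the "no authentication" case described in the text.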