EST client installation and use
© 2016 Cisco Systems, Inc. All rights reserved.
Introduction
EST is an IETF standard that "describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA." EST went through several iterations in the IETF, and multiple vendors and independent parties in the standards community participated in the effort.
EST is the successor to SCEP, a protocol initially sponsored by Cisco. SCEP has become the de facto standard for certificate provisioning, but although it is widely used, it is not standardized. (Recently it was taken up again by the IETF for standardization, but a lack of area director support makes standardization unlikely.) Beyond the broad community participation in its development, EST also offers a number of security advantages over SCEP, including support for elliptic curve cryptography (ECC) certificates and the availability of open-source code. Cisco itself has open-sourced libEST, a library that offers EST client and server functionality, in order to promote its adoption and interoperability across vendors.
EST has several advantages:
- It uses TLS for the highly secure transport of certificates and messages.
- The transport is tied to the request. The certificate signing request (CSR) can be tied to a requestor that is already trusted and authenticated, so the certificate requestor owns the private key and the certificate is provided only to the entity requesting it.
- There are open-source implementations of EST for vendors and private parties to experiment with and adopt.
- It supports ECC certificates.
- It supports certificate reenrollment.
The issue of certificate provisioning and PKI is ubiquitous. Other communities such as OpenStack are addressing it with similar and different approaches. We believe that EST is the best candidate solution because of the openness of its development, the open-source code available, and the advantages it offers. For more information on EST and its advantages, refer to the PKI: Simplify Certificate Provisioning with EST whitepaper.
The sections below present the basic steps of using the existing EST client software. Developers can follow these to install and use the existing open-source libraries. A tool we do not present in this document is jester, a Java implementation of EST. jester includes an EST client and server, but it is beyond the scope of this document. As stated on its page, "jester aims to be 100% compatible with Cisco's libest implementation." Cisco did not write or test jester and does not own or support it.
Installation and Use
The instructions below were performed using a 64-bit CentOS 7 virtual machine. They should work the same on all Red Hat–based systems and very similarly on others such as Ubuntu. The goal of the steps is to take a new user through the process of getting the open-source EST libraries working against an EST server. We do not demonstrate the full EST protocol, but by following the steps you should be able to make full use of the options that the libraries offer in order to use an EST client with an EST server. For our case, we use the Cisco® public EST server located at http://testrfc7030.cisco.com. For more information on how to use the server with libEST, refer to the EST server section of the Cisco IOS EST client example whitepaper.