Enrollment over Secure Transport (EST)

​

Concept

Enrollment over Secure Transport (EST) is a protocol used to automate the secure provisioning of digital certificates for devices and applications over a secure HTTPS connection. It is primarily used when a client device needs to obtain or renew a certificate from a Certificate Authority (CA) on Infisical in a secure and standardized manner. EST is commonly employed in environments requiring strong authentication and encrypted communication, such as in IoT, enterprise networks, and secure web services.

Infisical’s EST service is based on RFC 7030 and implements the following endpoints:

• cacerts - provides the necessary CA chain for the client to validate certificates issued by the CA.
• simpleenroll - allows an EST client to request a new certificate from Infisical’s EST server
• simplereenroll - similar to the /simpleenroll endpoint but is used for renewing an existing certificate.

These endpoints are exposed on port 8443 under the .well-known/est path e.g. https://app.infisical.com:8443/.well-known/est/estLabel/cacerts

​

Prerequisites

• You need to have an existing CA hierarchy.
• The client devices need to have a bootstrap/pre-installed certificate.
• The client devices must trust the server certificates used by Infisical’s EST server. If the devices are new or lack existing trust configurations, you need to manually establish trust for the appropriate certificates.
  • For Infisical Cloud users, the devices must be configured to trust the Amazon root CA certificates.

​

Guide to configuring EST

1. Set up a certificate template with your selected issuing CA. This template will define the policies and parameters for certificates issued through EST. For detailed instructions on configuring a certificate template, refer to the certificate templates documentation.

2. Proceed to the certificate template’s enrollment settings

3. Select EST as the client enrollment method and fill up the remaining fields.

   

   • Disable Bootstrap Certificate Validation - Enable this if your devices are not configured with a bootstrap certificate.
   • Certificate Authority Chain - This is the certificate chain used to validate your devices’ manufacturing/pre-installed certificates. This will be used to authenticate your devices with Infisical’s EST server.
   • Passphrase - This is also used to authenticate your devices with Infisical’s EST server. When configuring the clients, use the value defined here as the EST password.

   For security reasons, Infisical authenticates EST clients using both client certificate and passphrase.

4. Once the configuration of enrollment options is completed, a new EST Label field appears in the enrollment settings. This is the value to use as label in the URL when configuring the connection of EST clients to Infisical.

   The complete URL of the supported EST endpoints will look like the following:

   • https://app.infisical.com:8443/.well-known/est/f110f308-9888-40ab-b228-237b12de8b96/cacerts
   • https://app.infisical.com:8443/.well-known/est/f110f308-9888-40ab-b228-237b12de8b96/simpleenroll
   • https://app.infisical.com:8443/.well-known/est/f110f308-9888-40ab-b228-237b12de8b96/simplereenroll

​

Setting up EST clients

• To use the EST passphrase in your clients, configure it as the EST password. The EST username can be set to any arbitrary value.
• Use the appropriate client certificates for invoking the EST endpoints.
  • For simpleenroll, use the bootstrapped/manufacturer client certificate.
  • For simplereenroll, use a valid EST-issued client certificate.
• When configuring the PKCS#12 objects for the client certificates, only include the leaf certificate and the private key.