An EST client written in Bash
- Bash
- curl
- OpenSSL
- CertAgent 7.0.9.x
The initial device certificate (RSA4096 / SHA384) is issued by the Certificate Authority through a manual enrollment and issuance process. The public certificate is combined with the private key and 3DES-encrypted to form a PKCS#12 file (PFX / P12). The system administrator installs the P12 on the device.
Prior to expiration of the original public certificate, a reenroll request is submitted via the EST mechanism. The original client certificate is presented as the client credential (certificate-based authentication) during the enrollment. A new certificate request is generated from the original private key and must have the same Common Name (CN) as the client certificate.
- Download the latest tagged release and extract it to your home directory, or
- Clone the repo to your home directory:

```
git clone git@github.boozallencsn.com:csfc-lab/est-simplereenroll.git
```

- Edit the following variables in est-reenroll.sh:
  - puburi : set to the EST /cacerts FQDN
  - esturi : set to the EST /simplereenroll FQDN
  - origp12 : set to the path of the original client P12 to be renewed
- Execute the following:

```
./est-reenroll <p12-cn> <p12-password>
```
```
┌────────────┐                     ┌────────────┐                      ┌────────────┐
│ EST Client │                     │ EST Server │                      │   EST CA   │
└─────┬──────┘                     └──────┬─────┘                      └──────┬─────┘
      │                                   │                                   │
      │                                   │                                   │
      │                                   │                                   │
      │ (EST) Request certification       │                                   │
      ├──────────────────────────────────►│                                   │
      │                                   │                                   │
      │ Trust chain                       │                                   │
      │◄──────────────────────────────────┤                                   │
      │                                   │                                   │
      │ Validate chain                    │                                   │
      ├───────────────────┐               │                                   │
      │                   │               │                                   │
      │                   │               │                                   │
      │◄──────────────────┘               │                                   │
      │                                   │                                   │
      │ Generate key and CSR              │                                   │
      ├───────────────────┐               │                                   │
      │                   │               │                                   │
      │                   │               │                                   │
      │◄──────────────────┘               │                                   │
      │                                   │                                   │
      │ (EST) PKCS#10 certificate request │                                   │
      ├──────────────────────────────────►│                                   │
      │                                   │                                   │
      │                                   │ Validate client credent           │
      │                                   │ (Certificate auth)                │
      │                                   ├─────────────────────┐             │
      │                                   │                     │             │
      │                                   │                     │             │
      │                                   │◄────────────────────┘             │
      │                                   │                                   │
      │                                   │ Request certificate               │
      │                                   ├──────────────────────────────────►│
      │                                   │                                   │
      │                                   │ Certificate                       │
      │                                   │◄──────────────────────────────────┤
      │                                   │                                   │
      │ PKCS#7 Certificate                │                                   │
      │◄──────────────────────────────────┤                                   │
      │                                   │                                   │
      │                                   │                                   │
      │                                   │                                   │
```
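The renewal flow shown above, as an added example that is not the project's est-reenroll.sh: the offline helpers (CN extraction from an OpenSSL subject line, RFC 7030 EST URL construction) plus the curl/OpenSSL steps of the exchange. Host names, file paths and the work directory are assumptions; a FQDN argument may carry a ":port" suffix.

```shell
#!/usr/bin/env bash
# Added example, not the project's est-reenroll.sh. Hostnames, paths and the
# $work directory are assumptions; a FQDN argument may carry a ":port" suffix.
set -eu

# Pull the CN out of an "openssl x509 -noout -subject" line, e.g.
# "subject=C = US, O = Example, CN = device01" (the "/CN=" form also works).
subject_cn() {
  printf '%s\n' "${1#subject=}" \
    | sed -nE 's#.*(^|[,/]) *CN *= *([^,/]+).*#\2#p' | sed 's/ *$//'
}

# RFC 7030 well-known EST paths built from the FQDNs the script is configured with.
est_cacerts_url()  { printf 'https://%s/.well-known/est/cacerts\n' "$1"; }
est_reenroll_url() { printf 'https://%s/.well-known/est/simplereenroll\n' "$1"; }

# EST bodies are base64 DER; decode portably regardless of line wrapping.
b64_to_der() { tr -d '\r\n' | openssl base64 -d -A; }

# Renew the certificate held in $origp12 using its own key and CN.
# Talks to the EST server, so it is not part of the offline checks.
est_reenroll() {
  origp12=$1 p12pass=$2 pubfqdn=$3 estfqdn=$4 work=${5:-$PWD}
  key=$work/client.key crt=$work/client.crt csr=$work/renew.csr
  # 1. Trust chain from /cacerts (PKCS#7 certs-only) -> PEM bundle.
  curl -sSf "$(est_cacerts_url "$pubfqdn")" | b64_to_der \
    | openssl pkcs7 -inform DER -print_certs -out "$work/cacert.pem"
  # 2. Unpack the current key and certificate from the 3DES-protected P12.
  openssl pkcs12 -in "$origp12" -passin "pass:$p12pass" -nocerts -nodes -out "$key"
  openssl pkcs12 -in "$origp12" -passin "pass:$p12pass" -clcerts -nokeys -out "$crt"
  # 3. Validate the chain: the current cert must verify against the fetched CA.
  openssl verify -CAfile "$work/cacert.pem" "$crt" >/dev/null
  # 4. CSR from the original private key; the CN must match the client cert.
  cn=$(subject_cn "$(openssl x509 -in "$crt" -noout -subject)")
  openssl req -new -key "$key" -subj "/CN=$cn" -sha384 -outform DER -out "$csr"
  # 5. POST the base64 CSR with certificate-based client auth over TLS.
  curl -sSf --cacert "$work/cacert.pem" --cert "$crt" --key "$key" \
    -H 'Content-Type: application/pkcs10' -H 'Content-Transfer-Encoding: base64' \
    --data-binary "$(openssl base64 -A -in "$csr")" "$(est_reenroll_url "$estfqdn")" \
    | b64_to_der | openssl pkcs7 -inform DER -print_certs -out "$work/renewed.crt"
  # 6. The renewed certificate must carry the same CN as the one it replaces.
  [ "$(subject_cn "$(openssl x509 -in "$work/renewed.crt" -noout -subject)")" = "$cn" ]
}
```

Step 1 trusts whatever the system CA store accepts for the public /cacerts endpoint, while step 5 pins the reenroll connection to the chain just fetched; adjust if the two endpoints are issued from different CAs.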
- __dir : base script directory
- __certs : certificate store directory within the base directory
- VERSION : version number
- DETECTED_OS : displays OS name and version for debugging
- dtg : Date Time Group (timestamp)
- cacert : location of the CA root trust anchor
- capuburi : public EST URI via port 443
- cainturi : EST enrollment URI via port 8443
- cnvalue : CN used in both the original certificate and renewals
- origp12 : location of the original P12
- p12pass : password used to encrypt/decrypt the P12 and private keys
Tony Cavella cavella_tony@bah.com