Java Implementation of Enrollment over Secure Transport

Jester

Jester is an open source Java implementation of Enrollment over Secure Transport (RFC 7030). Jester aims to be 100% compatible with Cisco's libest implementation.

Requirements

  • Java 7/8

Running Jester

You can start the Jester server like so:

mvn clean install
cd jester-sample-war
mvn jetty:run

You should now have a functioning EST server at: https://localhost:8443/.well-known/est/.

Testing Jester with OpenSSL

CA Distribution

You should be able to retrieve the CA certificates at https://localhost:8443/.well-known/est/cacerts and parse them with OpenSSL, like so:

curl --insecure --silent https://localhost:8443/.well-known/est/cacerts \
  | base64 --decode -i \
  | openssl pkcs7 -inform DER -print_certs -text -noout

The above command will typically produce the following output:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1395086926 (0x5327564e)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=US, CN=Jester
        Validity
            Not Before: Mar 17 20:08:46 2014 GMT
            Not After : Mar 12 20:08:46 2034 GMT
        Subject: C=US, CN=Jester
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha512WithRSAEncryption

Certificate Enrollment

Send a PKCS #10 certificate signing request to Jester, and read back the resulting PKCS #7 structure.

openssl req -inform PEM -outform DER -in src/main/resources/jester.p10 \
  | base64 \
  | curl --insecure --silent -d @- https://localhost:8443/.well-known/est/simpleenroll \
  | base64 --decode -i \
  | openssl pkcs7 -inform DER -print_certs -text -noout
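
Both curl commands above pass --insecure, so nothing authenticates the server that supplied the CA certificates. The following is an added example, not part of Jester: it parses a /cacerts response body (base64 of a DER PKCS #7 signedData structure) and returns the SHA-256 fingerprint of each certificate, for comparison with a value obtained out of band. The function names and the sample body are assumptions made for illustration.

```python
import base64
import hashlib

SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, element_start, value_start, value_end) for each child."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        if ve > end:
            raise ValueError("child element overruns its parent")
        yield tag, start, vs, ve
        start = ve

def cacerts_fingerprints(body):
    """SHA-256 fingerprint of every certificate in an EST /cacerts body."""
    der = base64.b64decode(body)  # newlines in the body are skipped
    tag, vs, ve = read_tlv(der, 0)
    top = list(children(der, vs, ve))
    if tag != 0x30 or len(top) != 2 or top[0][0] != 0x06 \
            or der[top[0][2]:top[0][3]] != SIGNED_DATA or top[1][0] != 0xA0:
        raise ValueError("not a PKCS #7 signedData ContentInfo")
    inner = list(children(der, top[1][2], top[1][3]))  # [0] EXPLICIT wrapper
    if len(inner) != 1 or inner[0][0] != 0x30:
        raise ValueError("malformed SignedData")
    return [hashlib.sha256(der[es:ee]).hexdigest()  # hash of the whole DER certificate
            for t, _, cs, ce in children(der, inner[0][2], inner[0][3]) if t == 0xA0
            for ct, es, _, ee in children(der, cs, ce) if ct == 0x30]

# Constructed sample: a certs-only SignedData whose single "certificate" is the
# placeholder SEQUENCE 30 03 02 01 01, not a real X.509 certificate.
SAMPLE_BODY = base64.encodebytes(bytes.fromhex(
    "302a06092a864886f70d010702a01d301b0201013100"
    "300b06092a864886f70d010701a00530030201013100"))
SAMPLE_FINGERPRINTS = cacerts_fingerprints(SAMPLE_BODY)
```

For a real response, pass the output of the curl command (before the base64 --decode step) to cacerts_fingerprints.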

Related Documents

Out of Scope

  • §3.3.3 - Certificate-less TLS Mutual Authentication (No RFC 5054 in JSSE)
  • §3.5 - Linking Identity and PoP information (No RFC 5929 in JSSE)