PKI --EST(1)                      strongSwan                      PKI --EST(1)

NAME

       pki --est - Enroll an X.509 certificate with an EST server


SYNOPSIS

       pki --est --url url [--label label] [--in file] --cacert file [--cert
                 file|--certid hex --key file|--keyid hex]
                 [--userpass username:password] [--interval time]
                 [--maxpolltime time] [--outform encoding] [--debug level]

       pki --est --options file

       pki --est -h | --help


DESCRIPTION

       This sub-command of pki(1) sends a PKCS#10 certificate request via
       HTTPS to a server using the Enrollment over Secure Transport (EST)
       Protocol (RFC 7030). After successful authorization, which with manual
       authentication requires periodic polling by the enrollment client, the
       EST server returns an X.509 certificate signed by the CA.

       Before the expiry of the current certificate, a new client certificate
       based on a fresh private key can be requested, using the old
       certificate and the old key for automatic TLS client authentication
       with the EST server.


OPTIONS

       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -u, --url url
              URL of the EST server.

       -l, --label label
              Label in the EST server path.

       -i, --in file
              PKCS#10 certificate request. If not given, the certificate
              request is read from STDIN.

       -C, --cacert file
              CA certificate in the trust chain used for EST TLS server
              signature verification or in the trust chain to verify the
              client certificate issued by the CA. Can be used multiple times.

       -c, --cert file
              Client certificate to be renewed.

       -X, --certid hex
              Smartcard or TPM 2.0 client certificate object handle.

       -k, --key file
              Client private key to be replaced.

       -x, --keyid hex
              Smartcard or TPM 2.0 client private key object handle.

       -p, --userpass username:password
              Optional username:password that may be used for HTTP basic
              authentication.

       -t, --interval time
              Poll interval in seconds, defaults to 60s. This value might get
              overridden by the retry-after header in the HTTP 202 reply from
              the EST server.

       -m, --maxpolltime time
              Maximum poll time in seconds, defaults to 0 which means
              unlimited polling.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER)
              or pem (Base64 PEM), defaults to der.


EXAMPLES

       To save some typing, the following command line options are stored in
       an est.opt file:

       --url https://pki.strongswan.org:8443
       --cacert tlsca.crt
       --cacert tlsca-1.crt
       --cacert myca.crt
       --cacert myca-1.crt

       NOTE: For a successful HTTPS connection, trust must be established into
       the EST server certificate. The TLS trust chain including the root CA
       certificate and optionally intermediate CA certificates must be given
       using multiple --cacert options.

       The --cacert option must also be used to be able to verify the received
       client certificate issued by the CA. This second trust chain might be
       identical to the TLS trust chain (if the EST server is using a TLS
       server certificate issued by its own CA) or might be totally different,
       e.g. if a Let's Encrypt EST server certificate is used.

       With the following command, an X.509 certificate signed by the
       intermediate CA is requested from an EST server based on a PKCS#10
       certificate request:

       pki --options est.opt --in moonReq.der > moonCert.der

       negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384
       received TLS server certificate 'C=CH, O=strongSwan Project, CN=pki.strongswan.org'
         using certificate "C=CH, O=strongSwan Project, CN=pki.strongswan.org"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
         EST request pending, polling indefinitely every 300 seconds
         going to sleep for 300 seconds
         ...
       Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         serial: 1a:ff:de:66:d9:38:ea:d5:b6:da
         using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
       Issued certificate is trusted, valid from Aug 22 15:19:43 2022 until Aug 22 15:19:43 2023 (currently valid)

       This certificate can be renewed some time before it expires with the
       command:

       pki --options est.opt --in moonReqNew.der --cert moonCert.der --key moonKey.der > moonCertNew.der

       negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384
       received TLS server certificate 'C=CH, O=strongSwan Project, CN=pki.strongswan.org'
         using certificate "C=CH, O=strongSwan Project, CN=pki.strongswan.org"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
       sending TLS client certificate 'C=CH, O=strongSwan Project, CN=moon.strongswan.org'
       sending TLS intermediate certificate 'C=CH, O=strongSwan Project, CN=strongSwan Issuing CA'
       Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         serial: 1b:ff:ad:dc:2f:50:c4:cb:a1:44
         using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
       Issued certificate is trusted, valid from Jul 20 12:21:00 2023 until Jul 20 12:21:00 2024 (currently valid)

       If the private key and the certificate of the client are stored in a
       TPM 2.0, the renewal can be done with the following options:

       pki --options est.opt --in moonReqNew.der --certid 0x01800004 --keyid 0x81010004 > moonCertNew.der

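       The enrollment and renewal steps above, wrapped into an unattended
       renewal script. This is an added example and not part of the strongSwan
       man page or the pki tool; it assumes openssl(1) for the expiry check,
       and the file names, issuing CA chain files and lead time are
       hypothetical.

```shell
#!/bin/sh
# Added example, not part of the strongSwan man page: an unattended renewal
# routine around `pki --est`. Assumptions: the est.opt file from EXAMPLES
# exists in the working directory, myca.crt/myca-1.crt hold the issuing CA
# chain, openssl(1) is available for the expiry check, and all file names
# and the 30-day lead time are hypothetical.
set -eu

# Print the contents of an option file as described under EXAMPLES:
# $1 = EST server URL, remaining arguments = CA certificates (TLS chain and
# issuing chain), one --cacert line each.
est_opts() {
  url=$1; shift
  printf '%s\n' "--url $url"
  for ca in "$@"; do printf '%s\n' "--cacert $ca"; done
}

# True when the DER certificate $1 expires within the next $2 seconds.
needs_renewal() {
  ! openssl x509 -inform DER -in "$1" -noout -checkend "$2"
}

# $1 = current cert, $2 = current key, $3 = subject DN for the new request,
# $4 = lead time in seconds. A fresh key and PKCS#10 request are generated,
# the old cert/key authenticate the TLS session (the renewal case from the
# DESCRIPTION), and the live files are replaced only after the received
# certificate verifies against the issuing CA chain.
renew_cert() {
  cert=$1 key=$2 dn=$3 lead=$4
  needs_renewal "$cert" "$lead" || { echo "renewal not due yet"; return 0; }
  umask 077                         # the new private key must not be world-readable
  pki --gen --type ecdsa --size 256 --outform der > "$key.new"
  pki --req --in "$key.new" --dn "$dn" --outform der > req.der
  # Bound the polling: --maxpolltime 0 (the default) could hang a cron job forever.
  pki --est --options est.opt --in req.der --cert "$cert" --key "$key" \
      --maxpolltime 900 --outform der > "$cert.new"
  if ! pki --verify --in "$cert.new" --cacert myca.crt --cacert myca-1.crt; then
    rm -f "$cert.new" "$key.new"; echo "issued certificate failed verification" >&2
    return 1
  fi
  mv "$key" "$key.old"; mv "$cert" "$cert.old"   # keep the previous pair as fallback
  mv "$key.new" "$key"; mv "$cert.new" "$cert"
  rm -f req.der
}

if [ "${1:-}" = "--run" ]; then
  renew_cert moonCert.der moonKey.der "C=CH, O=strongSwan Project, CN=moon.strongswan.org" 2592000
fi
```

       Invoke it with --run from a daily cron job; nothing is replaced unless
       the certificate is within the lead time and the issued certificate
       verifies.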

SEE ALSO

       pki(1)



5.9.11                            2022-08-22                      PKI --EST(1)