PKI --EST(1)                        strongSwan                        PKI --EST(1)

NAME
       pki --est - Enroll an X.509 certificate with an EST server

SYNOPSIS
       pki --est --url url [--in file] --cacert file [--cert file|--certid hex]
               [--key file|--keyid hex] [--userpass username:password]
               [--interval time] [--maxpolltime time] [--outform encoding]
               [--debug level]

       pki --est --options file

       pki --est -h | --help

19 This sub-command of pki(1) sends a PKCS#10 certificate request via
20 HTTPS to a server using the Enrollment over Secure Transport (EST) Pro‐
21 tocol (RFC 7030). After successful authorization which with manual au‐
22 thentication requires periodic polling by the enrollment client, the
23 EST server returns an X.509 certificate signed by the CA.
24
25 Before the expiry of the current certificate, a new client certificate
26 based on a fresh private key can be requested, using the old certifi‐
27 cate and the old key for automatic TLS client authentication with the
28 EST server.
29
OPTIONS
       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -u, --url url
              URL of the EST server.

       -i, --in file
              PKCS#10 certificate request. If not given, the certificate request
              is read from STDIN.

       -C, --cacert file
              CA certificate in the trust chain used for EST TLS server signature
              verification or in the trust chain to verify the client certificate
              issued by the CA. Can be used multiple times.

       -c, --cert file
              Client certificate to be renewed.

       -X, --certid hex
              Smartcard or TPM 2.0 client certificate object handle.

       -k, --key file
              Client private key to be replaced.

       -x, --keyid hex
              Smartcard or TPM 2.0 client private key object handle.

       -p, --userpass username:password
              Optional username:password that may be used for HTTP basic
              authentication.

       -t, --interval time
              Poll interval in seconds, defaults to 60s. This value might get
              overridden by the Retry-After header in the HTTP 202 reply from the
              EST server.

       -m, --maxpolltime time
              Maximum poll time in seconds, defaults to 0 which means unlimited
              polling.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER) or
              pem (Base64 PEM), defaults to der.

EXAMPLES
       To save typing, the following command line options are stored in an
       est.opt file:

           --url https://pki.strongswan.org:8443
           --cacert tlsca.crt
           --cacert tlsca-1.crt
           --cacert myca.crt
           --cacert myca-1.crt

       NOTE: For a successful HTTPS connection, trust must be established in the
       EST server certificate. The TLS trust chain, including the root CA
       certificate and optionally intermediate CA certificates, must be given
       using [multiple] --cacert options.

       The --cacert option must also be used to be able to verify the received
       client certificate issued by the CA. This second trust chain might be
       identical to the TLS trust chain (if the EST server is using a TLS server
       certificate issued by its own CA) or might be totally different, e.g. if
       the EST server uses a TLS certificate issued by Let's Encrypt.

       With the following command, an X.509 certificate signed by the
       intermediate CA is requested from an EST server based on a PKCS#10
       certificate request:

           pki --options est.opt --in moonReq.der > moonCert.der

           negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384
           received TLS server certificate 'C=CH, O=strongSwan Project, CN=pki.strongswan.org'
           using certificate "C=CH, O=strongSwan Project, CN=pki.strongswan.org"
           using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
           using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
           reached self-signed root ca with a path length of 1
           EST request pending, polling indefinitely every 300 seconds
           going to sleep for 300 seconds
           ...
           Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
           serial: 1a:ff:de:66:d9:38:ea:d5:b6:da
           using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
           using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
           using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
           reached self-signed root ca with a path length of 1
           Issued certificate is trusted, valid from Aug 22 15:19:43 2022 until Aug 22 15:19:43 2023 (currently valid)

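       The polling that the run above shows (HTTP 202 while the request awaits
       authorization, the server's Retry-After overriding --interval, --maxpolltime
       as the upper bound) as an added example that is not strongSwan code: a
       Python stand-in for the client side of the EST simpleenroll exchange,
       driven against a stub server in the same file. Everything about the stub is
       a constructed assumption: it speaks plain HTTP on loopback (a real EST
       server is HTTPS-only and its certificate is verified against the --cacert
       chain), it answers 202 a configurable number of times before issuing, and
       the PKCS#10 request and PKCS#7 certs-only reply are placeholder byte
       strings, not real ASN.1. What it does show faithfully is the request path
       and media types fixed by RFC 7030, both forms a Retry-After header may take,
       and the Content-Type check a client should make before trusting the body.

```python
"""Client-side EST simpleenroll polling (RFC 7030 4.2.3) against a stub server.
Constructed example: plain HTTP, fake PKCS#10/PKCS#7 bodies, no TLS client auth."""
import base64
import datetime
import email.utils
import http.server
import threading
import time
import urllib.request

EST_PATH = "/.well-known/est/simpleenroll"   # path fixed by RFC 7030
# Constructed stand-ins, not valid ASN.1: a real client posts a DER PKCS#10
# request and receives a DER PKCS#7 certs-only structure.
FAKE_CSR_DER = b"constructed-pkcs10-request"
FAKE_CERTS_ONLY_DER = b"constructed-pkcs7-certs-only"


class EstServerStub(http.server.BaseHTTPRequestHandler):
    """Answers 202 + Retry-After for the first `pending_replies` POSTs, then 200."""
    pending_replies, retry_after, seen_posts = 2, 1, 0

    def do_POST(self):
        cls = type(self)
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        if (self.path != EST_PATH or base64.b64decode(body) != FAKE_CSR_DER
                or self.headers.get("Content-Type") != "application/pkcs10"):
            self.send_error(400)
            return
        cls.seen_posts += 1
        if cls.seen_posts <= cls.pending_replies:
            # pending manual authorization: the server says when to poll again
            self.send_response(202)
            self.send_header("Retry-After", str(cls.retry_after))
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/pkcs7-mime; smime-type=certs-only")
        self.send_header("Content-Transfer-Encoding", "base64")
        self.end_headers()
        self.wfile.write(base64.b64encode(FAKE_CERTS_ONLY_DER))

    def log_message(self, *args):   # keep the run quiet
        pass


def parse_retry_after(value, default):
    """Retry-After is either delta-seconds or an HTTP-date (RFC 7231 7.1.3)."""
    if value is None:
        return default
    if value.strip().isdigit():
        return int(value)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):   # unparsable header: fall back to the default
        return default
    if when.tzinfo is None:
        when = when.replace(tzinfo=datetime.timezone.utc)
    return max(0, int((when - datetime.datetime.now(datetime.timezone.utc)).total_seconds()))


def est_simpleenroll(url, csr_der, interval=60, maxpolltime=0, sleep=time.sleep):
    """POST the CSR, poll on 202 until a certificate arrives; returns (der, polls).
    `interval` (pki --est default 60 s) is overridden by Retry-After; maxpolltime 0 = unbounded."""
    waited = polls = 0
    headers = {"Content-Type": "application/pkcs10", "Content-Transfer-Encoding": "base64"}
    while True:
        req = urllib.request.Request(url, data=base64.b64encode(csr_der),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req) as resp:
            if resp.status == 200:
                if not resp.headers.get("Content-Type", "").startswith("application/pkcs7-mime"):
                    raise ValueError("unexpected Content-Type")
                return base64.b64decode(resp.read()), polls
            if resp.status != 202:
                raise ValueError("unexpected HTTP status %d" % resp.status)
            delay = parse_retry_after(resp.headers.get("Retry-After"), interval)
        polls += 1
        if maxpolltime and waited + delay > maxpolltime:
            raise TimeoutError("request still pending after %d s" % waited)
        sleep(delay)
        waited += delay


def run_demo(pending_replies=2, retry_after=1, maxpolltime=0):
    """Start the stub on a free loopback port, enroll against it and report the run."""
    EstServerStub.pending_replies, EstServerStub.retry_after = pending_replies, retry_after
    EstServerStub.seen_posts = 0
    httpd = http.server.HTTPServer(("127.0.0.1", 0), EstServerStub)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d%s" % (httpd.server_address[1], EST_PATH)
    result = {"der": None, "polls": 0, "delays": [], "timed_out": False}
    try:   # delays are recorded instead of slept so the demo finishes instantly
        result["der"], result["polls"] = est_simpleenroll(
            url, FAKE_CSR_DER, maxpolltime=maxpolltime, sleep=result["delays"].append)
    except TimeoutError:
        result["timed_out"] = True
    finally:
        httpd.shutdown()
        httpd.server_close()
    return result
```

       run_demo() with the defaults returns the fake certs-only bytes after two
       202 replies, with the recorded delays [1, 1] rather than the 60 s default,
       which is the Retry-After override the man page describes;
       run_demo(pending_replies=5, retry_after=30, maxpolltime=60) gives up after
       two waits, the point at which a third wait would exceed the bound.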
       This certificate can be renewed some time before it expires with the
       command:

           pki --options est.opt --in moonReqNew.der --cert moonCert.der --key moonKey.der > moonCertNew.der

           negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384
           received TLS server certificate 'C=CH, O=strongSwan Project, CN=pki.strongswan.org'
           using certificate "C=CH, O=strongSwan Project, CN=pki.strongswan.org"
           using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
           using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
           reached self-signed root ca with a path length of 1
           sending TLS client certificate 'C=CH, O=strongSwan Project, CN=moon.strongswan.org'
           sending TLS intermediate certificate 'C=CH, O=strongSwan Project, CN=strongSwan Issuing CA'
           Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
           serial: 1b:ff:ad:dc:2f:50:c4:cb:a1:44
           using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
           using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
           using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
           reached self-signed root ca with a path length of 1
           Issued certificate is trusted, valid from Jul 20 12:21:00 2023 until Jul 20 12:21:00 2024 (currently valid)

       If the private key and the certificate of the client are stored in a TPM
       2.0, the renewal can be done with the following options:

           pki --options est.opt --in moonReqNew.der --certid 0x01800004 --keyid 0x81010004 > moonCertNew.der

SEE ALSO
       pki(1)

5.9.9                               2022-08-22                        PKI --EST(1)