Skip to main content

EST Protocol Configuration

EST allows systems and applications to automatically enroll and renew certificates using Enrollment over Secure Transport.

This configuration defines how the EST endpoint issues certificates and how requests are mapped to End Entities and certificate profiles.

Protocol Configuration

The protocol configuration section defines the required settings for this EST profile, including the configuration name, issuing certificate authority, and whether requests must match an existing end entity.

EST profile protocol configuration settings

Name

Use Name to give the protocol configuration a clear label that operators can recognize later when reviewing or selecting protocol profiles.

Certificate Authority

Use Certificate Authority to select the CA that will be used to issue certificates for requests handled by this configuration.

End Entity Required

Use End Entity Required to require incoming requests to match an existing end entity before OTPKI processes the request.

When this option is disabled, OTPKI can process requests without requiring a pre-existing end entity match, subject to the rest of the profile and protocol configuration.

End Entity Naming Scheme

The end entity naming scheme section defines how OTPKI matches incoming protocol requests to existing end entities. Use these settings to control how the request identity is converted into the login ID used for end entity lookup and creation.

Protocol configuration end entity naming scheme settings

Login ID Scheme

Use Login ID Scheme to choose how OTPKI builds the login ID from the subject distinguished name (DN) in the incoming request.

The available schemes are:

  • Full DN: uses the complete subject DN as the login ID.
  • Part DN: uses selected DN attributes as the login ID. Selecting this option displays Login ID Parts.
  • Combo DN: combines selected DN attributes to form the login ID. Selecting this option displays Login ID Parts.
  • Fixed: uses the same configured login ID value for every request. Selecting this option displays a field for the fixed value.
  • Random: generates a random login ID. Selecting this option displays a field for the random value length.

Login ID Parts

Login ID Parts appears when Part DN orCombo DN is selected. Use it to choose which parts of the subject DN should be included when OTPKI builds the login ID.

Login ID Fixed

The fixed login ID field appears when Fixed is selected. Use it to enter the exact login ID OTPKI should use for matching incoming requests.

Login ID Random Length

The random login ID length field appears when Random is selected. Use it to define the length of the generated login ID.

Login ID Prefix

Use Login ID Prefix to add a static value before the generated or derived login ID. This can help distinguish identities that come from a specific protocol, environment, or configuration.

Login ID Postfix

Use Login ID Postfix to add a static value after the generated or derived login ID. This can help namespace or group end entities that share the same naming pattern.

Profile Selection

The profile selection section associates the protocol configuration with the end entity and certificate profiles OTPKI will use when processing requests.

Protocol configuration profile selection settings

End Entity Profile

Use End Entity Profile to select the end entity profile that controls the allowed subject fields, validation rules, and related end entity settings for requests handled by this configuration.

Certificate Profile

Use Certificate Profile to select the certificate profile that controls the certificate properties OTPKI will apply when issuing certificates through this configuration.

EST Authentication Configuration

The EST Authentication Configuration section defines how clients authenticate when using the enroll and reenroll routes.

EST authentication configuration settings

Require Reenroll Certificate Authentication

Requires the client to authenticate with a certificate from a previous enroll or reenroll request before it can reenroll.

Enable Certificate Authentication

Allows clients to authenticate with a client certificate during enroll or reenroll.

Enable Basic Authentication

Allows clients to authenticate with a username and password during enroll or reenroll.

Username

The username used when basic authentication is enabled and an end entity is not required.

Password

The password used when basic authentication is enabled and an end entity is not required.

Server Key Generation

The Server Key Generation section allows the server to generate keys for this profile.

EST server key generation settings

Enable Server Key Generation

Enables server-side key generation for EST requests.

Key Type

The algorithm used to generate the keys.