Welcome to the EST test server

This server can be used to test the EST protocol as defined in RFC 7030. There are three instances running, each using a different configration as follows:

Listening port	Description
443	This is an EST server that has enabled TLS channel binding as defined in RFC 7030 section 3.5. Your EST client must be capable of including the TLS channel binding value in the challengePassword attribute of the PKCS10 request.
8443	This is an EST server that has disabled TLS channel binding as defined in RFC 7030 section 3.5. This allows for using a client not capable of including the TLS channel binding value in the PKCS10 request, such as Curl.
9443	This is an EST server that has disabled TLS channel binding as defined in RFC 7030 section 3.5. This instance of the server has also disabled HTTP authentication, requiring the EST client to provide a certificate when doing a simple enroll operation.

For the EST instances described above that are configured to perform HTTP user authentication of the EST client please use the user ID of estuser and the password estpwd.

Curl can be used to simulate an EST client. Please note, older versions of Curl do not support ECC, which may result in an 'Invalid certificate chain' error from Curl. Curl 7.27.0 is known to work. To use this test server, first you will need to retrieve the latest CA certs from the server, which can be done according to section 4.1.1 of RFC 7030. The following steps show how to use this test server using Curl.

Step 1: Get the root certificate used by the EST web server

The following command will retrieve the public root certificate that can be used by Curl to verify the server certificate for the subsequent Curl operations. This is also called the implicit trust anchor certificate. Please note, this root certificate may already be in your web browser certificate store. But if you're using Curl as the client, then you'll want to complete this step to get a copy of the root certificate for Curl operations.


wget http://testrfc7030.com/dstcax3.pem

You should verify the hash of this certificate to ensure it wasn't forged. The SHA-256 hash value is 923f623de896e9cad3a440a5c6cefb88dcb55f3323656d92fbcb73f1e1260a9d. Use the following command to generate the hash:


openssl sha256 dstcax3.pem

Step 2: Get the CA certs from the server

Now that you have the implicit trust anchor for the web server, use the following commands to retrieve the latest CA certs (a.k.a. the explicit trust anchor for the CA) from this server and convert them to PEM format. Please note, you can use your web browser instead of Curl to retrieve the latest CA certs from the server. But you'll still need to base64 decode the response and convert to PEM format.


curl https://testrfc7030.com:8443/.well-known/est/cacerts -o cacerts.p7 --cacert ./dstcax3.pem
openssl base64 -d -in cacerts.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out cacerts.pem

Step 3: Create PKCS10 request

Before requesting a new certificate from the EST server, a PKCS10 certificate request is needed. This PKCS10 certificate request should not contain a challenge password. The following commands use OpenSSL to generate a PKCS10 request. Using OpenSSL 1.0.1 or newer is suggested. Please note, some Linux distributions do not configure ECC support for OpenSSL, which would cause the following commands to fail. You can use RSA or DSA if desired. The following two commands will generate an EC keypair and a rudimentary PKCS10 request (using OpenSSL 1.0.1):


openssl ecparam -genkey -name prime256v1 -out eckey.pem
openssl req -new -key eckey.pem -out req.p10

Step 4: Request the certificate from the EST server

With the PKCS10 request and the CA certs now available, the following commands simulate a /simpleenroll operation and converts the newly issued cert to PEM format. Please note, curl and openssl do not support RFC6066 Trusted CA Indication extension. Therefore, this example continues to use the implicit trust anchor cert obtained in step 1. This is an option as described in RFC7030 section 4.1.3.


curl https://testrfc7030.com:8443/.well-known/est/simpleenroll --anyauth -u estuser:estpwd -s -o cert.p7 --cacert ./dstcax3.pem --data-binary @req.p10 -H "Content-Type: application/pkcs10" --dump-header resp.hdr
openssl base64 -d -in cert.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out cert.pem

The newly enrolled certificate is in the cert.pem file. You can view the certificate using the following OpenSSL command:


openssl x509 -text -in cert.pem

This certificate can be used along with the explicit trust anchor certificate retrieved earlier using the /cacerts message to establish secure communication channels with other entities bound to the same explicit trust anchor.

Optional: CSR Attributes

Optionally, the CSR attributes may be retrieved from the EST server using Curl. The following command will get the CSR attributes, base64 decode the attributes, and display the attributes:

curl https://testrfc7030.com:8443/.well-known/est/csrattrs -s --cacert ./dstcax3.pem | openssl base64 -d -A | openssl asn1parse -inform DER

More information

To learn more about EST please refer to RFC 7030.
Libest project on Github
EST server for Microsoft CA
Try the Android EST client app (compiled for ARM, Android 4.0 and newer)

Thank you for using EST.