Welcome to the EST test server
This server can be used to test the EST protocol as defined in RFC 7030. There are three instances running, each
using a different configuration as follows:
Listening port | Description
443  | This is an EST server that has enabled TLS channel binding as defined in RFC 7030 section 3.5. Your EST client must be capable of including the TLS channel binding value in the challengePassword attribute of the PKCS10 request.
8443 | This is an EST server that has disabled TLS channel binding as defined in RFC 7030 section 3.5. This allows for using a client not capable of including the TLS channel binding value in the PKCS10 request, such as Curl.
9443 | This is an EST server that has disabled TLS channel binding as defined in RFC 7030 section 3.5. This instance of the server has also disabled HTTP authentication, requiring the EST client to provide a certificate when doing a simple enroll operation.
For the EST instances described above that are configured to perform HTTP user authentication of the EST client, use the user ID estuser and the password estpwd.
Curl can be used to simulate an EST client. Please note, older versions of Curl do not support ECC, which may result in an 'Invalid certificate chain' error from Curl. Curl 7.27.0 is known to work.
To use this test server, you will first need to retrieve the latest CA certs from the server, which can be done according to section 4.1.1 of RFC 7030. The following steps show how
to use this test server with Curl.
Step 1: Get the root certificate used by the EST web server
The following command will retrieve the public root certificate that can be used
by Curl to verify the server certificate for the subsequent Curl operations.
This is also called the implicit trust anchor certificate.
Please note, this root certificate may already be in your web browser certificate store.
But if you're using Curl as the client, then you'll want to complete this step to
get a copy of the root certificate for Curl operations.
- wget http://testrfc7030.com/dstcax3.pem
You should verify the hash of this certificate to ensure it wasn't forged. The SHA-256 hash
value is 923f623de896e9cad3a440a5c6cefb88dcb55f3323656d92fbcb73f1e1260a9d.
Use the following command to generate the hash:
- openssl sha256 dstcax3.pem
Step 2: Get the CA certs from the server
Now that you have the implicit trust anchor for the web server, use the following commands to retrieve the
latest CA certs (a.k.a. the explicit trust anchor for the CA) from this server and convert them to PEM format.
Please note, you can use your web browser instead of Curl to retrieve the latest CA certs from the
server. But you'll still need to base64 decode the response and convert to PEM format.
- curl https://testrfc7030.com:8443/.well-known/est/cacerts -o cacerts.p7 --cacert ./dstcax3.pem
- openssl base64 -d -in cacerts.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out cacerts.pem
Step 3: Create PKCS10 request
Before requesting a new certificate from the EST server, a PKCS10 certificate request is needed.
This PKCS10 certificate request should not contain a challenge password.
The following commands use OpenSSL to generate a PKCS10 request. Using OpenSSL 1.0.1 or newer is
suggested. Please note, some Linux distributions do not configure ECC support for OpenSSL, which would
cause the following commands to fail. You can use RSA or DSA if desired.
The following two commands will generate an EC keypair and a rudimentary PKCS10 request (using OpenSSL 1.0.1):
- openssl ecparam -genkey -name prime256v1 -out eckey.pem
- openssl req -new -key eckey.pem -out req.p10
Step 4: Request the certificate from the EST server
With the PKCS10 request and the CA certs now available, the following commands simulate a /simpleenroll operation
and convert the newly issued cert to PEM format.
Please note, curl and openssl do not support the RFC 6066 Trusted CA Indication extension. Therefore, this example continues to use the implicit trust anchor cert obtained in step 1. This is an option as described in RFC 7030 section 4.1.3.
- curl https://testrfc7030.com:8443/.well-known/est/simpleenroll --anyauth -u estuser:estpwd -s -o cert.p7 --cacert ./dstcax3.pem --data-binary @req.p10 -H "Content-Type: application/pkcs10" --dump-header resp.hdr
- openssl base64 -d -in cert.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out cert.pem
The newly enrolled certificate is in the cert.pem file. You can view the certificate using the following
OpenSSL command:
- openssl x509 -text -in cert.pem
This certificate can be used along with the explicit trust anchor certificate retrieved earlier using the /cacerts
message to establish secure communication channels with other entities bound to the same explicit trust anchor.
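Steps 1 to 4 above, collected into one POSIX shell script as an added example (this is not code from the testrfc7030.com page). It pins the SHA-256 of the implicit trust anchor and refuses to continue if the downloaded dstcax3.pem does not match, reuses a single PKCS#7-to-PEM conversion for both the /cacerts and /simpleenroll responses, and ends with an openssl verify check that the newly issued certificate really chains to the explicit trust anchor fetched from /cacerts, a check the page itself does not show. Assumptions: the 8443 instance (no TLS channel binding) is used, the -subj value is a placeholder subject name so that openssl req runs without prompting, and all function names are mine.

```shell
#!/bin/sh
# Added example, not part of the EST test server page: the page's curl/openssl
# steps wrapped in functions that fail closed. Requires curl, wget and openssl.
set -eu

EST_HOST="testrfc7030.com"
EST_PORT="8443"                    # instance with TLS channel binding disabled
ANCHOR_URL="http://testrfc7030.com/dstcax3.pem"
# Expected SHA-256 of the implicit trust anchor, as published on the page.
ANCHOR_SHA256="923f623de896e9cad3a440a5c6cefb88dcb55f3323656d92fbcb73f1e1260a9d"

# Hex SHA-256 of a file (same digest "openssl sha256 FILE" prints).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# Returns 0 only if FILE ($1) hashes to EXPECTED ($2); otherwise reports and returns 1.
verify_anchor_hash() {
  actual=$(file_sha256 "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "trust anchor hash mismatch: got $actual, expected $2" >&2
  return 1
}

# Step 1: the anchor is served over plain HTTP, so the pinned hash is the only
# thing standing between a tampered download and every later --cacert check.
fetch_anchor() {
  wget -q -O dstcax3.pem "$ANCHOR_URL"
  verify_anchor_hash dstcax3.pem "$ANCHOR_SHA256"
}

# Shared by steps 2 and 4: base64 PKCS#7 response ($1) -> PEM certificates ($2).
p7_to_pem() {
  openssl base64 -d -in "$1" |
    openssl pkcs7 -inform DER -outform PEM -print_certs -out "$2"
}

# Step 2: explicit trust anchor (the CA certs) from /cacerts.
fetch_cacerts() {
  curl -sS --fail --cacert ./dstcax3.pem \
    "https://$EST_HOST:$EST_PORT/.well-known/est/cacerts" -o cacerts.p7
  p7_to_pem cacerts.p7 cacerts.pem
}

# Step 3: EC key pair and a PKCS10 request without a challenge password.
# The -subj value is a placeholder chosen for this example.
make_csr() {
  openssl ecparam -genkey -name prime256v1 -out eckey.pem
  openssl req -new -key eckey.pem -subj "/CN=est-test-client" -out req.p10
}

# Step 4: /simpleenroll with HTTP authentication, response converted to PEM.
enroll() {
  curl -sS --fail --anyauth -u estuser:estpwd --cacert ./dstcax3.pem \
    -H "Content-Type: application/pkcs10" --data-binary @req.p10 \
    --dump-header resp.hdr -o cert.p7 \
    "https://$EST_HOST:$EST_PORT/.well-known/est/simpleenroll"
  p7_to_pem cert.p7 cert.pem
}

# Final check: the issued cert must chain to the explicit trust anchor, not
# merely have arrived over a TLS session we trusted.
verify_issued() {
  openssl verify -CAfile cacerts.pem cert.pem
}

# Run the whole flow only when invoked as: sh est-enroll.sh run
if [ "${1:-}" = "run" ]; then
  fetch_anchor && fetch_cacerts && make_csr && enroll && verify_issued
fi
```

Each function maps to one step of the page, so a failing step leaves the earlier artifacts (dstcax3.pem, cacerts.pem, req.p10) in place for inspection. Running against the 443 instance instead would also require adding the TLS channel binding value to the CSR, which plain curl and openssl cannot do.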
Optional: CSR Attributes
Optionally, the CSR attributes may be retrieved from the EST server using Curl. The following command will
get the CSR attributes, base64 decode the attributes, and display the attributes:
- curl https://testrfc7030.com:8443/.well-known/est/csrattrs -s --cacert ./dstcax3.pem | openssl base64 -d -A | openssl asn1parse -inform DER
More information
Thank you for using EST.