Bug 1849834

Summary: [RFE] Provide EST Responder (RFC 7030)
Product: Red Hat Enterprise Linux 9
Reporter: Marc Sauton <msauton>
Component: pki-core
Assignee: Marco Fargetta <mfargett>
Status: CLOSED ERRATA
QA Contact: idm-cs-qe-bugs
Severity: high
Docs Contact: Jana Heves <jsvarova>
Priority: high
Version: 9.0
CC: aakkiang, ckelley, czinda, dcain, edewata, fdelehay, ftweedal, jsvarova, mfargett, mharmsen, parmstro, pasik, pcech, skhandel, tvvcox, vashirov, vvanhaft, william.caban
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 9.1
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pki-core-11.3.0-0.2.beta1.el9
Doc Type: Enhancement
Doc Text:
.Red Hat IdM and Certificate System now support the EST protocol
Enrollment over Secure Transport (EST) is a new Certificate System subsystem feature, specified in RFC 7030, that is used to provision certificates from a Certificate Authority (CA). The EST subsystem implements the server side of the protocol operations, such as `/getcacerts`, `/simpleenroll`, and `/simplereenroll`. Note that Red Hat supports both EST and the original Simple Certificate Enrollment Protocol (SCEP) in Certificate System.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-09 07:43:41 UTC
Type: Feature Request
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2184522, 2142893

Description Marc Sauton 2020-06-22 23:03:35 UTC
Description of problem:

RFE - provide Enrollment over Secure Transport / EST interface to Dogtag / RFC 7030 to obsolete SCEP

This is for both RHEL IdM and RHCS, in the pki-core component.

RHEL-8
pki-core-10.x ( 10.8+ ? )

existing certmonger component bug and ticket:
https://bugzilla.redhat.com/show_bug.cgi?id=1841055
https://pagure.io/certmonger/issue/53


Additional information:

https://github.com/cisco/libest
"
This project is a library that implements RFC 7030 (Enrollment over Secure Transport).
EST is used to provision certificates from a CA or RA. EST is a replacement for SCEP, providing several security enhancements and support for ECC certificates.
Libest is written in C and uses OpenSSL 1.0.1.
The following flows defined in RFC 7030 for both server and client operation have been implemented:
/getcacerts /csrattrs /simpleenroll /simplereenroll
Also of interest, an EST test server running this library has been set up at http://testrfc7030.com/ and can be used for interop testing the EST protocol.
Please direct questions/comments to est-interest.com
"

Comment 4 Marc Sauton 2020-06-22 23:19:37 UTC
Upstream ticket: https://pagure.io/dogtagpki/issue/3180

Comment 9 Asha Akkiangady 2021-04-23 18:00:04 UTC
Moving from RHEL 8 to RHEL 9 as SCEP over EST is not a priority for RHEL 8.

Comment 25 Fraser Tweedale 2023-01-06 07:29:33 UTC
Following up Comment 22...

> I also couldn't enroll Cisco CSR 1000v, I suspect it also sends CSR request with PEM headers, but need to do traffic analysis to be 100% sure.

The RFC is fairly clear about the expected format (base64-encoded DER, with or without wrapping, but without PEM header).  But let's check what the Cisco thing actually sends.  If it is indeed PEM, then we can (reluctantly) modify the server to accept this case.

Regarding reenroll auth failures, we should pair and work through that together.
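
The body format discussed in this comment (base64-encoded DER, wrapped or not, no PEM header), as an added example that is not Dogtag's code: a server-side decoder for an EST /simpleenroll or /simplereenroll body that accepts line-wrapped base64, rejects PEM armor by default, and checks that the result is a single well-formed DER SEQUENCE before any PKCS#10 parsing. The accept_pem_headers switch and the sample bytes are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample (not a real PKCS#10 request): a DER SEQUENCE holding two
# INTEGERs, enough to exercise the envelope checks below.
SAMPLE_DER = bytes.fromhex("3006020105020107")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()  # "MAYCAQUCAQc="
WRAPPED_BODY = "MAYC\r\nAQUC\r\nAQc=\r\n"  # same request, line-wrapped with CRLF
PEM_BODY = ("-----BEGIN CERTIFICATE REQUEST-----\n" + SAMPLE_B64
            + "\n-----END CERTIFICATE REQUEST-----\n")
PEM_ARMOR = re.compile(r"-----(BEGIN|END) [A-Z0-9 ]+-----")

def decode_est_pkcs10(body: str, accept_pem_headers: bool = False) -> bytes:
    """Decode an EST /simpleenroll or /simplereenroll body to PKCS#10 DER.
    RFC 7030 carries the request as base64 (RFC 4648), possibly line-wrapped,
    without PEM armor; accept_pem_headers=True is the lenient mode Comment 25
    weighs (an assumed switch, not Dogtag's behaviour)."""
    lines = [line.strip() for line in body.splitlines()]
    if any(PEM_ARMOR.fullmatch(line) for line in lines):
        if not accept_pem_headers:
            raise ValueError("PEM header/footer present; expected bare base64 DER")
        lines = [line for line in lines if not PEM_ARMOR.fullmatch(line)]
    try:  # joining the lines undoes any wrapping before decoding
        der = base64.b64decode("".join(lines), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    # A PKCS#10 request is one DER SEQUENCE (tag 0x30) whose encoded length
    # must cover exactly the remaining bytes, so trailing junk is rejected.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:               # short-form length
        offset, length = 2, first
    elif 0x81 <= first <= 0x84:    # long form: 1-4 length bytes follow
        n = first & 0x7F
        offset, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    else:
        raise ValueError("indefinite or oversized DER length")
    if offset + length != len(der):
        raise ValueError("DER length does not match body size")
    return der

def is_rejected(body: str, **kwargs) -> bool:
    """True when decode_est_pkcs10 refuses the body."""
    try:
        decode_est_pkcs10(body, **kwargs)
    except ValueError:
        return True
    return False
```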

Comment 35 errata-xmlrpc 2023-05-09 07:43:41 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: pki-core security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2293