Configure and use EST

To perform this action, you must have a user role that contains the Solution administrator permission.

Enrollment over Secure Transport (EST, RFC 7030) is a widely used certificate management protocol for issuing, renewing, and retrieving certificates for devices and applications over HTTPS. EST simplifies enrolling devices for digital certificates and provides a robust mechanism for requesting, renewing, and retrieving them. TLS (Transport Layer Security) protects the confidentiality and integrity of the communication between the client and the certificate authority (CA).

DigiCert® Device Trust Manager supports the following EST endpoints:

  • /simpleenroll - initial certificate enrollment

  • /simplereenroll - certificate renewal

  • /cacerts - retrieve CA certificates

  • /csrattrs - retrieve CSR requirements

  • /serverkeygen - optional server-side key generation

For more information on EST, see Enrollment over Secure Transport (EST).

Before you begin

Before configuring EST, ensure the following prerequisites are met:

Endpoint overview

The following API endpoints are used in this tutorial:

Purpose                                         Method  Endpoint
Create a division                               POST    /devicetrustmanager/api/v4/division
Create an authentication policy                 POST    /devicetrustmanager/authentication-service/api/v1/authentication-policy
Add a Passcode to your authentication policy    POST    /devicetrustmanager/authentication-service/api/v1/passcode
Get certificate template details                GET     /devicetrustmanager/certificate-configuration-service/api/v1/certificate-template
Create a certificate profile                    POST    /devicetrustmanager/certificate-configuration-service/api/v1/certificate-profile
Create a certificate management policy          POST    /devicetrustmanager/certificate-configuration-service/api-ui/v1/certificate-policy

Step 1: Get your Rendezvous zone ID

You must get your Rendezvous zone details. You’ll need the Primary Rendezvous zone ID to create a division in Step 2.

Request

curl --request GET \
  --url https://demo.one.digicert.com/devicetrustmanager/api/v4/rendezvous-zone \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: {ADMIN_API_KEY}'

Successful response (200 OK):

{
  "limit": 10,
  "offset": 0,
  "pagination": true,
  "next": false,
  "total": 1,
  "records": [
    {
      "id": "Your Primary Rendezvous Zone ID (UUID)",
      "name": "Rendezvous Zone 1",
      "region": "us-west-1",
      "endpoint": "dev.devicetm",
      "is_primary_usage": true,
      "is_secondary_usage": true,
      "capacity": 50000,
      "port": [
        {
          "key": "MQTT_PORT_SECURE",
          "value": 8883
        }
      ],
      "ca": [
        "--BEGIN CERTIFICATE-- --END CERTIFICATE--"
      ],
      "status": "ENABLED",
      "created_on": "2020-11-05T08:36:50Z",
      "updated_on": "2020-11-05T08:36:50Z"
    }
  ]
}

From the response, note down your Primary Rendezvous Zone ID. You will need it when you create a division.

Step 2: Create a division

Request:

curl --location 'https://demo.one.digicert.com/devicetrustmanager/api/v4/division' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'X-API-KEY: {ADMIN_API_KEY}' \
--data '{
    "account_id": "{ACCOUNT_ID}",
    "name": "Example Division Name",
    "description": "Example Division for EST enrollment",
    "primary_rzone_id": "Your Primary Rendezvous zone ID (UUID)",
    "user_ids": []
}'

Successful response (200 OK):

{
    "success": {
        "code": "DIVISION_CREATED_200",
        "verbose": "April 22-2026-API-Tutorial-Division-1 created successfully"
    }
}

From the response, note down your Division name. You will need it when you create a certificate management policy in Step 8.

Step 3: Create an authentication policy

Request

curl --location 'https://demo.one.digicert.com/devicetrustmanager/authentication-service/api/v1/authentication-policy' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'X-API-KEY: {ADMIN_API_KEY}' \
--data '{"name":"Example EST Auth Policy","description":"Example Authentication Policy for EST enrollment","account_id":"{ACCOUNT_ID}"}'

Successful response (201 Created):

{
    "id": "{Authentication policy ID (UUID)}",
    "name": "{Unique authentication policy name}",
    "account_id": "{UUID of the account that the policy belongs to}",
    "description": "{Description of the authentication policy}",
    "status": "{Authentication policy status}",
    "created_at": "{Date and time the authentication policy was created. Format: UTC timezone and ISO 8601 format}",
    "updated_at": "{Date and time the authentication policy was updated. Format: UTC timezone and ISO 8601 format}"
}

Step 4: Add a Passcode to your authentication policy

You can add the following types of authentication to your authentication policy:

  • Add passcodes
  • Add authentication certificates
  • Add authentication CAs

However, for this tutorial, we will add Passcodes as the authentication type.

Request

curl --location 'https://demo.one.digicert.com/devicetrustmanager/authentication-service/api/v1/passcode' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'X-API-KEY: {ADMIN_API_KEY}' \
--data '{"description":"Example EST Passcode Description","name":"EST Passcode","generation_option":"AUTO","authentication_policy_id":"{AUTH_POLICY_ID}","account_id":"{ACCOUNT_ID}"}'

Successful response (201 Created):

{
    "id": "{Authentication passcode ID (UUID)}",
    "alternate_id": "{Authentication passcode alternative ID}",
    "name": "{Authentication passcode name}",
    "account_id": "{Authentication passcode account ID}",
    "description": "{Authentication passcode description}",
    "status": "{Status of the authentication policy}",
    "authentication_policy_id": "{ID of the authentication policy for which the passcode will be created}",
    "authentication_policy_name": "{The name of the authentication policy}",
    "authentication_policy_status": "{The status of the authentication policy}",
    "created_at": "{Date on which the authentication passcode was created}",
    "updated_at": "{Date on which the authentication passcode was updated}",
    "passcode_hint": "{User-provided passcode hint}",
    "registered_values": [],
    "enable_username_for_passcode": false,
    "passcode": "Passcode",
    "passcode_updated": true,
    "number_of_usage": 0
}

Step 5: Get the certificate template ID

Request

curl --request GET \
  --url https://demo.one.digicert.com/devicetrustmanager/certificate-configuration-service/api/v1/certificate-template \
  --header 'Accept: application/json' \
  --header 'X-API-KEY: {ADMIN_API_KEY}'

Successful response (200 OK):

{
  "limit": 20,
  "offset": 0,
  "pagination": true,
  "next": false,
  "total": 1,
  "records": [
    {
      "id": "{EXAMPLE TEMPLATE ID}",
      "name": "Client Auth Example",
      "body": {
        "key_types": [
          "rsa_2048",
          "rsa_3072",
          "rsa_4096",
          "p_256",
          "p_384",
          "p_521",
          "ed_25519"
        ],
        "issue_types": [
          "client_authentication",
          "server_authentication"
        ],
        "signature_algorithm": {
          "allowed_algorithms": [
            "sha1WithRSA",
            "sha256WithRSA",
            "sha384WithRSA",
            "sha512WithRSA",
            "sha256WithECDSA",
            "sha384WithECDSA",
            "sha512WithECDSA",
            "sha3_256WithRSA",
            "sha3_384WithRSA",
            "sha3_512WithRSA",
            "match_issuer"
          ],
          "default_algorithm": "match_issuer"
        },
        "subject": {
          "attributes": [
            {
              "type": "common_name",
              "encoding": "auto",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            },
            {
              "type": "organization_name",
              "include": "optional",
              "encoding": "auto",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            },
            {
              "type": "organization_unit",
              "include": "optional",
              "encoding": "auto",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            },
            {
              "type": "street_address",
              "include": "optional",
              "encoding": "auto",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            },
            {
              "type": "postal_code",
              "include": "optional",
              "encoding": "auto",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            },
            {
              "type": "locality",
              "include": "optional",
              "encoding": "auto",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            },
            {
              "type": "state",
              "include": "optional",
              "encoding": "auto",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            },
            {
              "type": "country",
              "include": "optional",
              "encoding": "auto",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            },
            {
              "type": "email",
              "include": "optional",
              "encoding": "auto",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            }
          ]
        },
        "extensions": {
          "key_usage": {
            "critical": true,
            "allow_critical_override": true,
            "required_usages": {
              "rsa": [
                "digital_signature",
                "non_repudiation",
                "key_encipherment",
                "data_encipherment"
              ],
              "ecdsa": [
                "digital_signature",
                "non_repudiation",
                "key_agreement"
              ]
            },
            "optional_usages": {
              "rsa": [
                "digital_signature",
                "non_repudiation",
                "key_encipherment",
                "data_encipherment"
              ],
              "ecdsa": [
                "digital_signature",
                "non_repudiation",
                "key_agreement"
              ]
            }
          },
          "extended_key_usage": {
            "critical": true,
            "allow_critical_override": true,
            "include": "optional",
            "required_usages": [
              {
                "oid": "client_authentication",
                "name": ""
              }
            ],
            "optional_usages": [
              {
                "oid": "server_authentication",
                "name": ""
              },
              {
                "oid": "code_signing",
                "name": ""
              },
              {
                "oid": "email_protection",
                "name": ""
              },
              {
                "oid": "smart_card_logon",
                "name": ""
              }
            ]
          },
          "san": {
            "critical": false,
            "dns_name": {
              "include": "no",
              "auto_include_cn": "no",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            },
            "user_principal_name": {
              "include": "no",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            },
            "email": {
              "include": "no",
              "allowed_source": [
                "csr",
                "fixed_value",
                "user_supplied"
              ]
            }
          }
        },
        "renewal_settings": {
          "renew_valid_cert": "anytime",
          "renew_expired_cert": "anytime",
          "renew_revoked_cert": true,
          "renewal_key_pair": "optional",
          "allow_override_renewal_key_pair": true
        },
        "serial_number_size": 20,
        "validity": {
          "min_duration": {
            "value": 10,
            "unit": "DAYS"
          },
          "max_duration": {
            "value": 5,
            "unit": "YEARS"
          },
          "default_duration": {
            "min": {
              "value": 10,
              "unit": "DAYS"
            },
            "max": {
              "value": 5,
              "unit": "YEARS"
            }
          }
        }
      },
      "limit_by_accounts": true,
      "accounts": [
        {
          "id": "<ACCOUNT_ID>",
          "name": "<ACCOUNT_NAME>"
        }
      ],
      "format": "x509",
      "certificate_type": "end_entity",
      "created_at": "{Date and time the certificate template was created. Format: UTC timezone and ISO 8601 format}"
    }
  ]
}

Step 6: Create a certificate profile for EST

Request

curl --location 'https://demo.one.digicert.com/devicetrustmanager/certificate-configuration-service/api/v1/certificate-profile' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'X-API-KEY: {ADMIN_API_KEY}' \
--data '{
    "account_id": "{ACCOUNT_ID}",
    "body": [
        {
            "key": "csr",
            "optional": false,
            "enabled": true,
            "sources": [
                "user_supplied"
            ],
            "value": null
        },
        {
            "key": "certificate_value",
            "optional": false,
            "enabled": true,
            "sources": [
                "fixed_value"
            ],
            "value": "auto"
        },
        {
            "key": "unique_certificate_value",
            "optional": false,
            "enabled": true,
            "sources": [
                "fixed_value"
            ],
            "value": "no"
        },
        {
            "key": "signature_algorithm",
            "optional": false,
            "enabled": true,
            "sources": [
                "fixed_value"
            ],
            "value": "match_issuer"
        },
        {
            "key": "allow_any_key_type",
            "optional": false,
            "enabled": true,
            "sources": [
                "fixed_value"
            ],
            "value": "yes"
        },
        {
            "key": "allowed_key_types",
            "optional": false,
            "enabled": true,
            "sources": [
                "fixed_value"
            ],
            "value": [
                "rsa_1024",
                "rsa_2048",
                "rsa_3072",
                "rsa_4096",
                "p_256",
                "p_384",
                "p_521",
                "ed_25519",
                "SLHDSA-SHAKE-128f",
                "SLHDSA-SHAKE-128s",
                "SLHDSA-SHA2-128f",
                "SLHDSA-SHA2-128s",
                "SLHDSA-SHA2-192f",
                "SLHDSA-SHAKE-192f",
                "SLHDSA-SHA2-192s",
                "SLHDSA-SHAKE-192s",
                "SLHDSA-SHA2-256s",
                "SLHDSA-SHAKE-256f",
                "SLHDSA-SHA2-256f",
                "SLHDSA-SHAKE-256s"
            ]
        },
        {
            "key": "subject.common_name",
            "optional": true,
            "enabled": true,
            "sources": [
                "user_supplied"
            ],
            "value": ""
        },
        {
            "key": "subject.organization_name",
            "optional": true,
            "enabled": false,
            "sources": [],
            "value": ""
        },
        {
            "key": "subject.organization_unit",
            "optional": true,
            "enabled": false,
            "sources": [],
            "value": []
        },
        {
            "key": "subject.street_address",
            "optional": true,
            "enabled": false,
            "sources": [],
            "value": []
        },
        {
            "key": "subject.postal_code",
            "optional": true,
            "enabled": false,
            "sources": [],
            "value": ""
        },
        {
            "key": "subject.locality",
            "optional": true,
            "enabled": false,
            "sources": [],
            "value": ""
        },
        {
            "key": "subject.state",
            "optional": true,
            "enabled": false,
            "sources": [],
            "value": ""
        },
        {
            "key": "subject.country",
            "optional": true,
            "enabled": false,
            "sources": [],
            "value": ""
        },
        {
            "key": "subject.email",
            "optional": true,
            "enabled": false,
            "sources": [],
            "value": ""
        },
        {
            "key": "validity.duration_unit",
            "optional": false,
            "enabled": true,
            "sources": [
                "fixed_value"
            ],
            "value": "years"
        },
        {
            "key": "validity.duration_value",
            "optional": false,
            "enabled": true,
            "sources": [
                "fixed_value"
            ],
            "value": 10
        },
        {
            "key": "key_usage.rsa_additional_values",
            "optional": true,
            "enabled": false,
            "sources": [],
            "value": []
        },
        {
            "key": "key_usage.ecdsa_additional_values",
            "optional": true,
            "enabled": false,
            "sources": [],
            "value": []
        },
        {
            "key": "extended_key_usage.additional_values",
            "optional": true,
            "enabled": false,
            "sources": [],
            "value": []
        },
        {
            "optional": false,
            "enabled": true,
            "sources": [
                "fixed_value"
            ],
            "key": "renewal_settings.renew_valid_cert",
            "value": "anytime"
        },
        {
            "optional": false,
            "enabled": true,
            "sources": [
                "fixed_value"
            ],
            "key": "renewal_settings.renew_expired_cert",
            "value": "anytime"
        },
        {
            "optional": false,
            "enabled": true,
            "sources": [
                "fixed_value"
            ],
            "key": "renewal_settings.renew_revoked_cert",
            "value": true
        },
        {
            "optional": false,
            "enabled": true,
            "sources": [
                "fixed_value"
            ],
            "key": "renewal_settings.renewal_key_pair",
            "value": "optional"
        }
    ],
    "certificate_template_id": "{CERTIFICATE_TEMPLATE_ID}",
    "name": "Example Certificate Profile for EST Enrollment",
    "ca_connector_type": "digicert_one",
    "divisions": [],
    "omit_primitive_encoding": false,
    "certificate_type": "end_entity"
}'

Successful response (201 Created):

{
    "id": "{Certificate profile ID (UUID)}",
    "name": "{Unique certificate profile name}",
    "account_id": "{ID of the account the certificate profile is for (UUID)}",
    "certificate_template": {
        "id": "{Certificate template ID (UUID)}",
        "name": "{Certificate template name}"
    },
    "allow_bare_public_key": false,
    "created_at": "{Date and time the certificate profile was created. Format: UTC timezone and ISO 8601 format}",
    "status": "ACTIVE",
    "body": [
        {
            "key": "certificate_value",
            "optional": false,
            "sources": [
                "fixed_value"
            ],
            "value": "auto",
            "enabled": true
        },
        {
            "key": "unique_certificate_value",
            "optional": false,
            "sources": [
                "fixed_value"
            ],
            "value": "no",
            "enabled": true
        },
        {
            "key": "signature_algorithm",
            "optional": false,
            "sources": [
                "fixed_value"
            ],
            "value": "match_issuer",
            "enabled": true
        },
        {
            "key": "allow_any_key_type",
            "optional": false,
            "sources": [
                "fixed_value"
            ],
            "value": "yes",
            "enabled": true
        },
        {
            "key": "allowed_key_types",
            "optional": false,
            "sources": [
                "fixed_value"
            ],
            "value": [
                "rsa_1024",
                "rsa_2048",
                "rsa_3072",
                "rsa_4096",
                "p_256",
                "p_384",
                "p_521",
                "ed_25519",
                "SLHDSA-SHA2-128s",
                "SLHDSA-SHAKE-128s",
                "SLHDSA-SHAKE-128f",
                "SLHDSA-SHA2-128f",
                "SLHDSA-SHA2-192f",
                "SLHDSA-SHAKE-192s",
                "SLHDSA-SHA2-192s",
                "SLHDSA-SHAKE-192f",
                "SLHDSA-SHAKE-256s",
                "SLHDSA-SHA2-256f",
                "SLHDSA-SHA2-256s",
                "SLHDSA-SHAKE-256f"
            ],
            "enabled": true
        },
        {
            "key": "subject.common_name",
            "optional": true,
            "sources": [
                "user_supplied"
            ],
            "enabled": true
        },
        {
            "key": "subject.organization_name",
            "optional": true,
            "sources": [],
            "enabled": false
        },
        {
            "key": "subject.organization_unit",
            "optional": true,
            "sources": [],
            "enabled": false
        },
        {
            "key": "subject.street_address",
            "optional": true,
            "sources": [],
            "enabled": false
        },
        {
            "key": "subject.postal_code",
            "optional": true,
            "sources": [],
            "enabled": false
        },
        {
            "key": "subject.locality",
            "optional": true,
            "sources": [],
            "enabled": false
        },
        {
            "key": "subject.state",
            "optional": true,
            "sources": [],
            "enabled": false
        },
        {
            "key": "subject.country",
            "optional": true,
            "sources": [],
            "enabled": false
        },
        {
            "key": "subject.email",
            "optional": true,
            "sources": [],
            "enabled": false
        },
        {
            "key": "validity.duration_unit",
            "optional": false,
            "sources": [
                "fixed_value"
            ],
            "value": "years",
            "enabled": true
        },
        {
            "key": "validity.duration_value",
            "optional": false,
            "sources": [
                "fixed_value"
            ],
            "value": 10,
            "enabled": true
        },
        {
            "key": "key_usage.rsa_additional_values",
            "optional": true,
            "sources": [],
            "enabled": false
        },
        {
            "key": "key_usage.ecdsa_additional_values",
            "optional": true,
            "sources": [],
            "enabled": false
        },
        {
            "key": "extended_key_usage.additional_values",
            "optional": true,
            "sources": [],
            "enabled": false
        },
        {
            "key": "renewal_settings.renew_valid_cert",
            "optional": false,
            "sources": [
                "fixed_value"
            ],
            "value": "anytime",
            "enabled": true
        },
        {
            "key": "renewal_settings.renew_expired_cert",
            "optional": false,
            "sources": [
                "fixed_value"
            ],
            "value": "anytime",
            "enabled": true
        },
        {
            "key": "renewal_settings.renew_revoked_cert",
            "optional": false,
            "sources": [
                "fixed_value"
            ],
            "value": true,
            "enabled": true
        },
        {
            "key": "renewal_settings.renewal_key_pair",
            "optional": false,
            "sources": [
                "fixed_value"
            ],
            "value": "optional",
            "enabled": true
        }
    ],
    "ca": [],
    "enrollment_methods": [],
    "certificate_format": "x509",
    "certificate_type": "end_entity",
    "ca_connector_type": "digicert_one",
    "omit_primitive_encoding": false,
    "divisions": []
}

Step 7: List the available issuing CAs

Before you can create a certificate management policy, you must identify the Issuing CA that will issue certificates to devices.

Once you identify the Issuing CA, save the id value. You will need this when you are creating a certificate management policy in Step 8.

Step 8: Create a certificate management policy

Key required settings:

  • certificate_management_methods: ["EST"]
  • key_generation_option: client_side
  • authentication_policy_id: {AUTH_POLICY_ID}

Request

curl --location 'https://demo.one.digicert.com/devicetrustmanager/certificate-configuration-service/api/v2/certificate-policy' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'X-API-KEY: {ADMIN_API_KEY}' \
--data '{
    "certificate_management_methods": [
        "EST"
    ],
    "est_cacerts_include_full_tls_chain": false,
    "est_request_parameters": {
        "support_cmc": false,
        "renewal_authentication_mode": "RENEWING_CERTIFICATE_ONLY"
    },
    "name": "Example Certificate Management Policy for EST Enrollment",
    "ica_id": "{ISSUING_CA_ID}",
    "certificate_profile_id": "{CERTIFICATE_PROFILE_ID}",
    "division_id": "{DIVISION_ID}",
    "require_device_group_for_enroll": false,
    "require_approval_for_enroll": false,
    "key_generation_option": "client_side",
    "authentication_policy_id": "{AUTH_POLICY_ID}",
    "allowed_ip_addresses": []
}'

Successful response (201 Created):

{
    "name": "{Name of the certificate management policy}",
    "certificate_management_methods": [
        "EST"
    ],
    "enrollment_methods": [
        "EST"
    ],
    "allowed_ip_addresses": [],
    "key_generation_allow_to_change": false,
    "key_generation_option": "client_side",
    "allow_pre_generated_keys": false,
    "ca_connector_type": "digicert_one",
    "assign_to_authcert_device": false,
    "allow_key_cache": false,
    "division_id": "{ID of the division this certificate policy uses for certificate requests}",
    "require_approval_for_enroll": false,
    "require_approval_for_renew": false,
    "notification_email_list": [],
    "digest_email_notification_period": "do_not_send",
    "require_digital_signing": false,
    "new_batch_flow": true,
    "est_request_parameters": {
        "support_cmc": false,
        "renewal_authentication_mode": "RENEWING_CERTIFICATE_ONLY"
    },
    "require_device_group_for_enroll": false,
    "migrated_to_new_params": false,
    "authentication_policy": {
        "id": "{Authentication policy ID}"
    },
    "scep_get_ca_cert_response_with_root": false,
    "scep_get_ca_cert_response_der_format": false,
    "est_cacerts_include_full_tls_chain": false,
    "id": "{ID}",
    "certificate_profile": {
        "id": "{ID of the certificate profile this certificate policy uses for certificate requests}",
        "name": "{Name of the certificate profile}"
    },
    "created_at": "{Date the certificate policy is created. Format: YYYY-MM-DD}",
    "ica": {
        "id": "{ID of the ICA that issues certificates requested through the certificate policy}",
        "name": "{Name of the ICA}"
    },
    "status": "ACTIVE",
    "allowed_signature_algorithms": [
        "sha1WithRSA",
        "sha256WithRSA",
        "sha384WithRSA",
        "sha512WithRSA",
        "sha3_256WithRSA",
        "sha3_384WithRSA",
        "sha3_512WithRSA",
        "sha256WithRSAPSS",
        "sha384WithRSAPSS",
        "sha512WithRSAPSS"
    ],
    "direct_mapping": false,
    "account_id": "{Account ID}",
    "certificate_type": "end_entity",
    "approvers": [],
    "ca_body": "--BEGIN CERTIFICATE-- --END CERTIFICATE--",
    "ca_chain": [
        {
            "cert_type": "intermediate",
            "blob": "--BEGIN CERTIFICATE-- --END CERTIFICATE--",
            "common_name": "ICA-Exported"
        },
        {
            "cert_type": "root",
            "blob": "--BEGIN CERTIFICATE-- --END CERTIFICATE--",
            "common_name": "RSA-Export"
        }
    ],
    "certificate_template": {
        "id": "{certificate_template_ID}",
        "name": "{Name of the certificate template}"
    },
    "require_approval_for_revoke": false,
    "alternative_id": "{alternative_id}"
}

Step 9: Obtain the EST enroll endpoint

EST endpoints are currently obtained through the UI and are not exposed through an API.

  1. Sign in to Device Trust Manager UI. See Sign in for instructions.
  2. In the Device Trust Manager menu, go to Certificate management > Certificate settings > Certificate management policies.
  3. Select the EST certificate management policy you have created.
  4. On the Certificate management policy details page, navigate to the EST section.
  5. Under the EST section, copy the Enroll endpoint URL.

The following examples use one.digicert.com; however, your hostname may differ. See Platform IP addresses and URLs for a list of platform hostnames by region.

Your EST Enroll endpoint should resemble the example below:

  https://clientauth.demo.one.digicert.com/.well-known/est/{enrollment_profile_id}/simpleenroll

Step 10: Request EST

For details on submitting an EST enrollment request, see EST enrollment.

Response

  • Upon verifying the client’s authentication credential and the integrity of the CSR, Device Trust Manager processes the certificate request
  • If the request is valid, then Device Trust Manager issues a certificate for the client
  • If the client requests server-side generated keys, the response includes the private key along with the issued certificate, which is securely transmitted back to the client over an encrypted session
  • The client can then store the certificate and use it for secure communications

Step 11: Obtain the EST reenroll endpoint

The reenrollment process is a specialized endpoint within the EST protocol, used specifically for renewing existing certificates. EST endpoints are currently obtained through the UI and are not exposed through an API.

  1. Sign in to Device Trust Manager UI. See Sign in for instructions.
  2. In the Device Trust Manager menu, go to Certificate management > Certificate settings > Certificate management policies.
  3. Select the EST certificate management policy you have created.
  4. On the Certificate management policy details page, navigate to the EST section.
  5. Under the EST section, copy the Reenroll endpoint URL.

Your EST Reenroll endpoint should resemble the example below:

  https://clientauth.demo.one.digicert.com/.well-known/est/{enrollment_profile_id}/simplereenroll

Authentication

For reenrollment, the client must present the certificate that is due for renewal as an authentication certificate in the request.

CSR submission

The client submits a CSR during the reenrollment process. However, all identity fields within the CSR (such as Distinguished Name and Subject Alternative Names) are ignored. This is because the renewed certificate must maintain the same identity as the original certificate being renewed.

Certificate updates

The primary changes that occur during reenrollment include the assignment of a new certificate serial number and the establishment of new validity dates (start and end) for the renewed certificate.

The following is a sample curl reenroll request using certificate authentication. The certificate used for authentication must be the certificate you are renewing:

curl --location 'https://clientauth.one.digicert.com/.well-known/est/devicetrustmanager/IOT_b0c9be31-6160-4fc5-9041-84b71a4c02fe/simplereenroll' \
--cert "certificate.pem" \
--key "private.pem" \
--header "Content-Type: application/pkcs10" \
--data-binary @csr.pem
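The following client helpers are an added example, not code from DigiCert's documentation or SDK. They cover both the enrollment exchange of Step 10 and the reenrollment exchange above: building the simpleenroll request, classifying the server's reply per RFC 7030 (certificate issued, request pending approval with Retry-After, authentication failure), and sending a simplereenroll request authenticated with the certificate being renewed. They assume the passcode from Step 4 is presented as HTTP Basic credentials with a placeholder username, and the hostname, enrollment profile ID and file paths are placeholders.

```python
"""EST simpleenroll/simplereenroll client helpers.

Added example, not DigiCert code. Assumptions: the Step 4 passcode is sent as
HTTP Basic credentials (RFC 7030 section 3.2.3) with a placeholder username;
hostnames, profile IDs and file paths below are placeholders.
"""
import base64
import binascii
import http.client
import ssl
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class EstOutcome:
    state: str                          # "issued", "pending", "auth_failed" or "rejected"
    pkcs7_der: Optional[bytes] = None   # certs-only PKCS#7 SignedData (DER) when issued
    retry_after: int = 0                # seconds to wait before polling again when pending
    detail: str = ""


def pkcs10_body(csr: bytes) -> bytes:
    """Return the request body RFC 7030 expects: base64 of the DER CSR without
    PEM armour. Accepts either a PEM file (as in the curl example) or raw DER."""
    if csr.lstrip().startswith(b"-----BEGIN"):
        lines = [ln.strip() for ln in csr.splitlines()]
        return b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
    return base64.b64encode(csr)


def enroll_headers(passcode: str, username: str = "est-client") -> Dict[str, str]:
    """Headers for a passcode-authenticated simpleenroll POST (Basic auth is an assumption)."""
    token = base64.b64encode(f"{username}:{passcode}".encode()).decode()
    return {
        "Content-Type": "application/pkcs10",
        "Content-Transfer-Encoding": "base64",
        "Accept": "application/pkcs7-mime",
        "Authorization": f"Basic {token}",
    }


def reenroll_headers() -> Dict[str, str]:
    """simplereenroll authenticates with the TLS client certificate, so no Authorization header."""
    return {k: v for k, v in enroll_headers("").items() if k != "Authorization"}


def parse_est_response(status: int, headers: Dict[str, str], body: bytes) -> EstOutcome:
    """Classify an EST enroll/reenroll response (RFC 7030 section 4.2.3)."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        ctype = h.get("content-type", "")
        if not ctype.startswith("application/pkcs7-mime"):
            return EstOutcome("rejected", detail=f"unexpected Content-Type {ctype!r}")
        try:
            # the body is base64 text, usually line-wrapped; strip all whitespace first
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except (binascii.Error, ValueError) as exc:
            return EstOutcome("rejected", detail=f"body is not valid base64: {exc}")
        if not der or der[0] != 0x30:   # DER SEQUENCE tag expected for SignedData
            return EstOutcome("rejected", detail="decoded body is not DER")
        return EstOutcome("issued", pkcs7_der=der)
    if status == 202:
        # accepted but pending, e.g. the policy has require_approval_for_enroll=true
        try:
            wait = int(h.get("retry-after", "0"))
        except ValueError:
            wait = 0
        return EstOutcome("pending", retry_after=max(wait, 1))
    if status == 401:
        return EstOutcome("auth_failed", detail=h.get("www-authenticate", ""))
    return EstOutcome("rejected", detail=f"HTTP {status}: {body[:200]!r}")


def est_post(url: str, csr: bytes, headers: Dict[str, str],
             client_cert: Optional[Tuple[str, str]] = None) -> EstOutcome:
    """POST a CSR to an EST endpoint over TLS. For /simplereenroll pass
    client_cert=(cert_pem_path, key_pem_path): the certificate being renewed."""
    u = urlparse(url)
    ctx = ssl.create_default_context()          # verifies the server certificate
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert[0], keyfile=client_cert[1])
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx)
    try:
        conn.request("POST", u.path, body=pkcs10_body(csr), headers=headers)
        resp = conn.getresponse()
        return parse_est_response(resp.status, dict(resp.getheaders()), resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder values; replace with the endpoints copied from the UI in Steps 9 and 11.
    base = "https://clientauth.demo.one.digicert.com/.well-known/est/{enrollment_profile_id}"
    csr = open("csr.pem", "rb").read()
    first = est_post(f"{base}/simpleenroll", csr, enroll_headers("{PASSCODE}"))
    print(first.state, first.detail)
    renewed = est_post(f"{base}/simplereenroll", csr, reenroll_headers(),
                       client_cert=("certificate.pem", "private.pem"))
    print(renewed.state, renewed.detail)
```

On a 200 reply, `pkcs7_der` holds the certs-only PKCS#7 structure; `openssl pkcs7 -inform DER -print_certs` extracts the issued certificate from it.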

(Optional) Use EST with device management

You can use EST to register devices into a device group and issue bootstrap certificates to devices. Registered devices are listed under Device management > Devices, allowing centralized management and control. This feature is available with the Device Trust Manager Advanced plan.

If you are already on the Device Trust Manager Advanced plan, perform the following steps:

  1. Sign in to Device Trust Manager UI. See Sign in for instructions.
  2. In the Device Trust Manager menu, go to Device management > Device groups.
  3. Select a device group to view its details.
  4. Go to the Policy assignments pane.
  5. Select Assign policy.
  6. Select Policy usage.
  7. Select Bootstrap under Policy usage.
  8. Provide a name for the policy.
  9. Assign the certificate management policy to a device group.

Once you have linked the EST certificate management policy to a device group, you can use EST to register devices in the device group and issue bootstrap certificates to devices. The EST URL must be modified to include device-group/{device-group-id}.

Example:

https://clientauth.one.digicert.com/.well-known/est/devicetrustmanager/{enrollment_profile_id}/device-group/{device-group-id}/simpleenroll