cisco / libest


Please explain how the estclient's -g option works #95

Closed vochong closed 4 years ago

vochong commented 4 years ago

Hello,

The estclient has the option "-g Get CA certificate from EST server". However, if I tried to retrieve it, it showed the message "CACERT file not set, set EST_OPENSSL_CACERT to resolve". If I set the env variable to the ../server/estCA/cacert.crt, it would be able to retrieve it, and the retrieved CA certificate is identical to the cacert as specified in the env variable.

I thought the option "-g" would directly retrieve the CA cert from the EST server, instead of copying it from the file in the env variable. Could you please clarify it?

Thanks, Eric

$ ./estclient -g -s 127.0.0.1 -p 8085 -o /tmp/

CACERT file not set, set EST_OPENSSL_CACERT to resolve

$ export EST_OPENSSL_CACERT=../server/estCA/cacert.crt

$ ./estclient -g -s 127.0.0.1 -p 8085 -o /tmp/ --pem-output

$ ls -la /tmp/cacert-0-0.pem

/tmp/cacert-0-0.pem is identical to ../server/estCA/cacert.crt

rpb5bnc commented 4 years ago

Hello Eric,

The -g option does retrieve the CA certificates from the EST server.

The EST protocol is defined to run on top of TLS. EST mandates that the EST client must verify the server certificate received from the EST server when the underlying TLS connection is established. In order for the EST client to perform this server certificate verification it must first be given the necessary CA certificate(s) needed to perform the verification. The EST_OPENSSL_CACERT environment variable is used to pass down the CA certificate to the TLS function within OpenSSL so that it can verify the server certificate during the GET /cacerts request.

When using the '-v' option for both the estclient and estserver applications, the logs will show that a connection has been established, that the GET /cacerts request is sent by the estclient app, and that the estserver app receives the request and sends back the configured CA certificates.

Hope this helps, Pete
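The exchange Pete describes, reproduced by hand as an added example (this is not libest's own code): the client presents a trust anchor for the TLS handshake, fetches /cacerts, decodes the base64 PKCS#7 body into PEM, and compares the returned CA against the anchor it bootstrapped with. It assumes curl and openssl are installed; the host, port and file names are placeholders, and the comparison looks only at the first certificate in each file.

```shell
#!/bin/sh
# Added example, not part of libest. Mirrors what
#   EST_OPENSSL_CACERT=anchor.pem estclient -g -s HOST -p PORT -o DIR --pem-output
# does, but with curl so each step is visible.
set -eu

# Decode an EST /cacerts body (base64 PKCS#7 DER) into PEM certificates on stdout.
# Line breaks are stripped first so both single-line and wrapped base64 decode.
est_cacerts_to_pem() {
    tr -d '\r\n' | openssl base64 -d -A | openssl pkcs7 -inform DER -print_certs
}

# SHA-256 fingerprint of the first certificate in a PEM file, lowercase hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Fetch /cacerts over TLS. --cacert is the out-of-band trust anchor, the same role
# EST_OPENSSL_CACERT plays for estclient: without it the server cannot be verified.
# Usage: est_get_cacerts HOST PORT ANCHOR_PEM OUT_PEM
est_get_cacerts() {
    curl -sS --cacert "$3" "https://$1:$2/.well-known/est/cacerts" \
        | est_cacerts_to_pem > "$4"
}

# Defender's sanity check: does the CA the server handed back match the anchor
# we trusted for the handshake? Returns 0 on match, 1 otherwise.
# Usage: check_cacerts_match RETRIEVED_PEM ANCHOR_PEM
check_cacerts_match() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}
```

A real /cacerts response may carry more than one certificate (a chain or several CAs); the fingerprint check only confirms the anchor is among what came back, the TLS verification is what actually protects the fetch.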