globalsign / est

An implementation of the Enrollment over Secure Transport (EST) certificate enrollment protocol
MIT License

Support Custom URL strings #25

Closed brokoler closed 1 year ago

brokoler commented 2 years ago

Hello,

I'm trying to use the estclient for certificate enrollment together with an Aruba Clearpass server, which also provides an EST URL.

After installing the estclient successfully, I downloaded all required server certificates to my linux host and tried to enroll a certificate. Since the Clearpass URL doesn't listen on https://<EST-SERVER-IP-ADDRESS>/.well-known/est/simpleenroll but instead listens to https://<EST-SERVER-IP-ADDRESS>/.well-known/est/ca:<NUMBER> it's not possible to enroll a certificate.

The estclient only expects the server IP address and the listening port and appends the string /.well-known/est/simpleenroll automatically, so no custom paths are supported.

Feature request:

toddgaunt-gs commented 1 year ago

Hello @brokoler, sorry you didn't get a response sooner. The estclient was designed this way because of the specification in the EST RFC. That section of the URL, ca:<NUMBER>, can be included with this client using the -aps flag when enrolling. This is the additional path segment mentioned in RFC 7030 section 3.2.2.

Since this is supported, I don't think a -server flag is warranted. Hopefully this solves your problem!
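The RFC 7030 section 3.2.2 URL layout referred to above, shown as an added Go example that is not part of the globalsign/est code base and does not use its API. `ESTURL` assembles an EST request URL from a host, an optional additional path segment (the value you would hand to -aps) and an operation name; `LabelFromPath` does the reverse, taking the path a server advertises and returning the label to pass. The host `est.example.com:8443` and the label `ca:1` are constructed for the example; the only real EST operation names are the six from the RFC, and the label validation rejects anything that would not survive as a single path segment.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// The EST operations defined in RFC 7030 section 3.2.2. Each one is the
// last path segment of an EST URI, after the well-known prefix and the
// optional additional path segment.
var estOperations = map[string]bool{
	"cacerts":        true,
	"simpleenroll":   true,
	"simplereenroll": true,
	"fullcmc":        true,
	"serverkeygen":   true,
	"csrattrs":       true,
}

const estWellKnown = "/.well-known/est"

// validLabel reports whether label is usable as the RFC 7030 "additional
// path segment": exactly one non-empty segment, so no "/", no query or
// fragment delimiters, and not a dot segment that URL cleaning would swallow.
func validLabel(label string) bool {
	if label == "" || label == "." || label == ".." {
		return false
	}
	return !strings.ContainsAny(label, "/?#\\ ")
}

// ESTURL builds the HTTPS request URL for one EST operation. label is the
// optional additional path segment; pass "" for the default EST path.
func ESTURL(host, label, operation string) (string, error) {
	if !estOperations[operation] {
		return "", fmt.Errorf("unknown EST operation %q", operation)
	}
	if host == "" {
		return "", errors.New("empty host")
	}
	segs := []string{estWellKnown}
	if label != "" {
		if !validLabel(label) {
			return "", fmt.Errorf("invalid additional path segment %q", label)
		}
		segs = append(segs, label)
	}
	segs = append(segs, operation)
	// url.URL escapes the path where needed; ":" is a legal path character
	// and is left alone, so a label such as "ca:1" survives unchanged.
	u := url.URL{Scheme: "https", Host: host, Path: strings.Join(segs, "/")}
	return u.String(), nil
}

// LabelFromPath takes the path a server advertises, with or without a
// trailing operation name, and returns the additional path segment it
// contains. An empty label means the plain /.well-known/est layout.
func LabelFromPath(p string) (string, error) {
	rest := strings.TrimPrefix(p, estWellKnown)
	if rest == p || (rest != "" && !strings.HasPrefix(rest, "/")) {
		return "", fmt.Errorf("%q is not under %s", p, estWellKnown)
	}
	rest = strings.Trim(rest, "/")
	if rest == "" {
		return "", nil
	}
	segs := strings.Split(rest, "/")
	// Drop a trailing operation name; whatever is left must be the label.
	if estOperations[segs[len(segs)-1]] {
		segs = segs[:len(segs)-1]
	}
	switch len(segs) {
	case 0:
		return "", nil
	case 1:
		if !validLabel(segs[0]) {
			return "", fmt.Errorf("invalid additional path segment %q", segs[0])
		}
		return segs[0], nil
	default:
		return "", fmt.Errorf("%q has more than one additional path segment", p)
	}
}

func main() {
	// Constructed inputs: a hypothetical EST host and the label "ca:1".
	for _, label := range []string{"", "ca:1"} {
		u, err := ESTURL("est.example.com:8443", label, "simpleenroll")
		fmt.Println(u, err)
	}
	label, err := LabelFromPath("/.well-known/est/ca:1")
	fmt.Printf("label to pass as -aps: %q (err=%v)\n", label, err)
}
```

The server-side path in the original report, `/.well-known/est/ca:<NUMBER>`, is exactly the "label without operation" form that `LabelFromPath` handles: the label it returns is the segment the client then inserts between the well-known prefix and `simpleenroll`.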