Open Simkiw opened 8 months ago
toddgaunt-gs
commented
7 months ago Hello Simkiw,
We already support generating the CSR in another command, estclient csr which defaults to stdout, which can be used together with estclient enroll to get a certificate issued from an EST server. Does this not suit your use case?
Regards, Todd Gaunt
61131
commented
7 months ago @toddgaunt-gs - The request for client generation of CSR at run-time based upon tls-unique (TLSv1.2) or tls-exporter (TLSv1.3) is in line with RFC 7030 requirements for linking identity and client proof-of-possession of the CSR private key. See Section 3.5 of RFC 7030 for details. While not mandatory, this functionality is highly useful to ensure the authenticity of the EST request.
Simkiw
commented
7 months ago Exactly @61131
@toddgaunt-gs , I actually looked at the client implementation too.
I have seen no flags for the challenge password, which is supposed to hold the TLS-unique for TLS 1.2 and, I guess tls-exporter for TLS 1.3 (the RFC 7030 has not updated it yet)
And no sign of it in pemfile package as well.
toddgaunt-gs
commented
7 months ago Thanks for the clarification both of you. This would be useful feature to implement indeed. Since this is meant as an example EST service and we don't use this functionality in our own environment this likely won't be prioritized for implementation, however I'd be happy to accept a PR implementing this functionality and to get another developer and myself to review it.
Simkiw
commented
7 months ago Sure,
I can give myself a shot :)
Hello,
The package implements different APIs of EST protocol.
It expects the CSR to be ready for use, like in the enroll method.
Is it possible to generate the CSR at runtime?
And can we fetch the TLS unique value from the current client implementation?
Typical use-case: include TLS-unique value (in TLS 1.2) Such as, after establishing the TLS connection between server and client,
Thank you very much