toddgaunt-gs
commented
7 months ago After a brief skim of the EST RFC, it looks like there is this option in 7.3.3
"If the certificate to be renewed or rekeyed is appropriate for the negotiated cipher suite, then the client MUST use it for the TLS handshake, otherwise the client SHOULD use an alternate certificate that is suitable for the cipher suite and contains the same subject identity information."
I think supporting such a use-case is beyond the scope of the original intent of this project, but if there is a patch you or someone else would be interested in submitting that would allow you to use the EST server implementation that makes such work easier I'd be happy to review it.
During reenrollment it is required that the certificate used to authenticate, must be same as obtained during enrollment. Unfortunately it cannot work in a case when est server is communicating with client which is not using this cert directly.
E.g. when EST server is communicating with a registrar from this RFC: https://datatracker.ietf.org/doc/html/rfc9148#name-https-coaps-registrar In mentioned case Registrar cannot use certificate obtained during enrollment as it is EST client's certificate, and private key of this client is not available on Registrar.
It would be nice to disable such check by introducing some flag to config, so it could be turned off in that case.