EJBCA ECA-6653

EST re-enrollment should not also require username and password authentication


    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.12.0
    • Component/s: None
    • Labels:
    • Issue discovered during:
    • Sprint: EJBCA Sprint 9


      A typical EST workflow can look like this:

      EST Alias:

      • Management CA,
      • Authentication
      • ENDUSER
      • Not require client cert
      • Username and password
      • Allow Certificate Renewal with Same Keys

      Get the CA certificate, by the "RA":
      ./estclient -g -s -p 8442 -o certs --pem-output

      openssl x509 -in certs/cacert-0-0.pem -text|less

      Get a client certificate, by the "RA", authenticated with username/password:
      ./estclient -e -s -p 8442 -o certs -u estadmin -h foo123 --pem-output --common-name myclient

      openssl x509 -in certs/cert-0-0.pem -text|less

      Re-enroll, directly by the client when certificate is about to expire, using the old client cert to authenticate with:
      ./estclient -r -s -p 8443 -o certs -c certs/cert-0-0.pem -k certs/key-x-x.pem --pem-output

      openssl x509 -in certs/cert-0-0.pem -text|less

      Revoke the client's certificates.

      Try to re-enroll again; re-enrolling with a revoked certificate must not work:
      ./estclient -r -s -p 8443 -o certs -c certs/cert-0-0.pem -k certs/key-x-x.pem --pem-output

      In order to use the RA, we use username and password authentication. Re-enrollment always requires client certificate authentication, so username/password does not have to be enabled for the RA to enroll. When the client wants to re-enroll, however, it should not need the username/password that the RA uses. The client should authenticate only with its old certificate.
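The following is an added example, not EJBCA's own code: a small Python model of the authentication policy this ticket asks for, replaying the workflow above. The names `Cert`, `EstAlias`, `Request`, `authorize` and `ticket_workflow` are constructed for the example, certificates are plain records rather than parsed X.509, and the alias settings are constructed to mirror the ones listed above (Management CA, username/password, client certificate not required, renewal with the same keys allowed). Beyond the ticket's own steps it also applies the RFC 7030 rule that a re-enrollment CSR must carry the subject of the certificate being renewed, and the alias's "Allow Certificate Renewal with Same Keys" switch.

```python
"""Toy model of the EST authentication policy requested in ECA-6653.

Added example, not EJBCA's own code. Certificates are plain records
(no X.509 parsing); alias settings are constructed to mirror the ticket.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    key_id: str  # stand-in for the public key (constructed)


@dataclass
class EstAlias:
    ca_name: str
    require_client_cert: bool = False   # "Not require client cert"
    allow_password_auth: bool = True    # "Username and password"
    allow_renew_same_keys: bool = True  # "Allow Certificate Renewal with Same Keys"
    credentials: Dict[str, str] = field(default_factory=dict)  # RA username -> password
    revoked: Set[Tuple[str, int]] = field(default_factory=set)  # (issuer, serial)


@dataclass
class Request:
    operation: str                                 # "simpleenroll" or "simplereenroll"
    csr_subject: str
    csr_key_id: str
    basic_auth: Optional[Tuple[str, str]] = None   # HTTP Basic (username, password)
    client_cert: Optional[Cert] = None             # TLS client certificate, if any


def _password_ok(alias: EstAlias, basic_auth: Optional[Tuple[str, str]]) -> bool:
    if not alias.allow_password_auth or basic_auth is None:
        return False
    user, password = basic_auth
    return alias.credentials.get(user) == password


def _client_cert_ok(alias: EstAlias, cert: Optional[Cert]) -> bool:
    if cert is None or cert.issuer != alias.ca_name:
        return False
    return (cert.issuer, cert.serial) not in alias.revoked


def authorize(alias: EstAlias, req: Request) -> Tuple[bool, str]:
    """Decide one EST request; returns (accepted, reason)."""
    if req.operation == "simpleenroll":
        # Initial enrollment (done by the RA in the ticket): a client cert is
        # accepted when present; otherwise the alias decides whether
        # username/password is sufficient.
        if _client_cert_ok(alias, req.client_cert):
            return True, "client certificate"
        if alias.require_client_cert:
            return False, "client certificate required"
        if _password_ok(alias, req.basic_auth):
            return True, "username/password"
        return False, "no valid credentials"

    if req.operation == "simplereenroll":
        # Re-enrollment is authenticated by the certificate being renewed only;
        # username/password, if sent, is neither required nor consulted, so the
        # client never needs the RA's credentials.
        cert = req.client_cert
        if cert is None:
            return False, "client certificate required for re-enrollment"
        if not _client_cert_ok(alias, cert):
            return False, "client certificate revoked or not issued by alias CA"
        if req.csr_subject != cert.subject:
            # RFC 7030 section 4.2.2: the renewal CSR keeps the old subject.
            return False, "CSR subject does not match certificate being renewed"
        if req.csr_key_id == cert.key_id and not alias.allow_renew_same_keys:
            return False, "renewal with the same key pair is not allowed"
        return True, "existing client certificate"

    return False, "unsupported operation " + req.operation


def ticket_workflow() -> List[Tuple[str, bool]]:
    """Replay the ticket's steps against the model; returns (step, accepted)."""
    alias = EstAlias(ca_name="Management CA", credentials={"estadmin": "foo123"})
    cert = Cert(subject="CN=myclient", issuer="Management CA", serial=1001, key_id="key-1")
    steps = [
        ("RA enrolls with username/password",
         Request("simpleenroll", "CN=myclient", "key-1", basic_auth=("estadmin", "foo123"))),
        ("client re-enrolls with old cert, no password",
         Request("simplereenroll", "CN=myclient", "key-2", client_cert=cert)),
        ("client re-enrolls with the RA password only",
         Request("simplereenroll", "CN=myclient", "key-2", basic_auth=("estadmin", "foo123"))),
    ]
    results = [(name, authorize(alias, r)[0]) for name, r in steps]
    alias.revoked.add((cert.issuer, cert.serial))  # "Revoke the client's certificates"
    results.append(("client re-enrolls after revocation",
                    authorize(alias, Request("simplereenroll", "CN=myclient", "key-2",
                                             client_cert=cert))[0]))
    return results


if __name__ == "__main__":
    for step, ok in ticket_workflow():
        print(("ACCEPT" if ok else "REJECT") + "  " + step)
```

Run as a script it prints one line per step of the ticket's workflow: the RA's password enrollment and the certificate-only re-enrollment are accepted, while re-enrollment with the RA's password alone and re-enrollment with the revoked certificate are rejected. The point of the model is that the two code paths consult different credentials, so the client's re-enrollment never depends on the username/password configured for the RA.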


    • Assignee: Tomas Gustavsson
    • Verified by: Mike Agrenius Kushner
    • Votes: 0
    • Watchers: 2