We are trying to enroll client certificates for Cisco IOS routers via EST protocol. We use RAs connected with the SubCA cluster via PeerConnect, so all the EST requests are proxied via RA to SubCA. On the SubCA cluster we created a dedicated EST CA for issuing these client certificates.
We tested this concept and everything is working fine, except one thing. EST runs over TLS. The protocol needs to authenticate the client before allowing an enrollment request. So we were forced to import the whole chain of trust (Root CA, SubCA certificates) to router.
On the router there are SUDI certificates issued by Cisco (Public Root CAs). We want to use these certificates to create the initial TLS connection for EST enrollment. How can we add the certificates from Cisco CAs to be trusted by our PKI SubCAs and RAs?
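The mechanism behind the question, as an added example that is not part of the original post and not tied to any particular RA or CA product: the trust store an EST server uses to authenticate TLS clients is independent of the CA that later issues the enrolled certificate, so a root from a foreign PKI (here a constructed `vendor-root` standing in for the vendor root behind a SUDI certificate) can be appended to that trust store while the dedicated EST CA keeps issuing under our own `pki-root`. All names, keys and certificates below are generated locally and are assumptions; the check uses `openssl verify`, which applies the same path validation a TLS server performs on a presented client certificate.

```shell
#!/bin/sh
# Added example (not from the original post): a throw-away local PKI that
# mimics the situation described above. All names are constructed:
#   pki-root     our own PKI root (above the SubCA / EST CA)
#   vendor-root  stand-in for the vendor root behind the router's SUDI cert
#   other-root   an unrelated root that must never be trusted
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the commands work without a system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root CA: $1 = name. Produces $1.key and $1.pem.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$1" -config ca.cnf -extensions v3_ca \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# End-entity certificate: $1 = issuing CA name, $2 = subject name.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config ca.cnf \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 365 -sha256 -out "$2.pem" >/dev/null 2>&1
}

# Does trust bundle $1 accept client certificate $2? Prints yes or no.
# Same path validation a TLS server runs on a client certificate against
# its configured trust store.
accepts() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

make_root pki-root
make_root vendor-root
make_root other-root
issue_cert vendor-root router-sudi   # bootstrap identity the router already holds
issue_cert other-root  stranger      # certificate from a PKI nobody agreed to trust

# Two candidate trust stores for the EST server's TLS client authentication:
cp pki-root.pem only-our-pki.pem                      # our own PKI only
cat pki-root.pem vendor-root.pem > with-vendor.pem    # our PKI plus the vendor root

echo "SUDI cert vs our roots only : $(accepts only-our-pki.pem router-sudi.pem)"  # no
echo "SUDI cert vs bundle+vendor  : $(accepts with-vendor.pem router-sudi.pem)"   # yes
echo "unrelated cert vs bundle    : $(accepts with-vendor.pem stranger.pem)"      # no
```

The bundle that contains the vendor root accepts the SUDI-style certificate and still rejects a certificate from an unrelated root, which is the outcome to aim for when extending the RA's or SubCA's TLS trust store: add exactly the vendor root (or intermediate) that signs the routers' bootstrap identities, nothing broader, and keep the EST CA's own chain as the separate artefact the router needs in order to trust the server.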