Certificate Enrollment with libEST Container
Endi S. Dewata edited this page Jan 24, 2023 · 4 revisions
This page describes the certificate enrollment process using libEST's `estclient` running in a container. The commands assume an EST server reachable as `pki.example.com:8443` on the same `example` network.

To start the client container:

```sh
$ podman run \
    --name client \
    --hostname client.example.com \
    --network example \
    --network-alias client.example.com \
    -it \
    --detach \
    quay.io/dogtagpki/libest
```
To get the CA certificate chain from the server's `/cacerts` endpoint:

```sh
$ podman exec client curl -o cacert.p7 -k https://pki.example.com:8443/.well-known/est/cacerts
```

Note that `-k` disables TLS certificate verification: this first fetch is a trust-on-first-use bootstrap, so the chain it returns is not trustworthy until the root certificate's fingerprint has been compared with one obtained out of band (for example from the CA operator). Every later request is verified against this chain, so a wrong chain here compromises the whole enrollment.
The response is a base64-encoded, certs-only PKCS#7 structure in DER. To decode it into DER:

```sh
$ podman exec client openssl base64 -d -in cacert.p7 -out cacert.p7.der
```

To convert the DER certificate chain into PEM certificates:

```sh
$ podman exec client openssl pkcs7 -in cacert.p7.der -inform DER -print_certs -out cacert.pem
```

To inspect the certificates:

```sh
$ podman exec client openssl x509 -in cacert.pem -text -noout
```

`openssl x509` prints only the first certificate in the file; if the chain contains several (root plus issuing CA), inspect the `subject=`/`issuer=` lines that `-print_certs` wrote into `cacert.pem` to see all of them.
To enroll a certificate, pointing `estclient` at the CA chain it should trust for the TLS connection (`EST_OPENSSL_CACERT`) and authenticating with HTTP Basic credentials (`-u` username, `-h` password):

```sh
$ podman exec -e EST_OPENSSL_CACERT=cacert.pem client estclient \
    -e \
    -s pki.example.com \
    -p 8443 \
    --common-name client.example.com \
    -o . \
    -u <username> \
    -h <password>
```

Here `-e` requests a simple enrollment, `-s`/`-p` give the server and port, and `-o .` writes the output to the container's current directory. Because the password is passed as a command-line argument it is visible in the process list for the duration of the command.

The certificate chain will be stored in `cert-0-0.pkcs7`.
As with the CA chain, the enrollment response is base64-encoded DER PKCS#7. To decode it into DER:

```sh
$ podman exec client openssl base64 -d -in cert-0-0.pkcs7 -out cert-0-0.pkcs7.der
```

To convert the DER certificate chain into PEM certificates:

```sh
$ podman exec client openssl pkcs7 -in cert-0-0.pkcs7.der -inform DER -print_certs -out cert.pem
```

To inspect the enrolled certificate:

```sh
$ podman exec client openssl x509 -in cert.pem -text -noout
```

The enrolled certificate should verify against the chain obtained from `/cacerts` (`openssl verify -CAfile cacert.pem cert.pem`); if it does not, either the chain was tampered with during the unverified bootstrap fetch or the server issued from a different CA than it advertises.
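The whole procedure above, as an added example that is not part of libEST or this page: it runs the same base64 to DER to PEM conversion offline and adds the checks a practitioner wants around it, namely pinning the `/cacerts` chain to a root fingerprint obtained out of band, listing every certificate in the chain (not just the first one `openssl x509` shows), and verifying that the enrolled certificate chains to that CA. Because it has to run without a server, a root CA, an issuing CA and an enrolled client certificate are generated locally with `openssl` to stand in for the EST responses; the host names are the page's placeholders and `openssl` 1.1.1 or 3.x on PATH is assumed.

```shell
#!/bin/sh
# Added example, not part of libEST or this page. Stand-in material is
# generated with openssl; nothing here talks to a real EST server.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the CA certificates carry CA:TRUE regardless of
# the system openssl.cnf (assumption: openssl 1.1.1 or 3.x is on PATH).
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# The page's two conversion steps as one function:
# $1 = base64 PKCS#7 as returned by EST, $2 = PEM bundle to write.
pkcs7_to_pem() {
    openssl base64 -d -in "$1" -out "$1.der"
    openssl pkcs7 -in "$1.der" -inform DER -print_certs -out "$2"
}

# Number of certificates in a PEM bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Subject of every certificate in a bundle, one per line.
list_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | sed -n 's/^subject=//p'
}

# SHA-256 fingerprint of every certificate in a bundle, one per line.
# The bundle is split into one file per PEM block because x509 reads
# only the first certificate of a file.
fingerprints() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++; f = "piece-" n ".pem"; p = 1 }
         p { print > f }
         /-----END CERTIFICATE-----/ { p = 0 }' "$1"
    for f in piece-*.pem; do
        openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2
    done
    rm -f piece-*.pem
}

# Succeeds only if certificate $2 chains to the CA bundle $1.
verify_enrolled() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# --- constructed stand-in for the EST server (not real EST traffic) ---
key='ec -pkeyopt ec_paramgen_curve:P-256'
openssl req -x509 -config ca.cnf -newkey $key -nodes -keyout root.key \
    -out root.pem -subj '/CN=Example Root CA' -days 1 2>/dev/null
openssl req -new -config ca.cnf -newkey $key -nodes -keyout int.key \
    -out int.csr -subj '/CN=Example Issuing CA' 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions ca_ext -out int.pem -days 1 2>/dev/null
openssl req -new -config ca.cnf -newkey $key -nodes -keyout client.key \
    -out client.csr -subj '/CN=client.example.com' 2>/dev/null
openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out client.pem -days 1 2>/dev/null

# What /cacerts and the enrollment return: base64 DER, certs-only PKCS#7.
cat root.pem int.pem > chain.pem
openssl crl2pkcs7 -nocrl -certfile chain.pem -outform DER | openssl base64 -out cacert.p7
openssl crl2pkcs7 -nocrl -certfile client.pem -outform DER | openssl base64 -out cert-0-0.pkcs7

# --- the page's procedure, with the checks added ---
pkcs7_to_pem cacert.p7 cacert.pem
PINNED_ROOT=$(fingerprints root.pem)   # in real use: a value obtained out of band
fingerprints cacert.pem | grep -qxF "$PINNED_ROOT" ||
    { echo "cacerts response does not contain the pinned root"; exit 1; }
echo "CA chain from /cacerts:"; list_subjects cacert.pem

pkcs7_to_pem cert-0-0.pkcs7 cert.pem
if verify_enrolled cacert.pem cert.pem; then
    echo "enrolled certificate chains to the pinned CA"
else
    echo "enrolled certificate does NOT chain to the pinned CA"; exit 1
fi
```

In the container workflow, `PINNED_ROOT` would be the fingerprint handed over by the CA operator rather than computed from a locally generated root, and the `pkcs7_to_pem` calls would run on the files produced by `curl` and `estclient`; the pinning check is what turns the `curl -k` fetch from blind trust into a verifiable bootstrap. Verifying with only the root (without the issuing CA from the chain) fails, which is why the full `/cacerts` bundle, not just the root, must be kept for `EST_OPENSSL_CACERT` and for later verification.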