EST enrollment of application certificates using CLI

Prerequisite:

  • Ensure IDEVID certificate is present in the switch.

  • Add IDEVID root certificate to the trusted certificate list of the EST server.

  • Add EST server root certificate to the switch TA profile.

  • Synchronize time between the switch and the EST server.

Following is the workflow for manual configuration of EST enrollment for application certificate:

  1. Manually configure EST server profile such as profile name, server URL, retry interval, retry count, and authorization mechanism. The switch connects with EST server through the configured URL.

    To configure the EST server, see Configuration commands.

  2. Create a TA profile, certificate name with CSR attributes, and initiate enrollment, using following command:

    crypto pki enroll-est-cert <profile-name> certificate-name <cert-name> ta-profile <ta-profile-name> key-type usage subject

    NOTE:

    • The entered CSR attributes are stored in the configuration records.

    • The switch sends GET/cacerts request to the EST server. CA certificate sent by the server is installed in the switch with the TA profile created in step 2.

    • Installed IDEVID certificates establish mutual TLS session between the switch and the EST server.

    • If a client tries to access the EST server database without authentication, the switch displays the 401 unauthorized access error with nonce, qop, and realm messages.

  3. Generate CSR and send POST/simpleenroll request to EST server.

  4. Validate that the certificate is signed with CA certificate installed in step 2.

  5. Install the application certificate with certificate name configured in step 2.