File: README

Package: libest 3.2.0+ds-1.1 (Debian)
This directory contains a sample EST client application.  It uses
OpenSSL as the TLS stack for the HTTPS requests and for certificate and
crypto operations, and libest for the EST protocol itself.
This README assumes the example EST server is already running on the
local host and listening on port 8085.

To build the example on Windows:

Prerequisite: The EST sample applications use the GNU getopt library for command line
              argument parsing.  getopt is not part of the C library shipped with
              Microsoft Visual Studio.  An open source port of getopt is available under the
              LGPL3 license and must be obtained separately from the link below:
              http://www.codeproject.com/Articles/157001/Full-getopt-Port-for-Unicode-and-Multibyte-Microso
              Download the archive, which provides the two source files getopt.c and getopt.h,
              and place both files in the "util" directory.

1.  Set the following environment variables to tell the Gradle build script
    where to find your installations of OpenSSL and EST:

    EST_DIR - must contain the est.lib import library and the est.dll binary

    set EST_DIR=C:\PathToYourLibraryInstalls\EST

    SSL_DIR - must contain an "include" subdirectory for the OpenSSL header files,
              a "bin" subdirectory for the OpenSSL DLLs, and a "lib" subdirectory
              for the OpenSSL import libraries

    set SSL_DIR=C:\PathToYourLibraryInstalls\OpenSSL

    PATH - must contain the path to your Visual Studio 2013 VC bin directory
           ahead of any other Visual Studio bin directory, and the path to
           your Gradle executable (which should already be in PATH)

    set PATH=C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin;%PATH%
    
2.  From the "example" directory, type:

    gradle -b build_examples.gradle clean
    
    to clean out any prior builds and then:
    
    gradle -b build_examples.gradle build
    
    to build both estclient and estclient_simple executables.
    The executables are placed in the directory shown below:
    
    example\build\exe\estclient\estclient.exe
    
    example\build\exe\estclient_simple\estclient_simple.exe
           
To run the example:

1.  Set LD_LIBRARY_PATH to include the directories where libest.so
    and the OpenSSL libraries (libcrypto.so and libssl.so) are installed.

    export LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/est/lib

    On Windows, set the PATH environment variable to the directories where
    libeay32.dll and ssleay32.dll are installed and where est.dll
    is installed.

    set PATH=C:\PathToYourLibraryInstalls\EST;C:\PathToYourLibraryInstalls\OpenSSL\bin;%PATH%

2.  Set the following environment variable to specify the location
    of the file containing the CA certificates used to verify the
    server's TLS certificate.  This file is the client's trust anchor:
    estclient will only complete the TLS handshake with an EST server
    whose certificate chains to a CA in it.  In this example we use the
    trusted certs for the example EST server:

    export EST_OPENSSL_CACERT=../server/estCA/cacert.crt

    On Windows, the command would appear as follows:

    set EST_OPENSSL_CACERT=..\server\estCA\cacert.crt

3.  Produce a new private key, connect to the EST server listening on port 8085,
    and request a new certificate.  The example EST server uses the user ID and
    password estuser/estpwd:

    ./estclient -e -s 127.0.0.1 -p 8085 -u estuser -h estpwd -o /tmp

    Note: The new private key is stored at /tmp/key-x-x.pem.  /tmp is used
    here only for convenience; on a shared host, give -o a directory that
    only your user can read so the private key is not exposed.
    To inspect the certificate in the enrollment response, use this command:

    openssl base64 -d -in /tmp/cert-0-0.pkcs7 | \
        openssl pkcs7 -inform DER -text -print_certs

    Instead of producing a new key along with a (re-)enrollment request,
    you may use an existing key stored in a PEM file
    or generate a fresh one yourself, using for instance the following command:

    openssl ecparam -name prime256v1 -genkey -out privkey.pem

    To use an existing private key for the CSR, supply it using the -x option:

    ./estclient -e -s 127.0.0.1 -p 8085 -u estuser -h estpwd -x privkey.pem -o /tmp

    You may also use an existing CSR for enrollment, supplied using the -y option:

    ./estclient -e -s 127.0.0.1 -p 8085 -u estuser -h estpwd -y req.p10 -o /tmp

4.  Optionally, you can request the CSR attributes (the csrattrs request
    defined in RFC 7030) as a standalone request or as part of the enroll.
    For a standalone CSR attributes request use the following command:

    ./estclient -a -s 127.0.0.1 -p 8085 -o /tmp

    To view the CSR attributes obtained this way, you may use:

    openssl base64 -d -A -in /tmp/csr-0-0.base64 | \
        openssl asn1parse -inform DER

    Then you can perform the enroll using this command:

    ./estclient -e -a -s 127.0.0.1 -p 8085 -u estuser -h estpwd -o /tmp

5.  Optionally, you can use a certificate to identify the EST client
    to the server instead of specifying the HTTP user name/password.
    Now that you've enrolled a certificate in step #3 above, you can
    use that certificate to enroll again.  The key given with -k must
    be the private key that was generated with that certificate, or the
    TLS client-certificate handshake will fail.  Note that your EST
    server must be configured not to require HTTP authentication in
    addition to the client certificate.

    First, convert the pkcs7 cert from step 3 to a PEM cert:

    openssl base64 -d -in /tmp/cert-0-0.pkcs7 | \
        openssl pkcs7 -inform DER -print_certs -out /tmp/cert-0-0.pem

    Next, save the private key:

    cp /tmp/key-x-x.pem /tmp/savekey.pem

    Next, use this cert as identity to do another enroll operation:

    ./estclient -e -s 127.0.0.1 -p 8085 -c /tmp/cert-0-0.pem \
        -k /tmp/savekey.pem -o /tmp

Note:  RFC 7030 requires the enrolled certificate to be returned as base64-encoded
       PKCS7 (a certs-only CMS SignedData).  This encoding isn't very useful for most
       applications.  The estclient includes the --pem-output option as a convenience
       to convert the newly enrolled certificate to PEM format.  When not using the
       --pem-output option, the following OpenSSL command can be used to convert
       base64 PKCS7 to PEM:

       openssl base64 -d -in /tmp/newcert.pkcs7 | \
           openssl pkcs7 -inform DER -print_certs -out /tmp/savecert.pem
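The following script is an added example and is not part of the libest
sources.  It packages the checks a practitioner wants between step 3 and
step 5: convert the base64 PKCS7 response to PEM (the pipeline from the
note above), confirm the new certificate chains to the CA in
EST_OPENSSL_CACERT, and confirm the private key actually belongs to that
certificate before the pair is handed to -c/-k.  It needs only the openssl
CLI.  The file names cert-0-0.pkcs7 and key-0-0.pem follow the step 3
naming (key-0-0.pem is assumed to be the instance of key-x-x.pem that goes
with cert-0-0.pkcs7).  Because this README assumes a running server and
the script must also work without one, make_fixtures builds a constructed
stand-in for the server's response (a throwaway CA, key and certificate,
wrapped in base64 PKCS7 with openssl crl2pkcs7); those fixtures are not
anything the example server produces.

```shell
#!/bin/sh
# Added example, not part of the libest sources.  Checks the files that
# estclient -o writes (cert-0-0.pkcs7, key-0-0.pem; the latter name is an
# assumption based on the key-x-x.pem pattern) before the pair is reused
# with -c/-k in step 5.  Only the openssl CLI is needed.
set -eu

# pkcs7_to_pem RESPONSE.pkcs7 OUT.pem
# The README's conversion: base64 text -> DER PKCS7 -> PEM certificate(s).
pkcs7_to_pem() {
    openssl base64 -d -in "$1" |
        openssl pkcs7 -inform DER -print_certs -out "$2"
}

# check_enrollment CACERT CERT.pem KEY.pem
# Succeeds only if CERT chains to CACERT (the trust anchor estclient used
# for the TLS connection) and KEY is the private key for CERT's public key.
# The comparison is on the SubjectPublicKeyInfo PEM, which both commands
# emit in the same canonical form.
check_enrollment() {
    ca=$1; cert=$2; key=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# make_fixtures DIR
# Constructed stand-in for the example server so the checks can run with
# no EST server: a throwaway CA, a prime256v1 key, a cert the CA signs for
# it, and that cert wrapped as base64 PKCS7 the way an RFC 7030 enrollment
# response is.  otherkey.pem is an unrelated key for the negative case.
make_fixtures() {
    d=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key"
    openssl req -x509 -new -batch -key "$d/ca.key" -subj "/CN=constructed EST CA" \
        -days 1 -out "$d/cacert.crt"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/key-0-0.pem"
    openssl req -new -batch -key "$d/key-0-0.pem" -subj "/CN=estuser" -out "$d/req.p10"
    openssl x509 -req -in "$d/req.p10" -CA "$d/cacert.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem"
    openssl crl2pkcs7 -nocrl -certfile "$d/leaf.pem" -outform DER |
        openssl base64 -out "$d/cert-0-0.pkcs7"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/otherkey.pem"
}

# demo DIR: build the fixtures in DIR and run the checks on them.
demo() {
    make_fixtures "$1" >/dev/null 2>&1
    pkcs7_to_pem "$1/cert-0-0.pkcs7" "$1/cert-0-0.pem"
    if check_enrollment "$1/cacert.crt" "$1/cert-0-0.pem" "$1/key-0-0.pem"; then
        echo "ok: cert-0-0.pem chains to cacert.crt and matches key-0-0.pem"
    else
        echo "FAIL: do not reuse this key/cert pair with -c/-k" >&2
        return 1
    fi
}

# Usage:  sh check_enroll.sh --demo      (constructed fixtures, no server needed)
# Against real estclient output, after step 3:
#   pkcs7_to_pem /tmp/cert-0-0.pkcs7 /tmp/cert-0-0.pem
#   check_enrollment "$EST_OPENSSL_CACERT" /tmp/cert-0-0.pem /tmp/key-0-0.pem
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    demo "$d"
    rm -rf "$d"
fi
```

check_enrollment is deliberately strict: a certificate that verifies but
whose key does not match (for example because estclient was run twice and
the wrong key-x-x.pem was copied to savekey.pem) is reported as a failure
rather than discovered later as a TLS handshake error in step 5.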