There are issues with the enrollment protocols used today to distribute trusted identities to things. The latest standardized certificate enrollment protocol, Enrollment over Secure Transport (EST), solves these problems. “We are happy to announce that we are one of the first in the world to launch server-side support for EST in a commercially available certificate authority (CA) software,” says Martin Furuhed at identity and security company Nexus Group.
Things and software need trusted identities to be able to communicate securely and avoid hijacking. The trustworthiness of the identities is ensured by digital certificates, which are obtained either manually or via online services using different certificate enrollment protocols.
“EST offers a more streamlined process and is easier to handle than the certificate enrollment protocols that are used today. EST is also more secure and comprehensive,” says Martin Furuhed, product owner of Nexus Certificate Manager, one of the first commercial CA software products to provide support for EST.
The widely used certificate enrollment protocol Simple Certificate Enrollment Protocol (SCEP) has no support for server-side generation and distribution of keys, and its functionality for renewing client and CA certificates is deficient.
“Another problem with SCEP is that it is not standardized, so there are different implementations that can have problems working together. All of these issues are resolved with EST,” says Furuhed.
The certificate enrollment protocols Certificate Management Protocol (CMP) and Certificate Management over CMS (CMC) are standardized and have good functionality – but they are more complex to implement in clients compared to EST and SCEP and have quite a low use rate in less capable devices.
“Another important benefit of EST is that it enables the use of Elliptic Curve Cryptography (ECC), which is a more lightweight cryptosystem than RSA, making it more suitable for resource-constrained devices.”
EST also offers re-enrollment for obtaining new client certificates as well as updating of CA certificates, which is important for life-cycle handling of devices and for meeting security requirements for the internet of things (IoT), according to Furuhed.
“The fact that EST speeds up the procedures and reduces the need for manual intervention makes it feasible to manage highly complex IoT environments. And in less complex environments, automatization reduces costs and improves security. We think that EST will become the most widely used protocol for obtaining and renewing certificates.”
But getting a new protocol rolling is a bit of a challenge. If there is a lack of server-side support, manufacturers are reluctant to implement client support – and if there are few clients supporting the protocol, CA software suppliers are hesitant to invest in the development of server-side support.
EST was standardized in 2013 as RFC 7030, with Cisco as the main contributor, and Cisco has built a reference implementation for testing purposes.
“Nexus is among the very first companies with EST support in a commercial product. To us it is important to always be in the forefront,” says Furuhed.
Nexus is also collaborating with the Swedish non-profit research organization RISE SICS on a new, very lightweight and fully automated certificate enrollment protocol, which will be used to give highly resource-constrained things trusted identities.
“EST is perfect for things such as ATMs, surveillance cameras, routers, servers and smart home devices. Now that there are commercial EST servers available, we believe the number of manufacturers that will build client support for EST will grow quickly. It is also possible to incorporate EST support with a firmware upgrade for existing devices,” says Furuhed.
It is not possible to automatically revoke certificates via EST. This has to be done via the CA software, and to make it as easy and streamlined as possible, Nexus is releasing a REST API for Certificate Manager.
“The REST API enables customers and developers to more easily build customizations for registration of devices and revocation of certificates. The REST API is one of several alternatives for administrators to make use of services in Certificate Manager,” says Furuhed.