Generate CSR at runtime

[Simkiw]

Hello,

The package implements different APIs of EST protocol.
It expects the CSR to be ready for use, like in the enroll method.

Is it possible to generate the CSR at runtime?
And can we fetch the TLS unique value from the current client implementation?

Typical use-case: include TLS-unique value (in TLS 1.2)
Such as, after establishing the TLS connection between server and client,

1. the TLS unique value can be retrieved from the client
2. the TLS unique value can included in the CSR
3. The CSR can be signed with my private key
4. Pass the signed CSR to the EST enroll method

Thank you very much

[toddgaunt-gs]

Hello Simkiw,

We already support generating the CSR in another command, estclient csr which defaults to stdout, which can be used together with estclient enroll to get a certificate issued from an EST server. Does this not suit your use case?

Regards,
Todd Gaunt

[61131]

@toddgaunt-gs - The request for client generation of CSR at run-time based upon tls-unique (TLSv1.2) or tls-exporter (TLSv1.3) is in line with RFC 7030 requirements for linking identity and client proof-of-possession of the CSR private key. See Section 3.5 of RFC 7030 for details. While not mandatory, this functionality is highly useful to ensure the authenticity of the EST request.

[Simkiw]

Exactly @61131

@toddgaunt-gs , I actually looked at the client implementation too.
I have seen no flags for the challenge password, which is supposed to hold the TLS-unique for TLS 1.2 and, I guess tls-exporter for TLS 1.3 (the RFC 7030 has not updated it yet)
And no sign of it in pemfile package as well.

[toddgaunt-gs]

Thanks for the clarification both of you. This would be useful feature to implement indeed. Since this is meant as an example EST service and we don't use this functionality in our own environment this likely won't be prioritized for implementation, however I'd be happy to accept a PR implementing this functionality and to get another developer and myself to review it.

[Simkiw]

Sure,
I can give myself a shot :)