Certificate Enrollment Using EST

EST supports automatic enrollment of certificates with the EST Server. The certificates can be enrolled or re-enrolled automatically by configuring an EST profile on the Instant AP.

Certificate Enrollment with EST allows users to use their own PKI instead of the factory or self-signed certificates available on the Instant AP. This gives the user maximum visibility and control over the management of the PKI used, and lets them address any security issues themselves in a scaled environment.

Configuring EST on the Instant AP

You can configure only one EST profile at a time on an Instant AP.

Prerequisites

Before configuring EST, ensure you complete the following prerequisites:

  1. Import the CA or signing authority of the EST server's SSL certificate on the Instant AP. For more information, refer to Authentication Certificates.
  2. Ensure time synchronization between all the devices involved in EST enrollment. For more information on time synchronization, refer to NTP Server.
  3. If the EST profile contains an FQDN as the server host, ensure that the DNS server and domain name are configured on the enrolling devices. For information on configuring a DNS server and a DNS name, refer to Configuring DHCP Scopes.
  4. If the EST server port is different from the default port 443, ensure the corporate firewall allows the configured port.
  5. Ensure that the server-host configured as part of the EST profile matches the Common Name or SubjectAltName field of the EST server's certificate, which is used during the SSL handshake.
  6. When ClearPass Policy Manager is used as the EST server, the default EST services are enabled with the SHA512 RSA signature, which is unsupported on the AP. The RSA settings must be changed to either SHA256 or SHA384 in order to enroll EST on the Instant AP successfully.
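As an added example (not Aruba's own tooling), the following Python script encodes prerequisites 4, 5 and 6 as a pre-flight check to run before activating an EST profile. The certificate fields, hostnames and the `allowed_ports` firewall set are constructed sample values, not parsed from a real certificate.

```python
"""Pre-flight check for an Instant AP EST profile (added example, not Aruba code).
Covers prerequisites 4-6: non-default server-port must be open on the firewall,
server-host must match the EST server cert's CN or a SubjectAltName, and the
SHA512 RSA signature ClearPass enables by default is rejected by the AP."""
from dataclasses import dataclass, field

DEFAULT_EST_PORT = 443
# Signature algorithms the AP accepts for the EST server certificate.
AP_SUPPORTED_SIGNATURES = {"sha256WithRSAEncryption", "sha384WithRSAEncryption"}

@dataclass
class EstServerCert:                      # constructed stand-in for parsed cert fields
    common_name: str
    subject_alt_names: list = field(default_factory=list)
    signature_algorithm: str = "sha256WithRSAEncryption"

def host_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style name match: exact match, or a single leading wildcard
    label (*.corp.example) that covers exactly one label, never the base domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                  # ".corp.example"
    prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(prefix) and "." not in prefix

def check_est_profile(server_host: str, server_port: int, cert: EstServerCert,
                      allowed_ports: set) -> list:
    """Return the list of failed prerequisites; an empty list means ready to enroll."""
    problems = []
    if server_port != DEFAULT_EST_PORT and server_port not in allowed_ports:
        problems.append(f"server-port {server_port} is not 443 and is not opened "
                        "on the corporate firewall (prerequisite 4)")
    if not any(host_matches(n, server_host)
               for n in [cert.common_name, *cert.subject_alt_names]):
        problems.append(f"server-host {server_host!r} matches neither the CN nor a "
                        "SubjectAltName of the EST server certificate (prerequisite 5)")
    if cert.signature_algorithm not in AP_SUPPORTED_SIGNATURES:
        problems.append(f"signature {cert.signature_algorithm} is unsupported on the "
                        "AP; reconfigure the EST service for SHA256 or SHA384 (prerequisite 6)")
    return problems

if __name__ == "__main__":
    # Constructed sample: a ClearPass server certificate still on its SHA512 default.
    cppm = EstServerCert("cppm.corp.example", ["*.corp.example"], "sha512WithRSAEncryption")
    for p in check_est_profile("est.corp.example", 8443, cppm, allowed_ports={443}):
        print("FAIL:", p)
```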

Configuring an EST Profile

The following CLI commands configure a new EST profile:

(Instant AP)(config)# est profile <profile_name>
(Instant AP)(EST Profile "profile_name")# arbitrary-label <label>
(Instant AP)(EST Profile "profile_name")# arbitrary-label-enrollment <enroll label>
(Instant AP)(EST Profile "profile_name")# arbitrary-label-reenrollment <reenroll label>
(Instant AP)(EST Profile "profile_name")# challenge-password <password>
(Instant AP)(EST Profile "profile_name")# organizational-unit-name <unit_name>
(Instant AP)(EST Profile "profile_name")# password <password>
(Instant AP)(EST Profile "profile_name")# server-host <server_hostname>
(Instant AP)(EST Profile "profile_name")# server-port <port>
(Instant AP)(EST Profile "profile_name")# username <username>
(Instant AP)(EST Profile "profile_name")# end
(Instant AP)# commit apply

The following CLI command activates an EST profile on the Instant AP:

(Instant AP)(config)# est-activate <profile_name>

The following CLI command is used to view the EST status on the Instant AP:

(Instant AP)# show est status

Support for Using EST Certificate with RADSEC

Aruba Instant allows EST certificates to be used in RADSEC applications under the following scenarios:

When all the above conditions are met, RADSEC will use the EST-enrolled client certificate and the CA certificate chain downloaded from the EST server.