EST Service Configuration
Overview
Enrollment over Secure Transport (EST) enables automated certificate enrollment for devices and services using the protocol defined in RFC 7030. An EST configuration in the LAAVAT Platform maps products and their associated Certificate Authorities to the EST service endpoint, allowing clients to request certificates through a standardized, secure interface.
The EST Configuration page in the GUI provides a streamlined workflow for selecting which products and CAs are exposed through the EST service. Changes made here directly affect which certificate enrollment operations are available to EST clients.
When to use EST
EST is the recommended approach for automated device certificate enrollment in production environments. It provides mutual TLS authentication, supports certificate renewal, and integrates with existing PKI infrastructure without requiring custom API integration.
Product Selection
The first step in configuring the EST service is selecting which products should have their Device CAs available through the EST endpoint.
Available Products
Only products that have Device CA operations are displayed in the product selection list. Specifically, a product must have the ISSUE_DEVICE_CERTIFICATE operation configured to appear as an available option. Products without this operation are not relevant to EST and are filtered out automatically.
Transfer List
The product selection uses a transfer list interface with two columns:
| Column | Description |
|---|---|
| Available Products | Products with Device CA operations that have not yet been selected for EST. |
| Selected Products | Products whose Device CAs will be accessible through the EST service endpoint. |
Use the transfer controls to move products between the two columns:
- Select one or more products from the Available list and click the right arrow to add them to the Selected list.
- Select one or more products from the Selected list and click the left arrow to remove them.
Impact of removing a product
Removing a product from the Selected list will make its Device CAs unavailable through the EST endpoint. Any EST clients relying on those CAs for certificate enrollment will no longer be able to obtain certificates until the product is re-added.
Filtering and Search
Both the Available and Selected columns support filtering by product name. Use the search field above each column to quickly locate a specific product in large lists.
CA Selection
After selecting one or more products, the next step is to choose which Certificate Authorities within those products should be accessible via EST for device certificate enrollment.
How CA Selection Works
Each selected product may contain multiple Certificate Authorities. The CA selection step allows you to fine-tune which specific CAs are exposed through the EST service. This provides granular control: you can include a product but only expose a subset of its CAs for EST enrollment.
| Field | Description |
|---|---|
| CA Name | The display name of the Certificate Authority. |
| Product | The product to which the CA belongs. |
| CA Type | The type of CA (e.g., Device CA). |
| Status | Whether the CA is currently enabled or disabled for EST. |
Enabling and Disabling CAs
Toggle individual CAs on or off to control their availability through the EST endpoint. Only enabled CAs will accept enrollment requests from EST clients.
Principle of least privilege
Only enable the CAs that are required for your EST use case. Limiting the number of exposed CAs reduces the attack surface and simplifies certificate management.
Saving the Configuration
After making your product and CA selections, click Save to apply the configuration. The changes take effect immediately and the EST endpoint will reflect the updated set of available CAs.
Validation
You must select at least one product and at least one CA before saving. The save button will remain disabled until a valid configuration is defined.
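The following is an added example, not LAAVAT Platform code, that models the workflow described above end to end: filtering products by the ISSUE_DEVICE_CERTIFICATE operation, moving products between the Available and Selected columns, toggling individual CAs, computing the set of CAs the EST endpoint serves after Save, and the save-time validation rule. The product and CA names are constructed sample values, and the model reads "at least one CA" as at least one enabled CA, which is an assumption.

```python
"""Model of the product and CA selection for the EST service (added example,
not LAAVAT Platform code; product and CA names are constructed)."""
from dataclasses import dataclass, field

# Operation a product must have to appear in the Available Products column.
ISSUE_DEVICE_CERTIFICATE = "ISSUE_DEVICE_CERTIFICATE"


@dataclass
class CA:
    name: str
    ca_type: str = "Device CA"
    est_enabled: bool = False   # the Status toggle on the CA selection step


@dataclass
class Product:
    name: str
    operations: frozenset
    cas: list = field(default_factory=list)


@dataclass
class EstConfig:
    selected: list = field(default_factory=list)   # Selected Products column


def available_products(products, config):
    """Left column: products with Device CA operations not yet selected."""
    return [p for p in products
            if ISSUE_DEVICE_CERTIFICATE in p.operations and p not in config.selected]


def add_product(config, product):
    """Right arrow: only products that offer Device CA operations may move."""
    if ISSUE_DEVICE_CERTIFICATE not in product.operations:
        raise ValueError(f"{product.name} has no {ISSUE_DEVICE_CERTIFICATE} operation")
    if product not in config.selected:
        config.selected.append(product)


def remove_product(config, product):
    """Left arrow: the product's CAs drop out of the EST endpoint at the next Save."""
    config.selected = [p for p in config.selected if p is not product]


def set_ca_enabled(product, ca_name, enabled):
    """Toggle one CA of a product on or off for EST."""
    for ca in product.cas:
        if ca.name == ca_name:
            ca.est_enabled = enabled
            return
    raise KeyError(f"{product.name} has no CA named {ca_name}")


def exposed_cas(config):
    """CAs the EST endpoint serves: enabled CAs of selected products, keyed by
    'product/ca' so the same CA name under two products stays distinct."""
    return {f"{p.name}/{ca.name}": ca
            for p in config.selected for ca in p.cas if ca.est_enabled}


def validate(config):
    """Save-time rule: at least one product and at least one CA. 'At least one CA'
    is modelled as at least one *enabled* CA (assumption), since a disabled CA
    accepts no enrollment requests anyway."""
    errors = []
    if not config.selected:
        errors.append("select at least one product")
    if not exposed_cas(config):
        errors.append("enable at least one CA")
    return errors


def demo():
    """Walk through the workflow with constructed products; returns the exposed
    CA keys after Save and again after removing one product."""
    sensors = Product("sensors", frozenset({ISSUE_DEVICE_CERTIFICATE}),
                      [CA("sensor-device-ca"), CA("sensor-test-ca")])
    gateways = Product("gateways", frozenset({ISSUE_DEVICE_CERTIFICATE}),
                       [CA("gateway-device-ca")])
    billing = Product("billing", frozenset({"ISSUE_TLS_CERTIFICATE"}))  # no Device CA: filtered out
    config = EstConfig()
    names = [p.name for p in available_products([sensors, gateways, billing], config)]
    assert names == ["sensors", "gateways"]
    add_product(config, sensors)
    add_product(config, gateways)
    assert validate(config) == ["enable at least one CA"]   # selected, nothing toggled on yet
    set_ca_enabled(sensors, "sensor-device-ca", True)        # expose only what the use case needs
    set_ca_enabled(gateways, "gateway-device-ca", True)
    assert validate(config) == []
    after_save = sorted(exposed_cas(config))
    remove_product(config, gateways)                          # gateway clients can no longer enroll
    after_removal = sorted(exposed_cas(config))
    return after_save, after_removal


if __name__ == "__main__":
    print(demo())
```

Keeping the exposed set keyed by product and CA mirrors the least-privilege note above: a product can be selected while only one of its CAs is actually reachable through EST, and removing the product drops all of its CAs at once.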
Troubleshooting
| Issue | Possible Cause | Resolution |
|---|---|---|
| No products appear in the Available list | No products have ISSUE_DEVICE_CERTIFICATE operations configured | Add Device CA operations to the relevant products in the Products section |
| No CAs appear after selecting a product | The product's Device CAs have not been provisioned yet | Complete the PKI setup for the product before configuring EST |
| EST clients cannot enroll after saving | The selected CA may be disabled or the client may lack proper authentication | Verify the CA is enabled and that the EST client has valid credentials |
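To make the last two troubleshooting rows concrete, here is an added example, not LAAVAT Platform code, of how an EST endpoint answers client requests against the set of enabled CAs. The URL paths, HTTP methods, base64 transfer encoding and media types are the ones RFC 7030 defines (including the optional CA label path segment); the request and response classes, the `exposed` mapping, the `handle`/`route`/`demo` functions and the certificate bytes are constructed stand-ins. A real response body is a DER-encoded PKCS#7 certs-only structure, and a real server may also accept HTTP-based client authentication; this model accepts only a TLS client certificate and serves /cacerts without client authentication, both simplifications.

```python
"""Model of EST endpoint behaviour against the enabled-CA set (added example,
not LAAVAT Platform code; CA data and certificate bytes are constructed)."""
import base64
from dataclasses import dataclass, field
from typing import Optional

EST_BASE = "/.well-known/est"                              # RFC 7030 section 3.2.2
PKCS7_CERTS_ONLY = "application/pkcs7-mime; smime-type=certs-only"


@dataclass
class EstRequest:
    method: str
    path: str
    client_subject: Optional[str] = None   # subject of the TLS client cert, None if none presented
    content_type: Optional[str] = None
    body: bytes = b""


@dataclass
class EstResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def route(path):
    """Split '/.well-known/est/<op>' or '/.well-known/est/<label>/<op>' into
    (label, op); None for anything outside the EST namespace."""
    if not path.startswith(EST_BASE + "/"):
        return None
    parts = path[len(EST_BASE) + 1:].split("/")
    if len(parts) == 1 and parts[0]:
        return None, parts[0]
    if len(parts) == 2 and all(parts):
        return parts[0], parts[1]
    return None


def certs_only(der_blobs):
    """Certs-only response; RFC 7030 carries the PKCS#7 body base64 encoded."""
    return EstResponse(200,
                       {"Content-Type": PKCS7_CERTS_ONLY,
                        "Content-Transfer-Encoding": "base64"},
                       base64.b64encode(b"".join(der_blobs)))


def handle(req, exposed, default_label=None):
    """exposed maps a CA label to {'enabled': bool, 'chain': [bytes], 'issue': callable}."""
    r = route(req.path)
    if r is None:
        return EstResponse(404)
    label, op = r
    ca = exposed.get(label or default_label)
    if ca is None or not ca["enabled"]:
        return EstResponse(404)              # CA not selected, or toggled off for EST
    if op == "cacerts":
        if req.method != "GET":
            return EstResponse(405)
        return certs_only(ca["chain"])       # no client auth required here (model assumption)
    if op in ("simpleenroll", "simplereenroll"):
        if req.method != "POST":
            return EstResponse(405)
        if req.client_subject is None:
            return EstResponse(401)          # client presented no TLS certificate
        if req.content_type != "application/pkcs10":
            return EstResponse(415)
        csr = base64.b64decode(req.body)     # PKCS#10 body arrives base64 encoded
        return certs_only([ca["issue"](csr)])
    return EstResponse(404)


def demo():
    """Three constructed client requests: a good enrollment, one without client
    credentials, and one against a CA that is disabled for EST."""
    exposed = {
        "sensors": {"enabled": True, "chain": [b"<sensor-device-ca-der>"],
                    "issue": lambda csr: b"<issued-cert-for:" + csr + b">"},
        "legacy": {"enabled": False, "chain": [b"<legacy-ca-der>"],
                   "issue": lambda csr: b""},
    }
    csr_b64 = base64.b64encode(b"<pkcs10-der>")
    ok_enroll = handle(EstRequest("POST", f"{EST_BASE}/sensors/simpleenroll",
                                  "CN=device-0001", "application/pkcs10", csr_b64), exposed)
    no_auth = handle(EstRequest("POST", f"{EST_BASE}/sensors/simpleenroll",
                                None, "application/pkcs10", csr_b64), exposed)
    disabled = handle(EstRequest("GET", f"{EST_BASE}/legacy/cacerts"), exposed)
    return ok_enroll, no_auth, disabled


if __name__ == "__main__":
    for resp in demo():
        print(resp.status, resp.headers)
```

When a client reports that it cannot enroll, the two status codes above separate the causes the table lists: a 404 on the CA path means the CA is not exposed (not selected, or disabled), while a 401 on simpleenroll means the endpoint is reachable but the client did not present acceptable credentials.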