Configuring EST
To perform client certificate enrollments using the EST protocol, an admin or a privileged user first needs to set up the EST server agent in the AppViewX portal. Once the EST server agent is set up through the portal, a URL is generated. Clients can then use this URL to send enrollment requests to AppViewX over the EST protocol.
The detailed steps for setting up the EST server agent are listed below:
- Log in to the AppViewX application with admin or privileged user credentials.
- Click the menu button located in the upper left corner of the screen.
The left navigation pane appears.
- Navigate to CERT+ > ADMINISTRATION > Auto Enrollment > EST.
- Select Add or Configure Now.
- Configure the End Point Details as follows:
Prerequisites for entering the IP/FQDN field:
  - The "Cloud Connector Name" (in the Add Cloud connector page) must be the same as the FQDN name entered.
  - The Cloud Connector (CC) must be able to reach the endpoint.
  - If entering the IP, ensure that a single cloud connector is used.
The following table provides the field description for the Agent Details section:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Name | Text | Yes | Unique name to identify the Agent setting. | No special characters other than ‘.’, ‘-’, ‘_’ are allowed. Name should not start with special characters. |
| FQDN/IP | Text | Yes | Enter the FQDN/IP address of the AppViewX cloud connector. | Invalid FQDN/IP address (example: xxx.xxx.xxx.xxx) |
| Port | Text | Yes | HTTP gateway port of the AppViewX node. | Port will accept only numerical values between 0 to 65535. |
- Configure the Client Authentication details as follows:
  - Only Client Certificate Authentication Mode
  - Client Certificate Authentication with HTTP Fallback Mode
  - Both Client certificate and HTTP Authentication Mode
The following table provides the field description for CA Authentication section:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Authentication Mode | Dropdown | Yes | Select any one authentication method to be carried out during communication with clients. | NA |
| Issuer Certificate | Dropdown | Yes | Select one or more issuer certificates which need to be checked for the client certificate authentication. | NA |
| HTTP Authentication Mode | Radio button | Yes | Select the type of HTTP auth mode, either Basic or Digest. | NA |
| Username | Text | Yes | Username for HTTP authentication. | NA |
| Password | Text | Yes | Password for HTTP authentication. | NA |
- Configure the CA Accounts details as follows:
The following table provides the field description for the CA Accounts section:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Certificate Group | Dropdown | Yes | Select a specific group under which the certificate needs to be enrolled. | NA |
| Certificate Category | Radio button | Yes | Select a specific certificate type (Server/Client) to be enrolled. | NA |
| Select CA | Dropdown | Yes | Select the required CA from the available options. The certificate will be enrolled under the selected CA. The CAs associated with the Default certificate group are: AppViewX, Google, Ejbca, Microsoft Standalone, AppViewX PKIaaS, Microsoft Enterprise, Entrust MPKI, Entrust, DigiCert MPKI, DigiCert, Amazon Private CA, Nexus, GlobalSign MSSL. Note: The Vendor Specific Details and Custom Attributes sections are displayed for some of the CAs. | NA |

The following fields are displayed as per the selected CA:
- When AppViewX is selected as CA, the following table provides the field description for AppViewX CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Select | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Server Certificate | Select | Yes | Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed. Select one certificate for further communications with the SCEP client machine. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |
- When Google is selected as CA, the following table provides the field description for Google CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Issuer Location | Dropdown | Yes | Select an issuer location that is associated with the CA account. | NA |
| Pool Name | Dropdown | Yes | Select a pool name to issue the certificate. | NA |
| Issuer Name | Dropdown | Yes | Select an issuer name to issue the certificate. | NA |
| CA Certificate | Dropdown | Yes | Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed. Select one certificate for further communications with the EST client machine. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |
- When Ejbca is selected as CA, the following table provides the field description for Ejbca CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| CA Certificate | Dropdown | Yes | Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed. Select one certificate for further communications with the EST client machine. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

If the selected CA is Ejbca, a separate section Vendor specific details is displayed after the CA Accounts section.
The following table provides the field description for Vendor specific details:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| End Entity Profile Name | Dropdown | Yes | Select a profile of an end entity. | NA |
| End entity user name | Text | No | Enter the user name for the end entity. | Alphanumeric characters, spaces, and the special characters -_.* are allowed. |
| Issuer Common Name | Dropdown | Yes | Select a common name of an issuer. | NA |
| Certificate Profile Name | Dropdown | Yes | Select a profile name of certificate. | NA |
- When Microsoft Standalone is selected as CA, the following table provides the field description for Microsoft Standalone CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| CA Certificate | Dropdown | Yes | Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed. Select one certificate for further communications with the EST client machine. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |
- When AppViewX PKIaaS is selected as CA, the following table provides the field description for AppViewX PKIaaS CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Issuer Location | Dropdown | Yes | Select an issuer location that is associated with the CA account. | NA |
| Pool Name | Dropdown | Yes | Select a pool name to issue the certificate. | NA |
| Issuer Name | Dropdown | Yes | Select an issuer name to issue the certificate. | NA |
| CA Certificate | Dropdown | Yes | Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed. Select one certificate for further communications with the EST client machine. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |
- When Microsoft Enterprise is selected as CA, the following table provides the field description for Microsoft Enterprise CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| CA Certificate | Dropdown | Yes | Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed. Select one certificate for further communications with the EST client machine. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

If the selected CA is Microsoft Enterprise, a separate section Vendor specific details is displayed after the CA Accounts section.
Select a template from the dropdown list.
- When Entrust MPKI is selected as CA, the following table provides the field description for Entrust MPKI CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| CA Certificate | Dropdown | Yes | Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed. Select one certificate for further communications with the EST client machine. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |
- When Amazon Private CA is selected as CA, the following table provides the field description for Amazon Private CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Region | Dropdown | Yes | Select a valid region associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required. | NA |
| Issuer | Dropdown | Yes | Select a valid issuer associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required. | NA |
| Signature Algorithm | Dropdown | Yes | Select a valid issuer associated with the CA account. The dropdown is populated with the first available value from the group's associated policy. Select an appropriate value as required. | NA |
| CA Certificate | Text | Yes | Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed. Select one certificate for further communications with the EST client machine. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Dropdown | Yes | Validity of the certificate to be enrolled (in years). | Certificate validity accepts only numerical values. |
- When DigiCert CA is selected as CA, the following table provides the field description for DigiCert CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Division | Dropdown | Yes | Select a division associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required. | NA |
| Certificate Type | Dropdown | Yes | Select a valid cert type associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required. | NA |
| CA Certificate | Text | Yes | Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed. Select one certificate for further communications with the EST client machine. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Dropdown | Yes | Validity of the certificate to be enrolled (in days/months/years). | Certificate validity accepts only numerical values. |

  - If Select CA = DigiCert and Certificate type = Server, a separate section Vendor Specific Details is displayed after the CA Accounts section with two fields.
  - If Select CA = DigiCert and Certificate type = Client, a separate section Vendor Specific Details is displayed after the CA Accounts section with one field.

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Server Type | Dropdown | Yes | Select a server type. The dropdown is populated with the first available value. Select an appropriate value as required. | NA |
| Payment Method | Dropdown | Yes | Select a payment method. The possible options are: 1. Bill To Account Balance - Pay with the account balance. Returns an error if this option is disabled for the account or if the account has insufficient funds. 2. Bill To Default Credit Card - Pay with the account's default credit card. Returns an error if no default credit card is configured for the account. | Alphanumeric characters, spaces, and the special characters -_.* are allowed. |
- When Entrust is selected as CA, the following table provides the field description for Entrust CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Certificate Type | Dropdown | Yes | Select a valid cert type associated with the CA account. If the Certificate Category radio button is set to Server, the dropdown is populated with the first available value; select an appropriate value as required. If the Certificate Category radio button is set to Client, the dropdown is populated with ‘None’ as the default value. | NA |
| CA Certificate | Text | Yes | Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed. Select one certificate for further communications with the EST client machine. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Dropdown | Yes | Validity of the certificate to be enrolled (in days/months/years). | Certificate validity accepts only numerical values. |

If the selected CA is Entrust, a separate section displaying Vendor specific details and Custom Attributes is displayed after the CA Accounts section.
Note: Based on the Entrust ECS account configuration, the Custom Attributes section may also be displayed.

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Additional Emails | Text | No | Enter the valid email address in the field. | NA |
| Demo | Text | No | Enter the demo details. | NA |
| Certificate type | Text | No | Enter a valid certificate type. | NA |
| Tracking id | Text | No | Enter the tracking id. | NA |
- When DigiCert MPKI is selected as CA, the following table provides the field description for DigiCert MPKI:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Profiles | Dropdown | Yes | Select a profile from the dropdown option. | NA |
| CA Certificate | Text | Yes | Type 3 or more letters of the certificate keywords and select one issuer certificate from the dropdown. This issuer certificate will be used for signing the CSR by the certificate authority. NOTE: Only the issuer certificates available in the root or intermediate certificates inventory will be shown for selection. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |

Note: Email address is a mandatory field on the enrollment form for DigiCert MPKI, but when it is passed in the CSR, it does not get added to the certificate subject DN. Therefore, to successfully renew DigiCert MPKI certificates using EST, Fetch Certificate Parameters in EST Advanced Settings should be set to YES.
The Custom Attributes section is displayed on selecting the specific values from the Profile dropdown:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| common_name | Text | Yes | This field will be auto-populated from the CSR. | NA |
| dnsName | Text | Yes | Enter a valid DNS name. | NA |

Note: Based on the DigiCert MPKI account configuration, the Custom Attributes section may also be displayed on the endpoint configuration page.
- When Nexus is selected as CA, the following table provides the field description for Nexus CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Select | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| CA Certificate | Select | Yes | Type 3 or more letters of the certificate keywords and select one issuer certificate from the dropdown. This issuer certificate will be used for signing the CSR by the certificate authority. NOTE: Only the issuer certificates available in the root or intermediate certificates inventory will be shown for selection. | NA |
| CA Connector Name | Select | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Select | Yes | Validity of the certificate to be enrolled (in days/months/years). | Certificate validity accepts only numerical values. |

The following field is displayed in the Vendor Specific Details section as per the selected CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Procedure | Dropdown | Yes | Select the Procedure based on the configurations made in the Certificate Authority Setting. | NA |
- When GlobalSignMSSL is selected as CA, the following table provides the field description for GlobalSignMSSL CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Product Type | Dropdown | Yes | Select the specific Product Type. The values are fetched from the CA Settings configuration. | NA |
| CA Certificate | Select | Yes | Type 3 or more letters of the certificate keywords and select one issuer certificate from the dropdown. This issuer certificate will be used for signing the CSR by the certificate authority. NOTE: Only the issuer certificates available in the root or intermediate certificates inventory will be shown for selection. | NA |
| CA Connector Name | Select | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Dropdown | Yes | Validity of the certificate to be enrolled (in days/months/years). | Certificate validity accepts only numerical values. |

The following field is displayed in the Vendor Specific Details section as per the selected CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Profile name | Dropdown | Yes | Select the Profile based on the configurations made in the Certificate Authority Setting. | NA |

The following fields are displayed in the Point of Contact section as per the selected CA. The CA mandates the point of contact information for traceability. All auto-enrollment requests via this endpoint will be registered with the point of contact information entered here.

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| First Name | Text | Yes | Enter the first name. | NA |
| Email Address | Text | Yes | Enter the valid email address. | NA |
| Phone Number | Text | Yes | Enter the valid phone number. | NA |
- Configure the Advanced Settings details as follows:
The following table provides the field description for Advanced Settings:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| *Switch to Enroll | Radio button | Yes | Select Yes or No. Selecting Yes converts re-enrollment requests to enrollment requests. | |
| *Fetch Certificate Parameters | Radio button | Yes | Select Yes or No. Selecting Yes enables the system to automatically fetch certificate parameters from a Suggestive Policy and append them to the client CSRs. | |
| *Include Truststore Certificates | Radio button | Yes | Select whether the issuer certificate needs to be sent to client machines after enrollment. | |
| *Retry Count | Text | Yes | Values accepted between 5 - 99. This value sets the number of calls the EST agent triggers to collect the certificate from AppViewX until it is received. | |
| *Retry Frequency | Text | Yes | Values accepted between 10 - 99. The value specified in this field determines the duration between the trigger calls made by the EST agent. | |
- Click Save.
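Once the endpoint is saved and its URL generated, a client-side enrollment against it can be scripted as follows. This is an added example, not AppViewX code: `EST_URL`, `CA_BUNDLE`, `CLIENT_CERT`, `CLIENT_KEY` and `EST_NETRC` are placeholders, the URL is assumed to be an RFC 7030 base to which `/simpleenroll` is appended, and the meaning given to the three Authentication Modes is inferred from their names.

```sh
#!/bin/sh
# Added example: EST (RFC 7030) simple enrollment from a client machine.
# EST_URL, CA_BUNDLE, CLIENT_CERT, CLIENT_KEY and EST_NETRC are placeholders
# chosen for this example; they are not values defined by AppViewX.
set -u
EST_URL="${EST_URL:-https://est.example.invalid/.well-known/est}"
CA_BUNDLE="${CA_BUNDLE:-est-server-chain.pem}"  # trust anchor for the EST server's TLS certificate

# Create a private key (owner-readable only) and a PKCS#10 CSR, then print the
# CSR as base64-encoded DER, the body format EST uses for /simpleenroll.
make_csr_b64() {  # usage: make_csr_b64 <common-name> <key-file>
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -subj "/CN=$1" \
      -outform DER -out "$2.csr" 2>/dev/null ) || return 1
  openssl base64 -in "$2.csr"
}

# Print the curl options, one per line, for the endpoint's Authentication Mode.
# Assumed meaning: cert = certificate only; fallback = certificate if the client
# has one, otherwise HTTP auth; both = certificate and HTTP auth together.
auth_args() {  # usage: auth_args <cert|fallback|both> <basic|digest>
  have_cert=no; want_cert=no; want_http=no
  if [ -n "${CLIENT_CERT:-}" ] && [ -n "${CLIENT_KEY:-}" ]; then have_cert=yes; fi
  case "$1" in
    cert)     want_cert=yes ;;
    both)     want_cert=yes; want_http=yes ;;
    fallback) if [ "$have_cert" = yes ]; then want_cert=yes; else want_http=yes; fi ;;
    *) echo "unknown authentication mode: $1" >&2; return 2 ;;
  esac
  if [ "$want_cert" = yes ]; then
    [ "$have_cert" = yes ] || { echo "CLIENT_CERT and CLIENT_KEY required" >&2; return 1; }
    printf '%s\n' --cert "$CLIENT_CERT" --key "$CLIENT_KEY"
  fi
  if [ "$want_http" = yes ]; then
    case "$2" in basic|digest) ;; *) echo "HTTP auth must be basic or digest" >&2; return 2 ;; esac
    # Credentials come from a netrc file so the password never appears in argv.
    [ -n "${EST_NETRC:-}" ] || { echo "EST_NETRC required" >&2; return 1; }
    printf '%s\n' "--$2" --netrc-file "$EST_NETRC"
  fi
}

# Enroll: POST the CSR, then unpack the certs-only PKCS#7 reply into PEM.
est_enroll() {  # usage: est_enroll <common-name> <mode> <basic|digest> <cert-out.pem>
  cn=$1; out=$4
  opts=$(auth_args "$2" "$3") || return 1
  csr=$(make_csr_b64 "$cn" "$cn.key") || return 1
  set --
  while IFS= read -r o; do set -- "$@" "$o"; done <<EOF
$opts
EOF
  printf '%s\n' "$csr" |
    curl --fail --silent --show-error --cacert "$CA_BUNDLE" "$@" \
      -H 'Content-Type: application/pkcs10' --data-binary @- \
      "$EST_URL/simpleenroll" |
    tr -d '\r\n' | openssl base64 -d -A |
    openssl pkcs7 -inform DER -print_certs -out "$out"
}

if [ "${1:-}" = enroll ]; then est_enroll "$2" "$3" "$4" "$5"; fi
```

Pinning `--cacert` to the EST server's own chain, rather than the system trust store, keeps the CSR and any HTTP credentials from being sent to an endpoint the client has not been told to trust.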