Configuring EST

To perform client certificate enrollments using the EST protocol, the admin or a privileged user must first set up the EST server agent in the AppViewX portal. Once the EST server agent has been set up through the portal, a URL is generated. Clients then use this URL to send enrollment requests to AppViewX via the EST protocol.

The detailed steps for setting up the EST server agent are listed below:

  1. Go to Menu > KUBE+ > System Administration > Auto Enrollment > EST.
  2. Select Add or Configure Now.
  3. Configure the End Point Details as follows:
    Prerequisites for entering the IP/FQDN field:
    • The "Cloud Connector Name" (in the Add Cloud connector page) must be the same as the FQDN entered here.
    • The cloud connector (CC) must be able to reach the endpoint.
    • If an IP address is entered, ensure that a single cloud connector is used.
    The following table provides the field description for the End Point Details section:
    Table 1. End Point Details - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *Name | Text | A unique name (alphanumeric string) to identify the agent setting. | Acceptable characters: A-Z, a-z, 0-9, '.', '_', '-'. The name must not start with a special character. |
    | *FQDN/IP | Text | Enter the FQDN/IP address of the AppViewX cloud connector. | Invalid FQDN/IP address (example: xxx.xxx.xxx.xxx) |
    | *Port | Text | HTTP gateway port of the AppViewX node. | Port accepts only numerical values between 0 and 65535. |

    NOTE: Fields with * (asterisk) are mandatory.
  4. Configure the Client Authentication details as follows:

    The fields displayed depend on the selected mode: Client Authentication = Only Certificate TLS, or Client Authentication = Certificate TLS with HTTPS as fallback or Both Certificate TLS and HTTPS.

    The following table provides the field description for the Client Authentication section:

    Table 2. Details for Client Authentication - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | Authentication Mode | Dropdown | Select the authentication method to be used during communication with clients. • Only Certificate TLS - only certificate-based TLS authentication is performed. • Certificate TLS with HTTPS fallback - when certificate TLS authentication fails, HTTPS-based authentication is performed as the fallback. • Both Certificate TLS and HTTPS - both certificate TLS and HTTPS authentication are performed, one after the successful completion of the other. | NA |
    | *Issuer Certificate | Dropdown | Select one or more issuer certificates to be checked during client certificate authentication. | NA |
    | *HTTP Authentication Mode | Radio button | Select the HTTP authentication mode, Basic or Digest. • Basic - only the username and password are used for HTTPS-based authentication. • Digest - along with the username and password, nonce and realm values are also supported. | NA |
    | *Fallback Credentials | Radio button | Select Manual or Logged on user credentials. • Manual - the Username and Password fields are displayed for entering the credentials. • Logged on user credentials - the Username and Password fields are not displayed; credentials equivalent to those of the logged-in user are saved. | NA |
    | *Username | Text | Username for HTTP authentication. | NA |
    | *Password | Text | Password for HTTP authentication. | NA |

    NOTE: Fields with * (asterisk) are mandatory.
  5. Configure the CA Accounts details as follows:

    The following table provides the field description for the CA Accounts section:

    Table 3. CA Accounts - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *Certificate Group | Dropdown | Select the group under which the certificate is to be enrolled. | NA |
    | *Certificate Category | Radio button | Select the certificate type (Server/Client) to be enrolled. | NA |
    | *Select CA | Dropdown | Select the required CA from the available options. The certificate will be enrolled under the selected CA. | NA |

    NOTE: Fields with * (asterisk) are mandatory.
    The CAs associated with the Default certificate group are:
    • AppViewX
    • AppViewX PKIaaS
    • Amazon Private CA
    • DigiCert
    • DigiCert MPKI
    • Ejbca
    • Entrust
    • Entrust MPKI
    • GlobalSign Atlas
    • GlobalSign MSSL
    • Google
    • HydrantID
    • Microsoft Enterprise
    • Microsoft Standalone
    • Nexus
    Note: The Vendor Specific Details and Custom Attributes sections are displayed for some of the CAs, as follows:
    • DigiCert
    • EJBCA
    • Entrust
    • Entrust MPKI
    • GlobalSign MSSL
    • MS Enterprise
    • Nexus
    When AppViewX is selected as CA, the following table provides the field description for AppViewX CA:
    Table 4. Details for AppViewX CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Select | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *Server Certificate | Select | Type 3 or more letters of the certificate keywords; a list of server certificates issued from the CA account selected above is then displayed, from which one certificate can be selected for further communications with the SCEP client machine. | NA |
    | *CA Connector Name | Text | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Text | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

    NOTE: Fields with * (asterisk) are mandatory.
    When AppViewX PKIaaS is selected as CA, the following table provides the field description for AppViewX PKIaaS CA:
    Table 5. Details for AppViewX PKIaaS CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *Issuer Location | Dropdown | Select an issuer location associated with the CA account. | NA |
    | *Pool Name | Dropdown | Select a pool name to issue the certificate. | NA |
    | *Issuer Name | Dropdown | Select an issuer name to issue the certificate. | NA |
    | *CA Certificate | Dropdown | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Text | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Text | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |
    When Amazon Private CA is selected as CA, the following table provides the field description for Amazon Private CA:
    Table 6. Details for Amazon Private CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *Region | Dropdown | Select a valid region associated with the CA account. The dropdown is populated with the first available value; select an appropriate value as required. | NA |
    | *Issuer | Dropdown | Select a valid issuer associated with the CA account. The dropdown is populated with the first available value; select an appropriate value as required. | NA |
    | *Signature Algorithm | Dropdown | Select a valid signature algorithm associated with the CA account. The dropdown is populated with the first available value from the group's associated policy; select an appropriate value as required. | NA |
    | *CA Certificate | Text | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Text | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Dropdown | Validity (in years) of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

    NOTE: Fields with * (asterisk) are mandatory.
    When DigiCert is selected as CA, the following table provides the field description for DigiCert CA:
    Table 7. Details for DigiCert CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *Division | Dropdown | Select a division associated with the CA account. The dropdown is populated with the first available value; select an appropriate value as required. | NA |
    | *Certificate Type | Dropdown | Select a valid certificate type associated with the CA account. The dropdown is populated with the first available value; select an appropriate value as required. | NA |
    | *CA Certificate | Text | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Text | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Dropdown | Validity (in days/months/years) of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

    NOTE: Fields with * (asterisk) are mandatory.
    If Select CA = DigiCert, a separate Vendor Specific Details section is displayed after the CA Accounts section, with the two fields described below.
    Table 8. Vendor Specific Details for DigiCert CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *Server Type | Dropdown | Select a server type. The dropdown is populated with the first available value; select an appropriate value as required. | NA |
    | *Payment Method | Dropdown | Select a payment method. The possible options are: 1. Bill To Account Balance - pay with the account balance; returns an error if this option is disabled for the account or if the account has insufficient funds. 2. Bill To Default Credit Card - pay with the account's default credit card; returns an error if no default credit card is configured for the account. | Alphanumeric characters, spaces, and the special characters -_.* are allowed. |

    NOTE: Fields with * (asterisk) are mandatory.

    When DigiCert MPKI is selected as CA, the following table provides the field description for DigiCert MPKI CA:

    Table 9. Details for DigiCert MPKI CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *Profiles | Dropdown | Select a profile from the dropdown options. | NA |
    | *CA Certificate | Text | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Text | Name of the CA connector after the certificate is enrolled. | NA |

    NOTE: Fields with * (asterisk) are mandatory.
    Note: Email address is a mandatory field on the enrollment form for DigiCert MPKI, but when it is passed in the CSR it is not added to the certificate subject DN. Therefore, to successfully renew DigiCert MPKI certificates using EST, Fetch Certificate Parameters in the EST Advanced Settings should be set to Yes.

    The Custom Attributes section is displayed on selecting specific values from the Profiles dropdown:

    Table 10. Custom Attributes for DigiCert MPKI CA - Field and Description Table

    | Field Name | Field Type | Mandatory | Description | Validation |
    |---|---|---|---|---|
    | *common_name | Text | Yes | This field is auto-populated from the CSR. | NA |
    | *dnsName | Text | Yes | Enter a valid DNS name. | NA |

    NOTE: Fields with * (asterisk) are mandatory.
    Note: Depending on the DigiCert MPKI account configuration, the Custom Attributes section may also be displayed on the endpoint configuration page.
    When Ejbca is selected as CA, the following table provides the field description for Ejbca CA:
    Table 11. Details for Ejbca CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *CA Certificate | Dropdown | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Dropdown | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Text | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

    NOTE: Fields with * (asterisk) are mandatory.
    If the selected CA is Ejbca, a separate Vendor Specific Details section is displayed after the CA Accounts section. The following table provides the field description for Vendor Specific Details:
    Table 12. Vendor Specific Details for Ejbca CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *End Entity Profile Name | Dropdown | Select an end entity profile. | NA |
    | End entity user name | Text | Enter the user name for the end entity. | Alphanumeric characters, spaces, and the special characters -_.* are allowed. |
    | *Issuer Common Name | Dropdown | Select the common name of an issuer. | NA |
    | *Certificate Profile Name | Dropdown | Select a certificate profile name. | NA |

    NOTE: Fields with * (asterisk) are mandatory.
    When Entrust is selected as CA, the following table provides the field description for Entrust CA:
    Table 13. Details for Entrust CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *Certificate Type | Dropdown | Select a valid certificate type associated with the CA account. • If the Certificate Category radio button is set to Server, the dropdown is populated with the first available value; select an appropriate value as required. • If the Certificate Category radio button is set to Client, the dropdown is populated with 'None' as the default value. | NA |
    | *CA Certificate | Text | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Text | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Dropdown | Validity (in days/months/years) of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

    If the selected CA is Entrust, a separate section displaying Vendor Specific Details and Custom Attributes is displayed after the CA Accounts section.
    Note: Depending on the Entrust ECS account configuration, the Custom Attributes section may also be displayed.
    Table 14. Vendor Specific Details for Entrust CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | Additional Emails | Text | Enter valid email addresses in this field. | NA |
    | Requester Name | Text | Enter the requester name. | NA |
    | Requester Email | Text | Enter a valid email ID. | NA |
    | Requester Phone | Text | Enter the 10-digit phone number. | NA |
    When Entrust MPKI is selected as CA, the following table provides the field description for Entrust MPKI CA:
    Table 15. Details for Entrust MPKI CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *CA Certificate | Dropdown | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Text | Name of the CA connector after the certificate is enrolled. | NA |

    NOTE: Fields with * (asterisk) are mandatory.

    When GlobalSign Atlas is selected as CA, the following table provides the field description for GlobalSign Atlas CA:
    Table 16. Details for GlobalSign Atlas CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *Select CA | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | API Credential Friendly name | Dropdown | Select a CA Account to communicate with during the certificate enrollment actions. | NA |
    | Certificate Profile | Dropdown | Select the certificate profile from the dropdown. | NA |
    | *CA Certificate | Dropdown | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Select | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Dropdown | Validity (in days/months/years) of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

    NOTE: Fields with * (asterisk) are mandatory.

    A Generic Fields section is also displayed below the CA Accounts section. It contains the CSR parameter fields for the selected profile (API Credential Friendly name). Only the Organization field is mandatory, and it is fetched from the selected profile; the remaining fields are optional.

    When GlobalSign MSSL is selected as CA, the following table provides the field description for GlobalSign MSSL CA:
    Table 17. Details for GlobalSign MSSL CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *Product Type | Dropdown | Select the specific Product Type. The values are fetched from the CA Settings configuration. | NA |
    | *CA Certificate | Select | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Select | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Dropdown | Validity (in days/months/years) of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

    NOTE: Fields with * (asterisk) are mandatory.
    The following field is displayed in the Vendor Specific Details section for the selected CA:
    Table 18. Vendor Specific Details for GlobalSign MSSL CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *Profile name | Dropdown | Select the profile based on the configurations made in the Certificate Authority Setting. | NA |

    The following fields are displayed in the Point of Contact section for the selected CA. The CA mandates the point of contact information for traceability; all auto-enrollment requests via this endpoint are registered with the point of contact information entered here.
    Table 19. POC Details for GlobalSign MSSL CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *First Name | Text | Enter the first name. | NA |
    | *Email Address | Text | Enter a valid email address. | NA |
    | *Phone Number | Text | Enter a valid phone number. | NA |
    When Google is selected as CA, the following table provides the field description for Google CA:
    Table 20. Details for Google CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *Certificate Profile | Dropdown | Select the certificate profile type. | NA |
    | *Issuer Location | Dropdown | Select an issuer location associated with the CA account. | NA |
    | *Pool Name | Dropdown | Select a pool name to issue the certificate. | NA |
    | *Issuer Name | Dropdown | Select an issuer name to issue the certificate. | NA |
    | *CA Certificate | Dropdown | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Text | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Text | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

    NOTE: Fields with * (asterisk) are mandatory.
    When HydrantID is selected as CA, the following table provides the field description for HydrantID CA:
    Table 21. Details for HydrantID CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *HydrantID Policy | Dropdown | Select the policy associated with the CA Account to be used for certificate operations. | NA |
    | *CA Certificate | Dropdown | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Text | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Text | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

    NOTE: Fields with * (asterisk) are mandatory.
    When Microsoft Enterprise is selected as CA, the following table provides the field description for Microsoft Enterprise CA:
    Table 22. Details for Microsoft Enterprise CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *CA Certificate | Dropdown | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Text | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Text | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

    NOTE: Fields with * (asterisk) are mandatory.
    If the selected CA is Microsoft Enterprise, a separate Vendor Specific Details section with a Template Name dropdown is displayed after the CA Accounts section.

    When Microsoft Standalone is selected as CA, the following table provides the field description for Microsoft Standalone CA:
    Table 23. Details for Microsoft Standalone CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *CA Certificate | Dropdown | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Text | Name of the CA connector after the certificate is enrolled. | NA |

    NOTE: Fields with * (asterisk) are mandatory.

    When Nexus is selected as CA, the following table provides the field description for Nexus CA:
    Table 24. Details for Nexus CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *CA Account | Dropdown | Select the CA Account, under the selected CA, to be used for certificate creation operations. | NA |
    | *CA Certificate | Select | Select the issuer certificate that the certificate authority will use to sign the CSR. Certificates available in the root or intermediate certificate inventory are displayed. | NA |
    | *CA Connector Name | Select | Name of the CA connector after the certificate is enrolled. | NA |
    | *Certificate Validity | Select | Validity (in days/months/years) of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

    The following field is displayed in the Vendor Specific Details section for the selected CA:
    Table 25. Vendor Specific Details for Nexus CA - Field and Description Table

    | Field Name | Field Type | Description | Validation |
    |---|---|---|---|
    | *Procedure | Dropdown | Select the procedure based on the configurations made in the Certificate Authority Setting. | NA |
  6. Configure the Advanced Settings details as follows:
    The following table provides the field description for Advanced Settings:
    Table 26. Advanced Settings - Field and Description Table

    | Field Name | Field Type | Description |
    |---|---|---|
    | *Switch to Enroll | Radio button | Select Yes or No. Selecting Yes converts re-enrollment requests into enrollment requests. |
    | *Fetch Certificate Parameters | Radio button | Select Yes or No. Selecting Yes enables the system to automatically fetch certificate parameters from a Suggestive Policy and append them to the client CSRs. |
    | *Include Truststore Certificates | Radio button | Select whether the issuer certificate is to be sent to client machines after enrollment. |
    | *High Speed Transactions | Radio button | Based on this selection, the endpoint is configured with or without High Performance transaction times. Request information pertaining to High Performance can be viewed on the Direct Requests page. |
    | *Return Existing Certificate | Radio button | If this option is enabled (Yes), then for each request AppViewX checks the inventory for an existing valid certificate with the same CSR and public key and returns it if available; otherwise it proceeds with enrollment and returns the new certificate. When set to Yes, the Certificate Threshold field is displayed. If the option is disabled (No), AppViewX follows the default behaviour of enrolling a new certificate for each request. |
    | Certificate Threshold | Text (numeric) | This field is enabled only if Return Existing Certificate = Yes. Enter a number of days. A new certificate request is initiated if the existing certificate is nearing its expiry date, i.e., if its remaining validity is less than the entered value. |
    | *Retry Count | Text | Values accepted between 5 - 99. Based on this value, the EST agent triggers that number of calls to collect the certificate from AppViewX until it is received. |
    | *Retry Frequency | Text | Values accepted between 10 - 99. The value specified in this field determines the duration between the trigger calls made by the EST agent. |

    Note: Fields with * (asterisk) are mandatory.
  7. Click Save.
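The following is an added illustration, not AppViewX code, of the rules the tables above describe: it validates an endpoint configuration against the documented field constraints (name characters, port range, HTTP credentials when a fallback is configured, retry ranges), applies the Return Existing Certificate / Certificate Threshold decision, and polls for a certificate with the Retry Count and Retry Frequency semantics. The `EstEndpoint` fields, their internal values, and the assumption that Retry Frequency is in seconds are the example's own.

```python
"""Illustrative checks for an EST endpoint configuration (not AppViewX code).
The EstEndpoint fields and values are assumptions mirroring the form above;
the accepted ranges are the ones the configuration tables document."""
import re
import time
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional

# Name: A-Z, a-z, 0-9, '.', '_', '-' and must not start with a special character.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
AUTH_MODES = ("only_cert_tls", "cert_tls_https_fallback", "both_cert_tls_and_https")


@dataclass
class EstEndpoint:
    name: str
    port: int
    auth_mode: str
    issuer_certs: List[str] = field(default_factory=list)
    http_auth_mode: str = "digest"           # "basic" or "digest"
    fallback_credentials: str = "logged_on"  # "manual" or "logged_on"
    username: str = ""
    password: str = ""
    return_existing: bool = False
    certificate_threshold_days: Optional[int] = None
    retry_count: int = 5
    retry_frequency: int = 10                # seconds between polls (unit assumed)


def validate(cfg: EstEndpoint) -> List[str]:
    """Return the validation errors for cfg; an empty list means it is acceptable."""
    errors = []
    if not NAME_RE.match(cfg.name):
        errors.append("Name: A-Z a-z 0-9 . _ - only, not starting with a special character")
    if not 0 <= cfg.port <= 65535:
        errors.append("Port: only numerical values between 0 and 65535")
    if cfg.auth_mode not in AUTH_MODES:
        errors.append(f"Authentication Mode: unknown mode {cfg.auth_mode!r}")
    if not cfg.issuer_certs:
        errors.append("Issuer Certificate: at least one issuer certificate is required")
    # HTTP credentials matter only when HTTPS authentication can actually be used.
    if cfg.auth_mode != "only_cert_tls":
        if cfg.http_auth_mode not in ("basic", "digest"):
            errors.append("HTTP Authentication Mode: must be Basic or Digest")
        if cfg.fallback_credentials == "manual" and not (cfg.username and cfg.password):
            errors.append("Username/Password: mandatory when Fallback Credentials = Manual")
    if cfg.return_existing and (cfg.certificate_threshold_days is None
                                or cfg.certificate_threshold_days < 0):
        errors.append("Certificate Threshold: days required when Return Existing Certificate = Yes")
    if not 5 <= cfg.retry_count <= 99:
        errors.append("Retry Count: values accepted between 5 - 99")
    if not 10 <= cfg.retry_frequency <= 99:
        errors.append("Retry Frequency: values accepted between 10 - 99")
    return errors


def reuse_existing_certificate(cfg: EstEndpoint, existing_not_after: datetime,
                               existing_key_fp: str, csr_key_fp: str,
                               now: datetime) -> bool:
    """Return Existing Certificate decision: reuse only when the option is on, the
    inventory certificate carries the CSR's public key (compared by fingerprint),
    and its remaining validity is not below the Certificate Threshold."""
    if not cfg.return_existing or existing_key_fp != csr_key_fp:
        return False
    remaining = existing_not_after - now
    return remaining >= timedelta(days=cfg.certificate_threshold_days or 0)


def collect_certificate(fetch: Callable[[], Optional[str]], cfg: EstEndpoint,
                        sleep: Callable[[float], None] = time.sleep):
    """Poll fetch() up to Retry Count times, waiting Retry Frequency between calls,
    until it returns a certificate. Returns (certificate or None, attempts made)."""
    for attempt in range(1, cfg.retry_count + 1):
        cert = fetch()
        if cert is not None:
            return cert, attempt
        if attempt < cfg.retry_count:
            sleep(cfg.retry_frequency)
    return None, cfg.retry_count
```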