Jester is an open source Java implementation of Enrollment over Secure Transport (RFC 7030). Jester aims to be 100% compatible with Cisco's libest implementation.
- Java 7/8
You can start the Jester server like so:
mvn clean install cd jester-sample-war mvn jetty:runYou should now have a functioning EST server at: https://localhost:8443/.well-known/est/.
You should be able to retrieve the CA certificates at https://localhost:8443/.well-known/est/cacerts and parse it with OpenSSL, like so:
curl --insecure --silent https://localhost:8443/.well-known/est/cacerts \ | base64 --decode -i \ | openssl pkcs7 -inform DER -print_certs -text -nooutThe above command will typically produce the following output:
Certificate: Data: Version: 1 (0x0) Serial Number: 1395086926 (0x5327564e) Signature Algorithm: sha512WithRSAEncryption Issuer: C=US, CN=Jester Validity Not Before: Mar 17 20:08:46 2014 GMT Not After : Mar 12 20:08:46 2034 GMT Subject: C=US, CN=Jester Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:a3:b3:2c:08:b6:ff:63:1e:07:ea:6b:79:9a:9c: c9:1d:70:85:33:d0:d5:b7:4d:b7:91:dc:58:b8:5c: bb:56:ce:4d:9c:5a:a1:ad:74:14:61:a9:9a:34:0b: cd:bc:37:ed:09:e2:f9:7c:e9:e8:85:ca:f7:35:36: d4:7f:43:5f:ac:3e:a6:0c:52:8e:9c:45:09:6e:36: ab:15:8b:ee:b5:c8:9d:86:bc:d7:1c:09:f2:86:40: 62:f3:49:7b:62:e4:45:de:c1:a6:5c:64:c3:2d:b4: 68:0a:57:fd:75:c1:b6:0c:ac:a1:0a:df:c0:68:0c: 8e:e6:83:a0:a3:c0:53:77:66:24:84:b6:06:80:c7: 6e:80:1f:8f:6e:a9:0c:5f:e2:eb:1a:68:e2:a7:9e: 2d:e3:21:bd:62:4a:2d:12:d7:a8:60:07:be:ba:2d: 94:6d:18:1a:da:ef:22:bd:70:50:11:f9:0b:af:e2: b4:54:6c:d5:48:b5:37:78:2d:37:20:64:bf:9e:31: 04:9d:30:b3:9e:d2:e9:21:07:96:47:e6:52:4d:d2: 44:2c:d1:77:52:54:72:2f:d0:7a:59:e0:17:8e:6b: 67:b3:2d:08:1a:e7:b1:73:33:d0:32:15:63:9f:1c: 83:d4:c9:0e:6b:bf:61:bc:9a:c7:d3:f4:4c:62:28: 41:71 Exponent: 65537 (0x10001) Signature Algorithm: sha512WithRSAEncryption 6c:5e:68:d1:60:77:ba:9d:6d:4b:55:59:0c:bf:20:97:b3:e4: e4:34:21:25:7e:03:1b:6a:e3:4d:8b:3a:07:72:90:da:39:1a: e7:41:ae:ce:96:08:87:27:27:21:e9:dd:7c:c4:1c:ae:2b:b0: ba:ba:b9:4e:20:87:e7:54:7d:cd:de:98:8b:38:3e:26:37:bd: d9:58:00:94:c7:5d:4b:73:97:93:01:c1:27:72:6b:7c:24:82: 58:39:38:c1:6f:aa:2d:1d:b1:f5:09:7f:81:b2:53:81:37:7f: 41:fe:d6:d3:53:ae:3a:01:a1:c8:64:3c:36:78:7a:63:18:33: a7:f5:e0:7b:e3:c4:2a:7a:89:e1:bd:01:49:fc:2a:2b:1f:9d: 87:8d:21:14:5c:1f:45:09:2f:af:ae:c4:02:1b:ed:4d:3e:a3: af:89:ce:ab:ae:e7:26:a2:aa:16:0c:80:f9:1d:9e:0f:cb:15: ae:c2:ea:69:ba:5b:49:d2:f5:f7:36:b4:6f:b1:1d:11:c0:71: ff:bf:ef:7b:a4:a3:6f:d1:24:79:71:3c:47:e4:9f:e5:d3:33: 3c:4a:0b:d9:2e:49:80:76:5d:aa:d8:39:f7:df:bd:71:f2:6f: ad:7c:71:d2:41:48:f2:13:80:69:19:18:85:c6:e1:0f:fe:84: 36:06:a2:cc Send a PKCS #10 certificate signing request to Jester, and read back the resulting PKCS #7 structure.
openssl req -inform PEM -outform DER -in src/main/resources/jester.p10 \ | base64 \ | curl --insecure --silent -d @- https://localhost:8443/.well-known/est/simpleenroll \ | base64 --decode -i \ | openssl pkcs7 -inform DER -print_certs -text -noout- Certificate Management over CMS (CMC)
- Certificate Management over CMS (CMC): Transport Protocols
- Certificate Management Messages over CMS (CMC): Compliance Requirements
- The Transport Layer Security (TLS) Protocol Version 1.1
- Hypertext Transfer Protocol -- HTTP/1.1
- Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
- HTTP Over TLS
- PKCS #10: Certification Request Syntax Version 1.5
- Using the Secure Remote Password (SRP) Protocol for TLS Authentication
- Uniform Resource Identifier (URI): Generic Syntax
- Suite B Profile of Certificate Management over CMS
- HTTP Authentication: Basic and Digest Access Authentication
- The application/pkcs10 Media Type
- §3.3.3 - Certificate-less TLS Mutual Authentication (No RFC 5054 in JSSE)
- §3.5 - Linking Identity and PoP information (No RFC 5929 in JSSE)