scottk/estserver
1
0
Fork 0
mirror of https://github.com/outbackdingo/estserver.git synced 2026-03-21 22:41:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5 from StealthyCoder/docs/update

Browse Source 
docs(README): Updated readme
This commit is contained in:
StealthyCoder
2022-10-15 01:43:23 +02:00
committed by GitHub
parent 17bd45c527 412d1ed08a
commit 6418d604c5
1 changed files with 22 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
README.md
View File

@@ -1,28 +1,33 @@
# EST Server
The project is an open source implementation of the Enrollment over Secure Transport
(EST) protocol as defined in [RFC 7030](https://www.rfc-editor.org/rfc/rfc7030.html).
(EST) protocol as defined in [RFC 7030](https://www.rfc-editor.org/rfc/rfc7030.html)
with added notes from [RFC 8951](https://www.rfc-editor.org/rfc/rfc8951) and
[RFC 8996](https://www.rfc-editor.org/rfc/rfc8996).
The primary use for this server is to allow Linux microPlatform devices to
renew their certificates after they've been deployed to production.
renew their certificates after they've been deployed to production.
## Key Features from RFC 7030
* 4.1 Distribution of CA Certificates `/cacerts`
* 4.2.1 Client certificate enrollement `/simpleenroll`
* 4.2.2 Client certificate renewal `/simplereenroll`
* 4.1 Distribution of CA Certificates `/cacerts`
* 4.2.1 Client certificate enrollement `/simpleenroll`
* 4.2.2 Client certificate renewal `/simplereenroll`
## Deviations from RFC 7030
As this project's primary aim is handling device certificate renewal, optional
features of the RFC have been omitted including:
* 4.3 - CMC
* 4.4 - Server side key generation
* 4.5 - CSR attributes
* 4.3 - CMC
* 4.4 - Server side key generation
* 4.5 - CSR attributes
## Contributing
Pull requests are welcome. Run `make check` to verify changes will pass CI.
## Building
The simple "standalone" server can be built with:
`make bin/estserver`
@@ -33,20 +38,22 @@ TLS certificates for the server can be generate by using the helper script
`contrib/mk-tls-keypair.sh`. Your factory's PKI directory was generated
with a `create_ca` script. Once a CA is created, you can upload/authorize
it with:
```
$ fioctl keys ca show --just-device-cas > /tmp/cas.pem
$ cat <new-ca.pem> >> /tmp/cas.pem
$ fioctl keys ca update /tmp/cas.pem
```bash
fioctl keys ca show --just-device-cas > /tmp/cas.pem
cat <new-ca.pem> >> /tmp/cas.pem
fioctl keys ca update /tmp/cas.pem
```
Then run the server with:
```
```bash
$ ./bin/estserver \
-root-cert <pkidir>/factory_ca.pem \
-tls-cert <pkidir>/local-tls.pem \
-tls-key <pkidir>/local-tls.key \
-ca-cert <pkidir>/local-ca.pem \
-ca-key <pkidir>/local-ca.key \
-ca-key <pkidir>/local-ca.key
```
TODO - point to fioconfig once implementation is merged
TODO - point to fioconfig once implementation is merged