EST is a protocol for requesting X.509 certificates over HTTPS, the EST Client is the device requesting the certificate and the EST server listens for certificate requests at a well known path.
EST RFC: https://tools.ietf.org/html/rfc7030
An example EST server can be found here: http://testrfc7030.com/
- estClient - EST Client Python library for requesting certificates using the EST endpoint
- This a modified version of this library, with support for ECDSA key profiles added
- nmosEstClient - NMOS EST Client Python library, that abstracts the required NMOS specific functionality of EST defined in https://github.com/AMWA-TV/nmos-api-security
- nmos-est-workflow.py - Example of NMOS workflow, for getting Root CA, TLS Server Certificate and Renewing the Certificate
- Clone python EST client library
git clone [email protected]:bbc/rd-apmm-nmos-est.git --recursive
- Enable python virtual env
python3 -m venv env
source env/bin/activate
- Install dependencies
pip3 install -r requirements.txt
Run script
python3 nmos-est-workflow.py --ip localhost --port 8443
Deactivate virtual env
deactivate
In order to check the compliance of a EST Servers configuration an automated test script has been written.
The EST Server is test under normal operation for:
- The EST server correctly returns the latest Root CA
- The EST server correctly issues an RSA TLS server certificate
- Using the Manufacturer issued client certificate for authentication and authorisation
- The EST server correctly issues an RSA TLS server certificate
- Using the previously issued client certificate for authentication and authorisation
- The EST server correctly issues an ECDSA TLS server certificate
- Using the Manufacturer issued client certificate for authentication and authorisation
- The EST server correctly issues an ECDSA TLS server certificate
- Using the previously issued client certificate for authentication and authorisation
The EST Server is tested under incorrect operation for:
- The EST server does not issue an TLS certificate
- When the EST client presents a rogue manufacturer's signed client certificate
- The EST server does not issue a TLS certificate if a non permitted cipher suite is requested
In order to test the EST Server, configuration of both the EST Server and NMOS EST Client is required.
In the certs/
folder the following certificates need to be added:
cacert.pem
- The Root CA and chain of trust expected to be returned by the/cacerts
endpointvalid-manufacturer-cert.pem
- A manufacturer issued certificate that is trusted by the EST Servervalid-manufacturer-cert.key
- A manufacturer issued key for the certificate that is trusted by the EST Serverinvalid-manufacturer-cert.pem
- A manufacturer issued certificate that is NOT trusted by the EST Serverinvalid-manufacturer-cert.key
- A manufacturer issued key for the certificate that is NOT trusted by the EST Server
python3 testEstServer.py --ip localhost --port 8443
git submodule update --remote
See CHANGELOG.md
See CONTRIBUTING.md
See LICENSE.md