EST
This section refers to the EST protocol, as described by RFC 7030.
Prerequisites
How to configure EST Profile
1. Log in to Horizon Administration Interface.
2. Access EST Profile from the drawer or card: Protocol > EST.
3. Click on .
4. Fill in the mandatory fields.
General
- Name* (string input): Enter a meaningful profile name. It must be unique for each profile. Horizon uses the name to identify the profile.
- Enabled (boolean): Tells whether the profile is enabled or not. The default value is set to true.
- PKI (select): Select a PKI Connector previously created.
- Max certificates per holder (int): When specified, defines the maximum number of active certificates for a given Holder.
Crypto Policy
- Decentralized enrollment (boolean): Tells whether the profile should be used with a decentralized enrollment mode, i.e. CSR (PKCS#10) signing by the PKI. The default value is set to true.
- Centralized enrollment (boolean): Tells whether the profile should be used with a centralized enrollment mode, i.e. providing a PKCS#12. The default value is set to false.
- Private key escrowing (boolean): Tells whether the private key should be escrowed by Horizon (only for centralized enrollment). The default value is set to false.
- Key type (select): Select the type of key to generate when using centralized enrollment mode.
- Password policy for PKCS#12 password* (select): Select a password policy previously created.
- Store encryption type (select): Select the encryption type from the list. The default value is set to DES_AVERAGE.
- Show PKCS#12 Password On Recover (boolean): Tells whether the PKCS#12 password should be displayed on recover. Enabled when Private key escrowing is set to on. The default value is set to false.
- Show PKCS#12 On Recover (boolean): Tells whether the PKCS#12 should be displayed on recover. Enabled when Private key escrowing is set to on. The default value is set to false.
Authorization and validation
- Authorization mode (select): Select from the list.
  - Authorized:
    - Enabled whitelist (boolean): Tells whether whitelist is enabled or not. The default value is set to false.
    - CA* (select): Select a Certificate Authority previously created.
  - X509:
    - Enrollment CAs (select): Available only if the mode is X509. Select a Certificate Authority previously created.
    - Enabled whitelist (boolean): Tells whether whitelist is enabled or not. The default value is set to false.
    - CA* (select): Select a Certificate Authority previously created.
  - Challenge:
    - Password policy (select): Select a password policy previously created. It is used for the challenge generation.
    - Enabled whitelist (boolean): Tells whether whitelist is enabled or not. The default value is set to false.
    - CA* (select): Select a Certificate Authority previously created.
Renewal management
- Renewal period (finite duration): Must be a valid finite duration.
- Renewal CAs (select): Select a Certificate Authority previously created.
- Revoke on renew (boolean): The previous certificate will be revoked on renew if true. The default value is set to false.
- Revocation reason (select): Select the reason from the list. Available only if "revoke on renew" value is set to true.
Self Permissions
- Revoke (boolean): Tells whether self revoke permission is granted or not. The default value is set to false.
- Request Revoke (boolean): Tells whether self request revoke permission is granted or not. The default value is set to false.
- Update (boolean): Tells whether self update permission is granted or not. The default value is set to false.
- Request Update (boolean): Tells whether self request update permission is granted or not. The default value is set to false.
- Recover (boolean): Tells whether self recover permission is granted or not. The default value is set to false.
- Request recover (boolean): Tells whether self request recover permission is granted or not. The default value is set to false.
You can further configure the profile using the Common configuration profile and Notification tabs.
5. Click on the save button.
You can edit, duplicate or delete the EST Profile.
You won’t be able to delete an EST Profile if it is referenced somewhere else.