est
est copied to clipboard
Certificates required on reenrollment
During reenrollment it is required that the certificate used to authenticate, must be same as obtained during enrollment. Unfortunately it cannot work in a case when est server is communicating with client which is not using this cert directly.
E.g. when EST server is communicating with a registrar from this RFC: https://datatracker.ietf.org/doc/html/rfc9148#name-https-coaps-registrar In mentioned case Registrar cannot use certificate obtained during enrollment as it is EST client's certificate, and private key of this client is not available on Registrar.
It would be nice to disable such check by introducing some flag to config, so it could be turned off in that case.