I’m having a look at Enrollment over Secure Transport (EST) as a way to get certificates for devices that do not support ACME, or at least not yet. The use case would be to get, or at least renew, a certificate for a device from a management system. As far as I understand, this would be possible with EST. Well, probably not getting a certificate but renewing one.
While I’m trying to understand the protocol, I’d like to ask around here in parallel if anyone is using EST with Ansible yet. I think you can do it somehow, more or less using the uri module only. But maybe there’s a better way, like a role or even a module implementing this. I only found this, which is 5 years old, so I’m not sure if it’s really up to date or even still working.
Would be great to get some help there, or even some helpful information or suggestions.
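As an added example (not code from the original post, and not from any EST role or module): the renewal flow the question describes, done with community.crypto for the CSR and ansible.builtin.uri for the HTTP exchange. The endpoint paths (`/.well-known/est/cacerts`, `/.well-known/est/simplereenroll`), the `application/pkcs10` request and `application/pkcs7-mime` response types come from RFC 7030; the server name, file paths and subject are assumptions. Re-enrollment authenticates with the still-valid current certificate as the TLS client certificate, which is why this covers renewal rather than first issuance.

```yaml
# Added example: renew a device certificate over EST (RFC 7030 simplereenroll)
# using only ansible.builtin.uri and community.crypto. All hostnames, paths and
# the subject below are assumed values for illustration.
- name: Renew a device certificate via EST
  hosts: localhost
  gather_facts: false
  vars:
    est_server: "https://est.example.internal"        # assumed EST server
    est_ca_bundle: "/etc/pki/est/server-ca.pem"       # CA for the EST server's TLS cert (assumed)
    dev_key: "/etc/pki/device/bmc.key"                # existing device key (assumed)
    dev_cert: "/etc/pki/device/bmc.crt"               # current cert, used for TLS client auth
    dev_csr: "/etc/pki/device/bmc.csr"
    dev_cn: "bmc01.example.internal"                  # assumed subject
  tasks:
    - name: Fetch the current CA certificates (base64 PKCS#7) from the EST server
      ansible.builtin.uri:
        url: "{{ est_server }}/.well-known/est/cacerts"
        method: GET
        validate_certs: true
        ca_path: "{{ est_ca_bundle }}"
        return_content: true
      register: est_cacerts

    - name: Build a PKCS#10 CSR for the existing device key
      community.crypto.openssl_csr:
        path: "{{ dev_csr }}"
        privatekey_path: "{{ dev_key }}"
        common_name: "{{ dev_cn }}"
        subject_alt_name: "DNS:{{ dev_cn }}"

    - name: Read the CSR so its PEM armour can be stripped (EST wants base64 DER)
      ansible.builtin.slurp:
        src: "{{ dev_csr }}"
      register: csr_raw

    - name: POST the CSR to simplereenroll, authenticating with the current certificate
      ansible.builtin.uri:
        url: "{{ est_server }}/.well-known/est/simplereenroll"
        method: POST
        headers:
          Content-Type: application/pkcs10
          Content-Transfer-Encoding: base64
          Accept: application/pkcs7-mime
        # PEM body minus the BEGIN/END lines and line breaks is exactly base64 DER
        body: >-
          {{ csr_raw.content | b64decode
             | regex_replace('-----[A-Z ]+-----', '')
             | regex_replace('\\s', '') }}
        body_format: raw
        client_cert: "{{ dev_cert }}"
        client_key: "{{ dev_key }}"
        validate_certs: true
        ca_path: "{{ est_ca_bundle }}"
        status_code: [200]          # 202 would mean "come back later"; not handled here
        return_content: true
      register: est_enroll

    - name: Unpack the PKCS#7 certs-only response into PEM with openssl on the controller
      ansible.builtin.shell: >
        printf '%s' '{{ est_enroll.content | regex_replace('\\s', '') }}'
        | openssl base64 -d -A
        | openssl pkcs7 -inform DER -print_certs -out {{ dev_cert }}.new
      changed_when: true
```

The new certificate lands in `bmc.crt.new`; swapping it in (and pushing it to the BMC) is device-specific and left out. The `cacerts` response is fetched so the server-side trust anchors can be compared against the bundle the device already trusts before the new chain is installed.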
I’m not sure if this will also solve your use case, but getting certificates is basically easy using community.crypto.openssl_csr and community.crypto.acme_certificate (regardless of whether the device supports ACME or not).
We use them to create new Let’s Encrypt wildcard certificates weekly.
To get it done unattended, it’s also necessary to set the challenge as a TXT record in your DNS (with community.dns, community.aws … or wherever your domain is hosted).
Maybe I should give some additional information here.
We’re having a lot of physical servers, and we want to get certificates for the hardware (BMC). That’s supported using ACME, but only the simple and plain HTTP challenge. Our internal PKI requires External Account Binding (EAB) for whatever reasons. Our servers don’t implement this. And as far as I understand, EAB requires POSTing some additional data. So you can’t encode this in the URL.
So I thought EST might be a solution.
I’ll have to ask around if our internal PKI also allows DNS challenge. If yes, and community.crypto.acme_certificate implements EAB, and we get permissions to create DNS entries this might also be a way.
There are a lot of “ands”, but thanks for giving me ideas @markuman!
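An added example that serves both the unattended dns-01 flow @markuman describes and the EAB requirement from the follow-up (it is not code from either poster): community.crypto.acme_certificate takes an `external_account_binding` option with `kid`, `alg` and `key`, so the extra EAB data is sent with the account registration rather than in a URL. The two-call pattern (first call returns the challenge data, the TXT record is published, second call passes that data back with `data:`) is the module's documented flow. The directory URL, EAB values, zone and paths are assumptions, and community.aws.route53 stands in for whatever DNS provider the zone actually lives in.

```yaml
# Added example: unattended ACME issuance with a dns-01 challenge and
# External Account Binding via community.crypto.acme_certificate.
# Directory URL, EAB values, zone and paths are assumed placeholders.
- name: Issue a certificate from an internal ACME CA that requires EAB
  hosts: localhost
  gather_facts: false
  vars:
    acme_directory: "https://pki.example.internal/acme/directory"   # assumed
    acme_account_key: "/etc/pki/acme/account.key"
    eab_kid: "EAB_KID_PLACEHOLDER"            # key identifier issued by the PKI team
    eab_hmac_key: "EAB_HMAC_KEY_PLACEHOLDER"  # base64url HMAC key issued with the kid
    cert_cn: "bmc01.example.internal"         # assumed subject
    dns_zone: "example.internal"
    key_path: "/etc/pki/device/bmc.key"
    csr_path: "/etc/pki/device/bmc.csr"
    crt_path: "/etc/pki/device/bmc.crt"
  tasks:
    - name: ACME account key (separate from the device key)
      community.crypto.openssl_privatekey:
        path: "{{ acme_account_key }}"
        type: ECC
        curve: secp256r1

    - name: Device key
      community.crypto.openssl_privatekey:
        path: "{{ key_path }}"

    - name: Device CSR
      community.crypto.openssl_csr:
        path: "{{ csr_path }}"
        privatekey_path: "{{ key_path }}"
        common_name: "{{ cert_cn }}"
        subject_alt_name: "DNS:{{ cert_cn }}"

    - name: Create the order; EAB is sent with the account registration
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        account_key_src: "{{ acme_account_key }}"
        terms_agreed: true
        external_account_binding:
          kid: "{{ eab_kid }}"
          alg: HS256
          key: "{{ eab_hmac_key }}"
        csr: "{{ csr_path }}"
        dest: "{{ crt_path }}"
        challenge: dns-01
        remaining_days: 30          # nothing to do if the current cert is still good
      register: acme_order

    - name: Publish one TXT record per pending dns-01 challenge
      community.aws.route53:
        state: present
        zone: "{{ dns_zone }}"
        record: "{{ item.value['dns-01'].record }}"
        type: TXT
        ttl: 60
        value: "\"{{ item.value['dns-01'].resource_value }}\""
        overwrite: true
        wait: true
      loop: "{{ acme_order.challenge_data | dict2items }}"
      when: acme_order is changed

    - name: Ask the CA to validate and write the certificate
      community.crypto.acme_certificate:
        acme_directory: "{{ acme_directory }}"
        acme_version: 2
        account_key_src: "{{ acme_account_key }}"
        terms_agreed: true
        external_account_binding:
          kid: "{{ eab_kid }}"
          alg: HS256
          key: "{{ eab_hmac_key }}"
        csr: "{{ csr_path }}"
        dest: "{{ crt_path }}"
        fullchain_dest: "{{ crt_path }}.fullchain"
        challenge: dns-01
        remaining_days: 30
        data: "{{ acme_order }}"
      when: acme_order is changed
```

The TXT records are left in place here; a cleanup task with `state: absent` over the same loop belongs after the second call. The internal CA's TLS certificate must be trusted by the controller's system store, since `validate_certs` defaults to true.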