Online Help

Certificate Enrollment

Protocols for the simple enrollment of certificates make certificate enrollment scale to large network environments with a PKI (public key infrastructure). Besides the initial enrollment of certificates, their regular renewal is also supported: the client automatically sends a renewal request to the server once the remaining lifetime of a certificate falls below a configured threshold. This makes it practical to use significantly shorter certificate lifetimes than would be feasible with manual generation and enrollment, which increases security.

All obtained certificates, keys and revocation lists are available for selection in the respective dropdown lists; select the certificate enrollment instance that obtains the required certificate there.

Currently, the EST (Enrollment over Secure Transport) protocol is supported for certificate enrollment.

If a certificate enrollment server is configured and the profile is activated, the sequence is as follows:

  • The client retrieves the CA certificate from the EST server
  • The client generates its own private key
  • The client generates a certificate signing request (CSR)
  • The client sends the CSR in PKCS#10 format to the EST server as an "Enrollment"
  • If the EST server accepts the enrollment, it generates the client certificate and signs it with the CA
  • The client then retrieves the signed certificate
  • The client regularly checks the remaining lifetime of its certificate and, once it has fallen below a certain threshold (parameter Share of lifetime before automatic renewal), sends a new CSR as a "Reenrollment"

If the CA certificate is about to expire, both the CA certificate and the client certificate are replaced as part of a "Rollover".
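The enrollment sequence above, walked through with curl and openssl, is given here as an added example; it is not the router's own code or tooling from the vendor. It assumes an EST server reachable at EST_URL with HTTP basic auth credentials for the initial enrollment, the RFC 7030 well-known paths (/cacerts, /simpleenroll, /simplereenroll), GNU date for parsing certificate validity dates, and it reads the "Share of lifetime before automatic renewal" parameter as "renew once the remaining lifetime is below this percentage of the total lifetime". Server name, credentials and CN are placeholders.

```shell
#!/bin/sh
# Added example (not the router vendor's code): the EST enrollment sequence
# with curl and openssl. EST_URL, EST_USER/EST_PASS and CN are placeholders;
# the renewal-share semantics is our reading of the router parameter.
set -eu

EST_URL="${EST_URL:-https://est.example.invalid}"   # placeholder EST server
EST_USER="${EST_USER:-client01}"                     # placeholder credentials
EST_PASS="${EST_PASS:-changeme}"
CN="${CN:-router01.example.invalid}"                 # placeholder subject

# 1. Fetch the CA certificate(s): /cacerts returns a base64-encoded DER PKCS#7 bag.
est_get_cacerts() {
  curl -fsS "$EST_URL/.well-known/est/cacerts" -o cacerts.b64
  openssl base64 -d -A -in cacerts.b64 \
    | openssl pkcs7 -inform DER -print_certs -out ca.pem
}

# 2. Generate the client's own private key; it never leaves this host.
est_gen_key() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out client.key
  chmod 600 client.key
}

# 3. Build a PKCS#10 CSR, base64 on a single line as the EST body expects.
est_gen_csr() {
  openssl req -new -key client.key -subj "/CN=$CN" -outform DER \
    | openssl base64 -A > client.csr.b64
}

# Decode a simpleenroll/simplereenroll response (base64 PKCS#7) into PEM.
est_save_cert() {
  openssl base64 -d -A -in client.b64 \
    | openssl pkcs7 -inform DER -print_certs -out client.pem
}

# 4. Initial enrollment: basic auth over TLS, server verified against the /cacerts bag.
est_enroll() {
  curl -fsS --cacert ca.pem -u "$EST_USER:$EST_PASS" \
    -H "Content-Type: application/pkcs10" -H "Content-Transfer-Encoding: base64" \
    --data-binary @client.csr.b64 "$EST_URL/.well-known/est/simpleenroll" -o client.b64
  est_save_cert
}

# Reenrollment: a fresh CSR, but authenticated with the existing client certificate.
est_reenroll() {
  est_gen_csr
  curl -fsS --cacert ca.pem --cert client.pem --key client.key \
    -H "Content-Type: application/pkcs10" -H "Content-Transfer-Encoding: base64" \
    --data-binary @client.csr.b64 "$EST_URL/.well-known/est/simplereenroll" -o client.b64
  est_save_cert
}

# Renewal decision as pure arithmetic so it can be checked without a server.
# Args: not_before_epoch not_after_epoch now_epoch share_percent
# Returns 0 (renewal due) when remaining lifetime < share% of total lifetime.
renewal_due() {
  total=$(( $2 - $1 ))
  remaining=$(( $2 - $3 ))
  [ "$total" -gt 0 ] || return 0          # degenerate validity period: renew
  [ $(( remaining * 100 )) -lt $(( total * $4 )) ]
}

# Read the validity period from client.pem (assumes GNU date -d) and apply the check.
est_check_renewal() {
  nb=$(date -d "$(openssl x509 -in client.pem -noout -startdate | cut -d= -f2)" +%s)
  na=$(date -d "$(openssl x509 -in client.pem -noout -enddate | cut -d= -f2)" +%s)
  renewal_due "$nb" "$na" "$(date +%s)" "${RENEW_SHARE:-20}"
}

# Only talk to the server when explicitly asked (EST_RUN=1), so the functions
# above can be sourced and the renewal arithmetic exercised offline.
if [ "${EST_RUN:-0}" = "1" ]; then
  est_get_cacerts; est_gen_key; est_gen_csr; est_enroll
  if est_check_renewal; then est_reenroll; fi
fi
```

Run with `EST_RUN=1 EST_URL=https://your-est-server sh est-client.sh` to perform the full cycle; a cron job calling only `est_check_renewal && est_reenroll` reproduces the router's periodic lifetime check. Note that the reenroll step authenticates with the existing certificate rather than the password, which is why an expired client certificate forces a fresh initial enrollment.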

The client certificate and key, the CA certificate and the CRL are not stored in the router's profile and therefore cannot be duplicated by downloading the binary profile and uploading it to another router.

There is no way (web interface, CLI, ASCII configuration or binary configuration) to download the private key from the router!

The current state of each EST instance is shown in the router's web interface in the Administration menu on the Certificate enrollment page under Status. The following states are possible:

  • Inactive
  • Not in running profile
  • Generating private key
  • Downloading CA certificate
  • Downloading client certificate
  • Client certificate exists
  • Generating CSR
  • Renewal of certificates
  • Downloading instance
  • Error: Configuration invalid
