The SDKPac EST SDK provides portable EST Client operation implementing RFC7030 secure network protocol.
The Public Key Infrastructure (PKI) system for X.509 certificates is a cornerstone of digital identity, chain of trust, root of trust, mutual authentication, and zero trust architectures, all crucial elements of internet security now and into the future.
The RFC7030 EST protocol was defined by key industry leaders and led by Cisco Systems, obsoleting security weaknesses and limitations of legacy protocols, to modernize certificate management message exchange, achieve scalable interoperability, and lower infrastructure operation costs. It is widely deployed and interoperable with SaaS certificate and key management services to provide device identity, trust, and device lifecycle management of certificates at scale.
Working with industry leading partners including Keyfactor EJBCA, the SDKPac EST client integrated solution provides scalable credentials to provision and authenticated IoT devices.
The Cypherbridge SDKPac product family implements X.509 PKIX based operations across all related protocols including TLS, VPN, EAP-TLS, and uLoadXL secure boot code sign and verify. The SDKPac Credentials Manager provides the in-device trust store to manage built-in and dynamically provisioned credentials for CA, server and device certificates and private key pairs. Using the EST client, production systems can deploy managed credential services that integrate with the device level SDKPac at lifecycle stages that start with pilot and production, manufacturing line provisioning, device on-boarding, and long term credential management.
Features
- TLS-based mutual authentication between digital client, EST server and TA
- Authentication of EST TA identity using embedded root certificates and stapling
- Out-of-box IoT device on-boarding and enrollment using a device activation certificate
- RFC 2986 PKCS #10 CSR, including device identity attribute extension
- RFC 2315 PKCS #7 Cryptographic Message Syntax
- TA server device identity verification and authorization
- TA server CSR signing and X.509 certificate issuance returned to the device