Skip to content

Est subsystem deplyment change #5169

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Est subsystem deplyment change #5169

wants to merge 2 commits into from

Conversation

fmarco76
Copy link
Member

Following the other change to EST subsystem the deployment has been modified to work like other subsystem, in particular TPS.

The certificates for EST are obtained from the CA after security domain registration. The EST communicate with the CA using the subsystem certificate and it is associated to the "Certificate Manger Agents" role.

The CA administrator has the role for "Enterprise EST Administrators".

The est profile is associated to the new role and it is enabled but not visible by default.

Standalone 2-steps installation is supported as well as the previous installation with certificates provided in a p12.

Test have been updated for the new approach.

@fmarco76
Modify EST deployment to match other subsystems
d6655d6 
EST subsystem has been modified to use the security domain during the
deployment and this is the default behaviour.

Installing with SD the EST subsystem will use the subsystem certificate
to communicate with the CA. An additional subsystem user is created when
deployed in a separate instance.

Alternatively, standalone 2 step installation is provided and in this
case the sslserver and subsystem certificate have to be generated during
installation.

EST cannot create its own SD since the related APIs are not present.
@fmarco76
Update EST tests to use the new deployment approach
7675900
@fmarco76 fmarco76 requested review from edewata and ladycfu August 18, 2025 17:28
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@edewata
Copy link
Contributor

edewata commented Aug 18, 2025
edited
Loading

@fmarco76 @ladycfu How should we handle the database & config changes in an existing CA/EST instance (e.g. PKI 11.6) that gets upgraded?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edewata edewata Awaiting requested review from edewata

@ladycfu ladycfu Awaiting requested review from ladycfu

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fmarco76 @edewata