{"id":36454532,"url":"https://github.com/globalsign/est","last_synced_at":"2026-01-11T23:01:38.730Z","repository":{"id":44695664,"uuid":"267637268","full_name":"globalsign/est","owner":"globalsign","description":"An implementation of the Enrollment over Secure Transport (EST) certificate enrollment protocol","archived":false,"fork":false,"pushed_at":"2025-11-19T15:01:30.000Z","size":235,"stargazers_count":60,"open_issues_count":2,"forks_count":28,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-11-19T16:04:48.951Z","etag":null,"topics":["est","hsm","pki","rfc7030","tpm","tpm-authentication","tpm2"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/globalsign.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-05-28T16:16:03.000Z","updated_at":"2025-11-19T14:48:54.000Z","dependencies_parsed_at":"2024-04-09T16:38:19.840Z","dependency_job_id":"9682720f-5852-44d5-acaa-f503711bb2a9","html_url":"https://github.com/globalsign/est","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/globalsign/est","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/globalsign%2Fest","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/globalsign%2Fest/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/globalsign%2Fest/releases","manif
ests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/globalsign%2Fest/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/globalsign","download_url":"https://codeload.github.com/globalsign/est/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/globalsign%2Fest/sbom","scorecard":{"id":430001,"data":{"date":"2025-08-11","repo":{"name":"github.com/globalsign/est","commit":"a0d54bbd928ca8f8aa102c0c7672bcff25c4d1ca"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.8,"checks":[{"name":"Code-Review","score":7,"reason":"Found 7/9 approved changesets -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":4,"reason":"5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4","details":null,"documentation":{"short":"Determines if the project is \"actively 
maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/go.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/globalsign/est/go.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/globalsign/est/go.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/globalsign/est/go.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/globalsign/est/go.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:75: update your workflow using 
https://app.stepsecurity.io/secureworkflow/globalsign/est/go.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/globalsign/est/go.yml/master?enable=pin","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-3770","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":1,"reason":"SAST tool is not run on all commits -- score normalized to 1","details":["Warn: 4 commits out of 28 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-19T03:06:49.233Z","repository_id":44695664,"created_at":"2025-08-19T03:06:49.233Z","updated_at":"2025-08-19T03:06:49.233Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28326166,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-11T22:11:01.104Z","status":"ssl_error","status_checked_at":"2026-01-11T22:10:58.990Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["est","hsm","pki","rfc7030","tpm","tpm-authentication","tpm2"],"created_at":"2026-01-11T23:01:38.636Z","updated_at":"2026-01-11T23:01:38.717Z","avatar_url":"https://github.com/globalsign.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# est\n\n[![GoDoc](https://godoc.org/github.com/globalsign/est?status.svg)](https://godoc.org/github.com/globalsign/est)\n[![Build Status](https://github.com/globalsign/est/actions/workflows/go.yml/badge.svg)](https://github.com/globalsign/est/actions/workflows/go.yml)\n[![Go Report Card](https://goreportcard.com/badge/github.com/globalsign/est)](https://goreportcard.com/report/github.com/globalsign/est)\n\nAn implementation of the Enrollment over Secure Transport (EST) certificate\nenrollment protocol as 
defined by [RFC7030](https://tools.ietf.org/html/rfc7030).\n\nThe implementation provides:\n\n * An EST client library;\n * An EST client command line utility using the client library; and\n * An EST server which can be used for testing and development purposes.\n\nThe implementation is intended to be mostly feature-complete, including\nsupport for:\n\n * The optional `/csrattrs` and `/serverkeygen` operations, with support for\n   server-generated private keys returned with or without additional\n   encryption\n * The optional additional path segment\n * Optional HTTP-based client authentication on top of certificate-based\n   TLS authentication\n\nIn addition, a non-standard operation is implemented enabling EST-like\nenrollment using the privacy preserving protocol for distributing credentials\nfor keys on a Trusted Platform Module (TPM) 2.0 device, as described in Part 1,\nsection 24 of the Trusted Platform Module 2.0 Library specification.\n\n## Installation\n\n    go install github.com/globalsign/est/cmd/estserver@latest\n    go install github.com/globalsign/est/cmd/estclient@latest\n\n## Quickstart\n\n### Starting the server\n\nWhen started with no configuration file, the EST server listens on\nlocalhost:8443 and generates a random, transient Certificate Authority (CA)\nwhich can be used for testing:\n\n    user@host:$ estserver \u0026\n    [1] 62405\n\nRefer to the documentation for more details on using a configuration file.\n\n### Getting the CA certificates\n\nBecause we're using a random, transient CA, we must retrieve the CA certificates\nin insecure mode to establish an explicit trust anchor for subsequent EST\noperations. Since we only need the root CA certificate to establish a trust\nanchor, we use the `-rootout` flag:\n\n    user@host:$ estclient cacerts -server localhost:8443 -insecure -rootout -out anchor.pem\n\nWe will also obtain and store the full CA certificates chain, since we'll use\nit shortly to demonstrate reenrollment. 
Since we now have an explicit trust\nanchor, we can use it instead of the `-insecure` option. Since we're storing\nthe full chain, we don't use the `-rootout` option here:\n\n    user@host:$ estclient cacerts -server localhost:8443 -explicit anchor.pem -out cacerts.pem\n\n### Enrolling with an existing private key\n\nFirst we generate a new private key, here using openssl:\n\n    user@host:$ openssl genrsa 4096 \u003e key.pem\n    Generating RSA private key, 4096 bit long modulus\n    .................+++\n    .............+++\n    e is 65537 (0x10001)\n\nThen we generate a PKCS#10 certificate signing request, and enroll using the\nexplicit trust anchor we previously obtained:\n\n    user@host:$ estclient csr -key key.pem -cn 'John Doe' -emails 'john@doe.com' -out csr.pem\n    user@host:$ estclient enroll -server localhost:8443 -explicit anchor.pem -csr csr.pem -out cert.pem\n\nUsing a configuration file, we can enroll with a private key resident on a\nhardware module, such as a hardware security module (HSM) or a Trusted Platform\nModule 2.0 (TPM) device. Refer to the documentation for more details.\n\n### Enforcing proof of possession\n\nTo enforce proof of possession (PoP) as defined in [RFC 7030 section 3.5](https://www.rfc-editor.org/rfc/rfc7030#section-3.5), we have to pass the signing key to the EST client so it can include the challenge password in the CSR and then sign it once again.
\n\n    user@host:$ estclient enroll -server localhost:8443 -explicit anchor.pem -csr csr.pem -signingkey key.pem -out cert.pem\n\nReminder:\n\n* the `tls-unique` value mentioned in RFC 7030 is specific to TLS v1.2\n* the options `-key` and `-signingkey` are not necessarily the same\n  * `-key` is used for mTLS purposes, such as during an initial enroll\n  * `-signingkey` is the key that signs the CSR and is therefore the one to be enrolled\n\n### Enrolling with a server-generated private key\n\nIf we're unable or unwilling to create our own private key, the EST server can\ngenerate one for us, and return it along with our certificate:\n\n    user@host:$ estclient serverkeygen -server localhost:8443 -explicit anchor.pem -cn 'Jane Doe' -out cert.pem -keyout key.pem\n\nNote that we can omit the `-csr` option when enrolling and the EST client can\ndynamically generate a CSR for us using fields passed at the command line and\nthe private key we specified, or an automatically-generated ephemeral private\nkey if we are requesting server-side private key generation.\n\n### Reenrolling\n\nWhichever way we generated our private key, we can now use it to reenroll.\n\nTo reenroll a previously obtained certificate, we must use it to authenticate\nourselves during the TLS handshake with the EST server. Since our random,\ntransient CA uses an intermediate CA certificate, we must provide a chain of\ncertificates to the EST client, or the TLS handshake may fail.\n\nAlthough providing the root CA certificate is optional for a TLS handshake,\nthe simplest option is to provide the certificate we received along with the\nfull chain of CA certificates which we previously obtained. 
To do this, we\ncan just append those CA certificates to the certificate we received, and\nuse that chain to reenroll:\n\n    user@host:$ cat cert.pem cacerts.pem \u003e\u003e certs.pem\n    user@host:$ estclient reenroll -server localhost:8443 -explicit anchor.pem -key key.pem -certs certs.pem -out newcert.pem\n\nNote that when we omit the `-csr` option when reenrolling, the EST client\nautomatically generates a CSR for us by copying the subject field and subject\nalternative name extension from the certificate we're renewing.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fglobalsign%2Fest","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fglobalsign%2Fest","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fglobalsign%2Fest/lists"}