Guides, API reference, and compliance documentation for the kipuka EST enrollment server.
- kipuka.toml: Complete annotated reference for kipuka.toml — server, TLS, database, CA, EST, HSM, OTP, HA, and audit settings.
- architecture.md: Component diagrams, crate structure, EST operation data flows, and HSM integration points.
- PROJECT.md: EST protocol testing with curl and openssl, HSM development setup with Kryoptic, and database migration procedures.
- NIAP CA PP v2.0: Mapping of kipuka capabilities to NIAP CA PP v2.0 security functional requirements.
- CA/B Forum BR: Certificate profile enforcement, validity constraints, and BR compliance mapping.
- PKCS#11: Per-vendor PKCS#11 configuration, key generation capabilities, and known limitations for Entrust, Utimaco, Thales, and Kryoptic.

| Operation | Path | Method | Description |
|---|---|---|---|
| CA Certs | /.well-known/est/cacerts | GET | Retrieve current CA certificates (no auth required) |
| Simple Enroll | /.well-known/est/simpleenroll | POST | Initial certificate enrollment (OTP or mTLS auth) |
| Simple Re-enroll | /.well-known/est/simplereenroll | POST | Certificate renewal with existing client cert (mTLS) |
| Full CMC | /.well-known/est/fullcmc | POST | Full CMC enrollment (RFC 5272) for complex requests |
| Server Keygen | /.well-known/est/serverkeygen | POST | Server-side key generation with KRA escrow |
| CSR Attributes | /.well-known/est/csrattrs | GET | Advertise supported CSR attributes and algorithms |
All endpoints support EST label routing, for example `/.well-known/est/<label>/simpleenroll`.
- cargo doc: Server binary, axum routes, configuration, authentication, and CA management.
- cargo doc: EST protocol operations, CSR parsing, certificate issuance, and CMS message handling.
- cargo doc: PKCS#11 HSM integration, key operations, signing, and slot management.