add EST provisioner

[jbpin]

Implementation of [RFC 7030] (https://datatracker.ietf.org/doc/html/rfc7030).
Support TLS client certificate authentication and basic auth.
Support webhook for authentication, notification and data.
Not covered :

• full CMC
• server-side key generation

Name of feature:

EST protocol support (RFC7030)

Pain or issue this feature alleviates:

add support for a protocol that was not yet implemented in certificates

Why is this important to the project (if not answered above):

EST is a protocol used by the industry

Is there documentation on how to use this feature? If so, where?

not yet :/

Supporting links/other PRs/issues:

#2366
#14
💔Thank you!

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Jean-Baptiste Pin seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[s5657]

Hi @jbpin
thanks for your great contribution for EST 👍
Looks like the PR #2507 will not be proceeded until the license-bot gets your GO:

license/cla
Waiting for status to be reported — Contributor License Agreement is not signed yet.

Just my 2 cents,
a step-ca user liking EST

[jbpin]

You can use replace github.com/smallstep/linkedca => github.com/jbpin/linkedca v0.0.0-20260108080200-10b2f2764841 at the end of the go.mod in the cli project to get a step ca command that support EST.

[elmobp]

Any update on the CLA getting signed?

[Viva-Linn]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Jean-Baptiste Pin seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

Would be great to get the CLA signed. @jbpin please have a look.

[jbpin]

I've signed it several times... verify my email address is correct. any ideas ?

[Viva-Linn]

I think it's because you committed your changes as "Jean-Baptiste Pin", which does not seem to be GitHub user. Maybe you used an email address not connected to your GitHub account in your local IDE when committing. Just a guess. Would love to see EST in Step.

[jbpin]

git log
commit 6d6e690e0baef4c369428b4ea9dfe39c0c446bfa (HEAD -> android, origin/android)
Author: Jean-Baptiste Pin <>

[jbpin]

commit 6d6e690e0baef4c369428b4ea9dfe39c0c446bfa (HEAD -> android, origin/android)
Author: Jean-Baptiste Pin <>

I think this explain why. @hslatman can you handle this? Let me know if there is any things you want me to do.

[hslatman]

I'm not sure if we can (easily) bypass the CLA signing to match the name in the (current) Git history, even though you're that person.

What I think could work:

• set email in local Git clone of certificates to an email that GitHub also knows about. Within the certificates directory, do git config user.email "someone@example.com.
• rebase your current work in the android / est-provisioner branch on top of current master. This will rewrite history, with the new email. Ensure you have an up-to-date master first, then checkout android / est-provisioner, and do git rebase --interactive master.
• force push your changes

It might be possible to use the noreply address that GitHub provides, but I'm not sure if the CLA bot accepts that.

Alternatively, I could look into doing the rebasing, and changing the commit author that way.

[jbpin]

@hslatman, thank you. I've done my best I hope I do not break dependancies.