Skip to main content
Skip table of contents

EST over CoAP


EJBCA supports the EST over secure CoAP (EST-coaps) protocol as defined in Enrollment over Secure Transport (EST) with the Constrained Application Protocol (CoAP), RFC 9148. The document defines how to transport EST payloads over secure CoAP (EST-coaps), which allows constrained devices to use existing EST functionality for provisioning certificates. The EST over secure CoAP protocol is a secure method for enrolling and managing digital certificates in IoT devices that have limited resources such as processing power, memory, and energy.

As of EJBCA 8.0, EST over secure CoAP is available in the EJBCA Local RA (LRA) Software Appliance used in combination with an EJBCA CA instance deployed separately from the EJBCA LRA Software Appliance.

The following sections provide an overview of EST over CoAP support in EJBCA.

EST over CoAP in EJBCA

To use the CoAP Proxy, client authentication is always required, and the EST alias may be configured in client or RA mode and must be used with vendor certificate mode and a birth certificate. For more information, see EST Client Mode Configuration or EST RA Mode Configuration.

The client sends a binary request using DTLS client authentication, and the CoAP Proxy transfers the request as a REST call to EJBCA, utilizing TLS client authentication.


  • Both EST and REST Coap Management need to be enabled in EJBCA System Configuration > Protocol Configuration.
  • EST alias should be configured in client or RA mode and used with vendor certificate mode
  • Note that one CA name should be selected in the EST alias. The CoAP proxy does not have the capability to select a CA name other than the one configured in the alias.

Enroll a vendor birth certificate

To enroll a vendor birth certificate, the CoAP client uses the simplified /sen operation, which is a form of the EST operation simpleenroll. The CoAP proxy transforms the request to a REST call formatted to utilize the EST protocol in EJBCA. For an EST request in client mode and vendor mode, the birth certificate and a Certificate Signing Request (CSR) must be included in the request, where the birth certificate is used for authentication. The details in the CSR must match the certificate details in the birth certificate for the CA to accept the request and issue a certificate.


For enrollment, use the relative URL: .well-known/est/{est_alias}/sen and for re-enrollment, use: .well-known/est/{est_alias}/sren.

Re-enroll a certificate

To re-enroll a certificate, the issued certificate is used as authentication and is included with the CSR in the request. The details in the CSR still have to match the certificate details for re-enrollment to be allowed. The operation used for re-enrollment is /sren from the CoAP.

Get CA certificate chain

The CoAP proxy retrieves the alias configuration from EJBCA, which includes available aliases and CA certificate chains, at regular intervals. The frequency of this call can be adjusted in the file. The CoAP client operation, to get the CA certificate chains is /crts.

Server-side key-generation 

This operation is optional in RFC 9148.

If the CoAP client is making use of the /skg operation, EJBCA will create a key pair and provide the public key along with the certificate. Even if a public key is included with the CSR, EJBCA will not consider it and generate a fresh key pair.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.