pki, mtls

Where does the client get the client certificate in EST for authentication?


I'm reading about the Enrollment over Secure Transport (EST) protocol and in the protocol, it says that the EST server could authenticate a client using a client certificate or HTTP Basic Auth or OAuth 2.0. But where does the client get this client certificate? Is it given to the client by an administrator by an external means (like an email)?


Solution

  • But where does the client get this client certificate?

    RFC 7030 section 2.2 "Initial Enrollment" says about this:

    The EST server authenticates and authorizes the EST client as specified in Sections 3.3.2, 3.3.3, and 3.7. The methods described in the normative text that are discussed in this overview include:

    • TLS with a previously issued client certificate (e.g., an existing certificate issued by the EST CA);
    • TLS with a previously installed certificate (e.g., manufacturer-installed certificate or a certificate issued by some other party);

    So, it assumes that the client certificate is already installed in some secure way. It does not discuss the distribution of the client certificate used for initial authentication, but instead gives some examples of who could have installed it. Since there are usually established processes when enrolling clients (like software installation, issuing of credentials, ...), you might consider this part of that enrollment process.

    Note that you have similar security requirements for other forms of authentication, i.e. a username and password also have to be known to the client up front and thus have to be somehow securely distributed or installed before use.