pub async fn post_simplereenroll(
auth: EstAuth,
label: LabelExtractor,
__arg2: State<Arc<AppState>>,
body: Bytes,
) -> Result<Response, KipukaError>
POST /.well-known/est/simplereenroll
Accepts a PKCS#10 CSR (base64-encoded) and returns a PKCS#7 certs-only response containing the renewed certificate.
§Authentication
MUST authenticate via mTLS — the client presents the certificate being renewed. OTP and GSSAPI are not accepted for re-enrollment.
§POP Linking (RFC 7030 §3.5)
The TLS client certificate subject MUST match the CSR subject. This prevents an attacker from using a compromised certificate to request a certificate for a different identity.
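The subject comparison described above, as an added example in std-only Rust; it is not the project's own code. The function names are hypothetical, the byte-exact comparison of the two encoded `Name` values is an assumption (stricter than RFC 5280 name matching), and the inputs are constructed, unsigned DER skeletons rather than real certificates or CSRs.

```rust
// Splits one TLV off `buf` and returns (tag, content, whole TLV, rest). Definite lengths only.
fn tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8], &[u8])> {
    let (tag, first) = (*buf.get(0)?, *buf.get(1)? as usize);
    let (len, hdr) = if first < 0x80 { (first, 2) } else {
        let n = first & 0x7f;
        if n == 0 || n > 4 { return None; } // indefinite or oversized length
        (buf.get(2..2 + n)?.iter().fold(0usize, |a, &b| (a << 8) | b as usize), 2 + n)
    };
    let end = hdr.checked_add(len)?;
    Some((tag, buf.get(hdr..end)?, &buf[..end], &buf[end..]))
}
// Certificate > tbsCertificate: [0] version (optional), serial, sigAlg, issuer, validity, subject
fn cert_subject(der: &[u8]) -> Option<&[u8]> {
    let mut tbs = tlv(tlv(der)?.1)?.1;
    if tbs.first() == Some(&0xA0) { tbs = tlv(tbs)?.3; }
    for _ in 0..4 { tbs = tlv(tbs)?.3; }
    let (tag, _, whole, _) = tlv(tbs)?;
    (tag == 0x30).then_some(whole)
}
// CertificationRequest > certificationRequestInfo: version, subject
fn csr_subject(der: &[u8]) -> Option<&[u8]> {
    let info = tlv(tlv(der)?.1)?.1;
    let (tag, _, whole, _) = tlv(tlv(info)?.3)?;
    (tag == 0x30).then_some(whole)
}
// Assumption: byte-exact Name comparison; any parse failure counts as a mismatch.
fn subjects_match(cert: &[u8], csr: &[u8]) -> bool {
    matches!((cert_subject(cert), csr_subject(csr)), (Some(a), Some(b)) if a == b)
}
// Constructed inputs: unsigned DER skeletons, not real certificates or CSRs.
fn enc(tag: u8, parts: &[Vec<u8>]) -> Vec<u8> {
    let body = parts.concat();
    [vec![tag, body.len() as u8], body].concat() // short-form length only (< 128)
}
fn name(cn: &str) -> Vec<u8> {
    let atv = enc(0x30, &[vec![0x06, 3, 0x55, 4, 3], enc(0x0c, &[cn.as_bytes().to_vec()])]);
    enc(0x30, &[enc(0x31, &[atv])])
}
fn sample_cert(cn: &str) -> Vec<u8> {
    let (ver, serial, empty) = (vec![0xA0, 3, 2, 1, 2], vec![2, 1, 7], vec![0x30, 0]);
    let tbs = [ver, serial, empty.clone(), name("Constructed CA"), empty, name(cn)];
    enc(0x30, &[enc(0x30, &tbs)])
}
fn sample_csr(cn: &str) -> Vec<u8> {
    enc(0x30, &[enc(0x30, &[vec![2, 1, 0], name(cn)])])
}
fn main() {
    let (cert, same, other) = (sample_cert("device1"), sample_csr("device1"), sample_csr("device2"));
    println!("same: {}, other: {}", subjects_match(&cert, &same), subjects_match(&cert, &other));
}
```

In a server, the certificate bytes would come from the verified TLS peer certificate and the CSR would have its signature checked before this comparison is trusted.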
§Revocation Check (RHELBU-3536 R21)
The server verifies the client certificate has not been revoked before accepting the re-enrollment request. This prevents revoked certificates from being used to obtain new certificates.
§Request
| Header | Value |
|---|---|
| Content-Type | application/pkcs10 |
| Body | Base64-encoded DER PKCS#10 CSR |
§Response
| Header | Value |
|---|---|
| Status | 200 OK or 202 Accepted |
| Content-Type | application/pkcs7-mime; smime-type=certs-only |
§Errors
- 400 Bad Request — malformed CSR, POP linking failure
- 401 Unauthorized — mTLS required but not provided
- 403 Forbidden — client certificate revoked
- 415 Unsupported Media Type — wrong Content-Type
- 500 Internal Server Error — CA signing failure