H.3 Initial Enrolment
In EST, enrolment is an HTTPS web operation. The EST server authenticates and authorizes the EST client before allowing the operation to proceed. In OPC UA, a Method call is used to request a Certificate, and the CertificateManager likewise authenticates and authorizes the client before allowing the operation to proceed. Table H.2 compares how an EST server verifies an EST client with how a CertificateManager verifies a CertificateManager client.
Table H.2 – Client verification in EST and OPC UA

| EST | OPC UA |
|---|---|
| TLS with a client certificate previously issued by the EST server. | The CertificateManager client has a certificate previously issued by the GDS. |
| TLS with a previously installed certificate which is trusted by the EST server. | The CertificateManager client has a certificate which is trusted by the CertificateManager. |
| Shared credentials distributed out of band which are used for certificate-less TLS. | No equivalent. |
| HTTPS username/password authentication. | The CertificateManager client provides appropriate user credentials when it establishes the Session. |
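As an added example, not part of this Annex or of any EST implementation, the following Go program shows how an EST server can make the decision described in the EST column of Table H.2. A presented TLS client certificate is chain-validated first against the CA the server itself operates (row 1) and then against trust anchors installed out of band (row 2); when no certificate is presented, the HTTP Basic credentials carried inside the TLS session are checked (row 4). Row 3 (certificate-less TLS with shared credentials) is omitted because the Go standard library does not implement it. All names (Policy, Classify, "Example EST CA", "Factory CA", "device42", "s3cret") and the in-memory CA are constructed for the example, and the plaintext credential map stands in for a real credential store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuthMode is the Table H.2 row (EST column) that authenticated a request; row 3, certificate-less TLS, is omitted.
type AuthMode string

const (
	ModeReenrol  AuthMode = "tls-cert-issued-by-this-server" // row 1
	ModeExternal AuthMode = "tls-cert-trusted-out-of-band"   // row 2
	ModePassword AuthMode = "https-username-password"        // row 4
	ModeRejected AuthMode = "rejected"
)

// CA is a throwaway in-memory issuer, constructed only to produce the example certificates.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign fills in serial and validity, then signs tmpl with parent (self-signed when parent is nil).
func sign(tmpl *x509.Certificate, parent *CA) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = big.NewInt(time.Now().UnixNano()), time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	issuer, issuerKey := tmpl, key
	if parent != nil {
		issuer, issuerKey = parent.Cert, parent.key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func NewCA(cn string) *CA {
	cert, key := sign(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil)
	return &CA{Cert: cert, key: key}
}

// ClientCert issues a TLS client-authentication certificate for cn, as an EST server or a factory CA would hand to a device.
func (c *CA) ClientCert(cn string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, c)
	return cert
}

// Policy is the server's trust configuration: the anchor for certificates it issued itself (row 1), anchors
// installed out of band such as a factory CA (row 2), and a credential store (row 4; plaintext here only for the example).
type Policy struct {
	estCA, external *x509.CertPool
	users           map[string]string
}

func NewPolicy(estCA, externalCA *x509.Certificate, users map[string]string) *Policy {
	p := &Policy{estCA: x509.NewCertPool(), external: x509.NewCertPool(), users: users}
	p.estCA.AddCert(estCA)
	p.external.AddCert(externalCA)
	return p
}

// chainsTo reports whether leaf builds a valid client-authentication chain to one of roots.
func chainsTo(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Classify decides which Table H.2 row a request satisfies. peer is the TLS client certificate
// chain (leaf first) and user/pass/hasBasic the result of http.Request.BasicAuth.
func (p *Policy) Classify(peer []*x509.Certificate, user, pass string, hasBasic bool) AuthMode {
	switch {
	case len(peer) > 0 && chainsTo(peer[0], p.estCA):
		return ModeReenrol
	case len(peer) > 0 && chainsTo(peer[0], p.external):
		return ModeExternal
	case len(peer) > 0:
		return ModeRejected // a certificate was offered but is not trusted: no fallback to passwords
	}
	if stored, ok := p.users[user]; hasBasic && ok && subtle.ConstantTimeCompare([]byte(stored), []byte(pass)) == 1 {
		return ModePassword
	}
	return ModeRejected
}

func main() {
	est, factory := NewCA("Example EST CA"), NewCA("Factory CA")
	p := NewPolicy(est.Cert, factory.Cert, map[string]string{"device42": "s3cret"})
	fmt.Println(p.Classify([]*x509.Certificate{est.ClientCert("device42")}, "", "", false))
	fmt.Println(p.Classify([]*x509.Certificate{factory.ClientCert("device42")}, "", "", false))
	fmt.Println(p.Classify(nil, "device42", "s3cret", true))
	fmt.Println(p.Classify([]*x509.Certificate{NewCA("Rogue CA").ClientCert("device42")}, "device42", "s3cret", true))
}
```

Rows 1 and 2 use the same TLS mechanism and differ only in which trust anchors the server consults, which is why both map to "a certificate trusted by the CertificateManager" on the OPC UA side. The one deliberate policy choice in the example is that a client which offers a certificate chaining to neither anchor is rejected outright instead of being allowed to fall through to username/password authentication, so a junk certificate cannot be used to probe the weaker path.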