3rd Party Auto Enrollment

I am trying the 3rd party CA auto-enrollment feature instead of OTT, but when I enroll the client it gives the following error:
failed to enroll: expected 1 or more CAs from controller, got 0

Here are the detailed steps that I followed; let me know if I missed any step:

# create a third-party CA with the isAutoCaEnrollmentEnabled property set to true (CLI)
ziti pki create ca --pki-root="${ZITI_PKI}" --ca-file "${ca_name}" --ca-name "${ca_name}"
# copy the cert and add it in the Ziti console with the 'isAutoCaEnrollmentEnabled' property enabled
cat "$ZITI_PKI/${ca_name}/certs/${ca_name}.cert"

# next I verified the created CA with the controller by creating a client cert using this CA
ziti edge list cas   # gives the verification token
identity_to_verify="{verification token}"

ziti pki create client \
  --pki-root="${ZITI_PKI}" \
  --ca-name="${ca_name}" \
  --client-name="${identity_to_verify}" \
  --client-file="${identity_to_verify}"

Then I copied this client cert into the console and verified my CA.

# Now, I created a client PKI with client_name as format
ziti pki create client \
  --pki-root="${ZITI_PKI}" \
  --ca-name="${ca_name}" \
  --client-name="${client_name}" \
  --client-file="${client_name}"

Now, since identity creation will be automatic, I directly went ahead and enrolled the client using the reusable JWT token from the 3rd party CA.

ziti edge enroll --jwt "auto.jwt" \
  --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
  --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
  --out "$ZITI_PKI/$ca_name/keys/${identity_name}.json"
failed to enroll: expected 1 or more CAs from controller, got 0

I even tested with the CA bundle:

curl -sk https://${ZITI_EDGE_CTRL_ADVERTISED}/.well-known/est/cacerts > ${ZITI_PKI}/fetched-ca-certs.p7
openssl base64 -d -in ${ZITI_PKI}/fetched-ca-certs.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out ${ZITI_PKI}/fetched-ca-certs.pem
identity_full_ca_path="${ZITI_PKI}/fetched-ca-certs.pem"

ziti edge enroll --jwt "auto.jwt" \
  --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
  --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
  --ca "${identity_full_ca_path}" \
  --out "$ZITI_PKI/$ca_name/keys/${identity_name}.json"
failed to enroll: expected 1 or more CAs from controller, got 0

Thank you for the very helpful and detailed steps. I tried it myself and ran into the same issue. I'll dig around in the code for a minute to see if I have skipped/missed a step or see if there's a bug in there and report back.

It's a bug. I filed an issue "enrolling with 3rd party ca fails with expected 1 or more CAs from controller, got 0 · Issue #487 · openziti/sdk-golang · GitHub" and put a PR up to address the fix. It will get released "soon" but I'm not sure when.

Thanks for letting us know

@devawasthi -- this should be fixed in version 0.32.1.

Once 0.32.1 is released, I'll verify and let you know.

Happy to report that 0.32.1 was released just now and fixes this issue. Here's a giant set of steps that "should" just work for you, assuming the variables are all set correctly:

ca_name=my_ca_03

ziti edge login ${ZITI_CTRL_URL} -u admin -p admin -y

ziti pki create ca --pki-root="${ZITI_PKI}" --ca-file "${ca_name}" --ca-name "${ca_name}"
caid=$(ziti edge create ca ${ca_name} "$ZITI_PKI/${ca_name}/certs/${ca_name}.cert" --autoca); echo $caid

identity_to_verify=$(ziti edge list cas 'name = "'${ca_name}'"' -j | jq -r .data[].verificationToken); echo $identity_to_verify

ziti pki create client \
	--pki-root="${ZITI_PKI}" \
	--ca-name=${ca_name} \
	--client-name=${identity_to_verify} \
	--client-file=${identity_to_verify}

verification_cert=$ZITI_PKI/$ca_name/certs/$identity_to_verify.cert
verification_key=$ZITI_PKI/$ca_name/keys/$identity_to_verify.key

ziti edge verify ca ${ca_name} --cert $verification_cert

client_name=${ca_name}.client
ziti pki create client \
	--pki-root="${ZITI_PKI}" \
	--ca-name=${ca_name} \
	--client-name=${client_name} \
	--client-file=${client_name}

client_cert="$ZITI_PKI/$ca_name/certs/$client_name.cert"
client_key="$ZITI_PKI/$ca_name/keys/$client_name.key"
curl -skSf https://${ZITI_CTRL_URL}/.well-known/est/cacerts \
  | base64 -d \
  | openssl pkcs7 -inform DER -outform PEM -print_certs \
  > ./bundle.pem

echo "$ZITI_PKI/$ca_name/certs/${client_name}.cert"

auth_token=$(jq -r .edgeIdentities.default.token $HOME/.config/ziti/ziti-cli.json)
curl -sk -H "Accept: application/json" \
	-H "Content-Type: application/json" \
	-H "zt-session: $auth_token" \
	${ZITI_CTRL_URL}/edge/management/v1/cas/${caid}/jwt > "$ZITI_PKI/$ca_name/auto.jwt"

ziti edge enroll --jwt "$ZITI_PKI/$ca_name/auto.jwt" \
	--cert "$ZITI_PKI/$ca_name/certs/${client_name}.cert" \
	--key "$ZITI_PKI/$ca_name/keys/${client_name}.key" \
	--out "$ZITI_PKI/$ca_name/keys/${client_name}.json"

ziti edge list identities

When done you'll see:

$ ziti edge list identities 'name contains "my_ca_03"'
╭───────────┬──────────────────────────┬─────────┬────────────┬─────────────╮
│ ID        │ NAME                     │ TYPE    │ ATTRIBUTES │ AUTH-POLICY │
├───────────┼──────────────────────────┼─────────┼────────────┼─────────────┤
│ 7Q4mdjtnW │ my_ca_03-my_ca_03.client │ Default │            │ Default     │
╰───────────┴──────────────────────────┴─────────┴────────────┴─────────────╯
results: 1-1 of 1
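As an added example (not part of this thread and not OpenZiti or sdk-golang code), here is a Go pre-enrollment check that mirrors the failure discussed above: it refuses an empty CA bundle with the same message and confirms the client cert chains to the registered CA for client auth. The function names are assumed, and the CA and client cert are constructed in code in place of `ziti pki create ca` / `ziti pki create client`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyClientAgainstBundle is a pre-enrollment check: the PEM bundle (e.g. the converted
// /.well-known/est/cacerts output) must hold at least one CA, and the client cert must chain to it for client auth.
func VerifyClientAgainstBundle(bundlePEM, clientPEM []byte) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundlePEM) { // false when no certificate parsed: the condition behind the thread's error
		return errors.New("expected 1 or more CAs from controller, got 0")
	}
	blk, _ := pem.Decode(clientPEM)
	if blk == nil {
		return errors.New("client cert is not PEM")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// SampleCAAndClient builds a constructed CA and a client cert it signed, standing in for `ziti pki create ca/client`.
func SampleCAAndClient() (caPEM, clientPEM []byte) {
	mk := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the client's private key plays no part in this check
	ca := mk(1, "my_ca_03")
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER) // re-parse so issuer data for the leaf comes from the signed CA cert
	leaf := mk(2, "my_ca_03.client")
	leaf.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(leafDER)
}
```

Running the check against a bundle converted from the controller's cacerts response before `ziti edge enroll` separates "the controller returned no CAs" from "my client cert was not issued by the registered CA".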