3rd Party CA - Auto Enrollment

Building/Development
1

Hi, I was trying auto enrollment using a third party ca, however i couldnt find any detailed flow of how to proceed with, I have registered a third party ca, pls explain how its different from one time enrollment ( ott) and what steps to follow

2

Hi @dexter,

Just so I understand. You have a PKI, you created a CA that can sign other certs, you added the 3rd party CA in the controller and verified it, and now you want to create a certificate from your own maintained pki and use it to authenticate to your overlay network. Do I have all that correct?

If that's the situation, you now need to create an identity file that references your key, cert and ca bundle. That ends up looking something like this example here, that I use for my mattermost identity (the chat app we use here at NetFoundry is protected via OpenZiti)

{
  "ztAPI": "https://dns.of.your.controller:8441",
  "id": {
    "key": "file:///Windows/System32/config/systemprofile/AppData/Roaming/NetFoundry/mm.key",
    "cert": "file:///Windows/System32/config/systemprofile/AppData/Roaming/NetFoundry/mm.cert",
    "ca": "file:///Windows/System32/config/systemprofile/AppData/Roaming/NetFoundry/mm.ca"
  },
  "configTypes": null
}

ztAPI: the address of your controller's client API (usually 8441 if you used a quickstart)
id.key: a path to a file on your system that represents the key to use
id.cert: a path to a file on your system that represents the cert to use
id.ca: a path to the ca bundle from your controller. Generally you can obtain this in pkcs7 format from the .well-known url. I'll often use a command like this:

curl -skSf https://127.0.0.1:1280/.well-known/est/cacerts \
     | base64 -d \
     | openssl pkcs7 -inform DER -outform PEM -print_certs \
     > ./bundle.pem

I've not done this recently, so forgive me if i missed a step but we can work through it if that's not enough information...

Once you have the identity file created and referencing your files, your tunneler or sdk application will be able to authenticate to the controller. You can test your authentication easily using the ziti cli too.

ziti edge login %CTRL_URL% --client-cert mm.cert --client-key mm.key --ca mm.ca
Token: 7fc81cc2-d1c4-41b7-b886-57291246ed1d
Saving identity 'default' to C:\Users\clint\.ziti\ziti-cli.json

That way you'll know if you have things setup properly. hth