Certificate renewal showing path //keys/-server.key

Hi @kashif, here is an updated set of steps...

Set up some variables for the server

Make sure the end result looks right. You want to make sure you see your control plane and edge api in the DNS ENTRIES list at the end, and you want to make sure the IP ENTRIES is correct as well (if any).

export ZITI_PKI_OS_SPECIFIC="$HOME/.ziti/quickstart/$(hostname)/pki"
# The intermediate CA names have to be set before the key paths are built,
# otherwise the path comes out as .../pki//keys/-server.key
export ZITI_CONTROLLER_INTERMEDIATE_NAME="${ZITI_PKI_CTRL_INTERMEDIATE_NAME}"
export ZITI_EDGE_CONTROLLER_INTERMEDIATE_NAME="${ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME}"
export ZITI_CTRL_IDENTITY_KEY="${ZITI_PKI_OS_SPECIFIC}/${ZITI_CONTROLLER_INTERMEDIATE_NAME}/keys/${ZITI_CTRL_ADVERTISED_ADDRESS}-server.key"
export ZITI_EDGE_CTRL_IDENTITY_KEY="${ZITI_PKI_OS_SPECIFIC}/${ZITI_EDGE_CONTROLLER_INTERMEDIATE_NAME}/keys/${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}-server.key"
now="$(date '+%Y-%m-%d-%M%S')"

pki_allow_list_dns="localhost"
if [[ "${ZITI_CTRL_ADVERTISED_ADDRESS}" != "" ]]; then pki_allow_list_dns="${pki_allow_list_dns},${ZITI_CTRL_ADVERTISED_ADDRESS}"; fi
if [[ "${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}" != "" ]]; then pki_allow_list_dns="${pki_allow_list_dns},${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}"; fi

if [[ "${EXTERNAL_DNS}" != "" && \
	  ("${EXTERNAL_DNS}" != "${ZITI_CTRL_ADVERTISED_ADDRESS}" && \
	  "${EXTERNAL_DNS}" != "${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}") ]]; then
	  pki_allow_list_dns="${pki_allow_list_dns},${EXTERNAL_DNS}"
fi

pki_allow_list_ip="127.0.0.1"
if [[ "${ZITI_EDGE_CONTROLLER_IP_OVERRIDE}" != "" ]]; then pki_allow_list_ip="${pki_allow_list_ip},${ZITI_EDGE_CONTROLLER_IP_OVERRIDE}"; fi

echo "DNS ENTRIES  : $pki_allow_list_dns"
echo "IP ENTRIES   : $pki_allow_list_ip"
echo "CTRL KEY FILE: ${ZITI_CTRL_IDENTITY_KEY}"
echo "EDGE KEY FILE: ${ZITI_EDGE_CTRL_IDENTITY_KEY}"

Create a new Server cert for the control plane

export ZITI_CONTROLLER_INTERMEDIATE_NAME="${ZITI_PKI_CTRL_INTERMEDIATE_NAME}"
export ZITI_CONTROLLER_HOSTNAME="${ZITI_CTRL_ADVERTISED_ADDRESS}"
"${ZITI_BIN_DIR-}/ziti" pki create server \
  --pki-root="${ZITI_PKI_OS_SPECIFIC}" \
  --ca-name "${ZITI_CONTROLLER_INTERMEDIATE_NAME}" \
  --key-file "${ZITI_CONTROLLER_HOSTNAME}-server" \
  --server-file "${ZITI_CONTROLLER_HOSTNAME}-server.${now}" \
  --dns "${pki_allow_list_dns}" \
  --ip "${pki_allow_list_ip}" \
  --expire-limit 1200 \
  --server-name "${ZITI_CONTROLLER_HOSTNAME} server certificate ${now}"

Create a new Server cert for the edge api

export ZITI_EDGE_CONTROLLER_INTERMEDIATE_NAME="${ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME}"
export ZITI_EDGE_CONTROLLER_HOSTNAME="${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}"
"${ZITI_BIN_DIR-}/ziti" pki create server \
  --pki-root="${ZITI_PKI_OS_SPECIFIC}" \
  --ca-name "${ZITI_EDGE_CONTROLLER_INTERMEDIATE_NAME}" \
  --key-file "${ZITI_EDGE_CONTROLLER_HOSTNAME}-server" \
  --server-file "${ZITI_EDGE_CONTROLLER_HOSTNAME}-server.${now}" \
  --dns "${pki_allow_list_dns}" \
  --ip "${pki_allow_list_ip}" \
  --expire-limit 1200 \
  --server-name "${ZITI_EDGE_CONTROLLER_HOSTNAME} server certificate ${now}"

At this point you should be able to follow the rest of those commands from the "Update the controller config file" step.

I tried it on my quickstart deployed network, but it's hard for me to know if it's exactly right until you try it and verify it.

Let me know how it goes.
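A pre-flight check for these steps, added here as an example and not part of the original post or the quickstart: it refuses to build a key path while any variable it depends on is empty (which is what produces paths like //keys/-server.key) and, after renewal, confirms the new cert carries the DNS names from pki_allow_list_dns. The variable names are the quickstart's; the function names are my own, and the cert check assumes openssl 1.1.1 or newer is on the path.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. POSIX sh, so it runs under bash too.

# Return 0 when every named variable is set and non-empty; otherwise print the
# empty ones to stderr and return 1. Run this before building any key path.
require_vars() {
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "empty or unset: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Build <pki-root>/<intermediate>/keys/<host>-server.key, the layout the
# quickstart uses. Prints nothing and returns 1 if any component is empty,
# so an empty variable can no longer yield .../pki//keys/-server.key.
server_key_path() {
  pki_root="$1"; intermediate="$2"; host="$3"
  if [ -z "$pki_root" ] || [ -z "$intermediate" ] || [ -z "$host" ]; then
    return 1
  fi
  printf '%s/%s/keys/%s-server.key\n' "$pki_root" "$intermediate" "$host"
}

# After renewal: check that the new cert carries every DNS name from a
# comma-separated list such as pki_allow_list_dns. Needs openssl (1.1.1+ for -ext).
cert_has_dns_sans() {
  cert="$1"; expected="$2"
  sans="$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null)" || return 1
  sans="$(printf '%s' "$sans" | tr -d '\n'),"   # trailing comma makes every entry ",-terminated"
  old_ifs="$IFS"; IFS=','
  for name in $expected; do
    case "$sans" in
      *"DNS:$name,"*) ;;
      *) IFS="$old_ifs"; echo "SAN missing: $name" >&2; return 1 ;;
    esac
  done
  IFS="$old_ifs"
  return 0
}

# Usage with the quickstart variables, before the "ziti pki create server" steps:
# require_vars ZITI_PKI_OS_SPECIFIC ZITI_PKI_CTRL_INTERMEDIATE_NAME ZITI_CTRL_ADVERTISED_ADDRESS \
#   && server_key_path "$ZITI_PKI_OS_SPECIFIC" "$ZITI_PKI_CTRL_INTERMEDIATE_NAME" "$ZITI_CTRL_ADVERTISED_ADDRESS"
```

Run cert_has_dns_sans against the new .cert file with "$pki_allow_list_dns" once ziti pki create server has finished, before pointing the controller config at it.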