That's an accurate paraphrase. Nicely done.
Yes. If, for example, someone launches a man-in-the-middle attack, Ziti's mTLS will reject the unauthorized request, and you'll get errors from zrok.
zrok (stylized with a lowercase z) runs on Ziti, and Ziti uses mutual TLS. Ziti is a platform, zrok's foundation is the Ziti platform, and zrok uses Ziti's APIs and SDKs to do security and networking stuff that would otherwise be a lot more difficult. You can do the same and accelerate building custom apps with built-in Ziti superpowers, possibly using zrok as an example. That's what Ziti is all about!
Yes, your zrok instance's Ziti PKI is unique to you. You can set the x509 distinguished name (DN) of your authority and the identities that it issues to anything you wish. It's not exposed as a convenient input, but it's not difficult. Here's a parallel forum topic where I gave some hints about this.
For example, replace all the values like dn* with whatever you want to appear in the server certificate's DN.
docker compose exec ziti-quickstart \
ziti pki create server \
--pki-root "/ziti-controller/pki" \
--server-file "server" \
--ca-name "intermediate-ca" \
--server-name "dnCN" \
--pki-country "dnC" \
--pki-province "dnS" \
--pki-locality "dnL" \
--pki-organization "dnO" \
--pki-organizational-unit "dnOU" \
--dns "localhost,ziti.libregalaxy.org" \
--ip "127.0.0.1,::1" \
--allow-overwrite
If it doesn't change immediately, you need to restart the container. This command prints the current server certificate's DN:
openssl s_client -connect ziti.libregalaxy.org:1280 <>/dev/null \
|& openssl x509 -noout -subject
e.g.,
subject=C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = server
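To confirm that the dn* values from the `ziti pki create server` command actually reached the certificate the controller serves, the openssl subject line above can be parsed and compared field by field. This is an added example, not code from the post or from the Ziti project; the mapping of each `--pki-*` flag to its X.509 RDN short name (province to `ST`, etc.) is my assumption, and the `fetch_subject` helper simply wraps the openssl pipeline shown in the post.

```python
import subprocess

# Assumed mapping from the `ziti pki create server` flags in the post to the
# RDN short names that `openssl x509 -subject` prints for them.
FLAG_TO_RDN = {
    "server-name": "CN",
    "pki-country": "C",
    "pki-province": "ST",
    "pki-locality": "L",
    "pki-organization": "O",
    "pki-organizational-unit": "OU",
}


def parse_openssl_subject(line):
    """Turn 'subject=C = US, L = Charlotte, ...' into a dict of RDN -> value.
    openssl escapes a literal comma inside a value as '\\,', so split by hand."""
    line = line.strip()
    if line.startswith("subject="):
        line = line[len("subject="):]
    parts, buf, i = [], "", 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it verbatim
            buf += line[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    return {k.strip(): v.strip() for k, v in
            (p.split("=", 1) for p in parts if "=" in p)}


def dn_mismatches(actual_dn, expected_flags):
    """Return {RDN: (wanted, served)} for each flag whose value did not take effect,
    e.g. because the container was not restarted after re-issuing the cert."""
    return {FLAG_TO_RDN[flag]: (want, actual_dn.get(FLAG_TO_RDN[flag]))
            for flag, want in expected_flags.items()
            if actual_dn.get(FLAG_TO_RDN[flag]) != want}


def fetch_subject(host, port=1280):
    """Run the same openssl pipeline as the post (bash syntax) and return its output."""
    cmd = (f"openssl s_client -connect {host}:{port} <>/dev/null "
           "|& openssl x509 -noout -subject")
    return subprocess.run(["bash", "-c", cmd], capture_output=True, text=True).stdout
```

A non-empty result from `dn_mismatches(parse_openssl_subject(fetch_subject("ziti.libregalaxy.org")), {...})` tells you which DN fields the controller is still serving from the old certificate.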