Creating Endpoint with your own Certificate Authority

OK. The video is below. The key was the identity name: it has to follow the “[caName]-[commonName]” format (the `identityNameFormat` the controller reports for the CA), otherwise the identity will not authenticate. Also, the API paths I had been using were no longer valid. Good luck – hopefully this helps.

Here is the full instruction set – it is quite long and ‘dense’… [Edited: the commands assume `ZITI_PKI` points at your PKI root directory]

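# generate a new CA
# ZITI_PKI is the PKI root every path below hangs off - fail early if it is not set
: "${ZITI_PKI:?ZITI_PKI must be set to the PKI root directory}"
ca_name="new_ca_$(date +"%H%M%S")"
ca_dir="${ZITI_PKI}/${ca_name}"

echo "New CA is named   : ${ca_name}"
# the original printed ${new_ca_dir}, which is never assigned - print the directory actually computed
echo "New CA directory  : ${ca_dir}"

# create the PKI using the CLI (writes ${ca_dir}/certs and ${ca_dir}/keys)
ziti pki create ca \
    --pki-root="${ZITI_PKI}" \
    --ca-file "${ca_name}" \
    --ca-name "${ca_name}"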

------------------

# use ZAC and add the CA
# print the new CA certificate so it can be pasted into ZAC's "add CA" form
cat -- "${ZITI_PKI}/${ca_name}/certs/${ca_name}.cert"

------------------

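# use your env file to get a zt_session header - used for curls below
# NOTE: -k disables TLS verification of the controller, so the credentials and the
#       session token travel over an unauthenticated connection. Fine for a lab;
#       anywhere else replace -k with --cacert <controller CA bundle>.
# The credentials are handed to jq via the environment and to curl on stdin (-d @-)
# so the password never appears in argv, where `ps` and shell history would expose it.
export zt_session
zt_session=$(ZITI_USER="${ZITI_USER}" ZITI_PWD="${ZITI_PWD}" \
        jq -cn '{username: $ENV.ZITI_USER, password: $ENV.ZITI_PWD}' \
    | curl -sk -H "Content-Type: application/json" \
        "https://${ZITI_EDGE_CTRL_ADVERTISED}/authenticate?method=password" \
        -d @- \
    | jq -j .data.token)
# jq prints the literal "null" when the field is missing - treat that as a failed login
if [[ -z "${zt_session}" || "${zt_session}" == "null" ]]; then
    echo "authentication failed - no session token returned" >&2
fi

# grab the id of the ca you just created - used below
# '.data[].id' on its own concatenates the ids of EVERY CA on the controller, which
# silently breaks the identity creation further down as soon as a second CA exists.
# Select by name instead - this assumes the CA was given the same name in ZAC as
# ${ca_name}; adjust the select() if you named it differently.
ca_id=$(curl -sk \
    -H "Content-Type: application/json" \
    -H "zt-session: ${zt_session}" \
    "https://${ZITI_EDGE_CTRL_ADVERTISED}/edge/management/v1/cas" \
    | jq -j --arg n "${ca_name}" '.data[] | select(.name == $n) | .id')
if [[ -z "${ca_id}" ]]; then
    echo "no CA named ${ca_name} found on the controller - check the name used in ZAC" >&2
fi

echo "New CA resides at : ${ZITI_PKI}/${ca_name}/certs/${ca_name}.cert"
echo "New CA has id     : ${ca_id}"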

------------------

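# Using ZAC - find the verification id. verify the CA cert...
# The verification id ZAC shows becomes the CN of a client cert signed by the new CA;
# that cert is what the ZAC "verify" step asks for (presumably to prove you hold the CA key).
identity_to_verify="<copy verification id here>"
# refuse to mint a cert for the unedited placeholder
if [[ -z "${identity_to_verify}" || "${identity_to_verify}" == "<copy verification id here>" ]]; then
    echo "set identity_to_verify to the verification id shown in ZAC first" >&2
fi
ziti pki create client \
    --pki-root="${ZITI_PKI}" \
    --ca-name="${ca_name}" \
    --client-name="${identity_to_verify}" \
    --client-file="${identity_to_verify}"
echo "New client lives at   : ${ZITI_PKI}/${ca_name}/certs/${identity_to_verify}.cert"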

------------------

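# set your identity name. this is VITAL you need to use the format of "[caName]-[commonName]"
# you can see when looking at the json that this is output:
#      "identityNameFormat": "[caName]-[commonName]",
# this was my missing step. presenting a cert that doesn't match this pattern makes it fail to auth
# Here the part after "${ca_name}-" is the client cert's CN; the timestamp just keeps names unique.
identity_name="${ca_name}-ca_id_$(date +"%H%M%S")"

echo "New Identity named: ${identity_name}"

# client cert + key for the identity, signed by the new CA
# (written to ${ZITI_PKI}/${ca_name}/certs and ${ZITI_PKI}/${ca_name}/keys)
ziti pki create client \
    --pki-root="${ZITI_PKI}" \
    --ca-name="${ca_name}" \
    --client-name="${identity_name}" \
    --client-file="${identity_name}"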
    
----------------

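# create a new identity - I couldn't find a 'ziti cli' nor 'ZAC' way of doing this. Needed to use the API
# Build the JSON with jq so the identity name and CA id are escaped properly instead of being
# spliced into a hand-quoted string. The payload is unchanged:
#   {"name": "<identity_name>", "type": "User", "isAdmin": false, "enrollment": {"ottca": "<ca_id>"}}
identity_payload=$(jq -cn --arg name "${identity_name}" --arg ca "${ca_id}" \
    '{name: $name, type: "User", isAdmin: false, enrollment: {ottca: $ca}}')
identity_id=$(printf '%s' "${identity_payload}" \
    | curl -sk \
        -H "Content-Type: application/json" \
        -H "zt-session: ${zt_session}" \
        "https://${ZITI_EDGE_CTRL_ADVERTISED}/edge/management/v1/identities" \
        -d @- \
    | jq -j '.data.id')
# jq prints the literal "null" when the response carried no id (e.g. an API error body)
if [[ -z "${identity_id}" || "${identity_id}" == "null" ]]; then
    echo "identity creation failed for ${identity_name} - check ca_id and the session token" >&2
fi

jwt_file="${ZITI_PKI}/${identity_name}.jwt"
echo "Third Party OTT identity created. ID: ${identity_id}"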

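# get the jwt from the controller - used to enroll...
curl -sk -H "Content-Type: application/json" \
     -H "zt-session: ${zt_session}" \
     "https://${ZITI_EDGE_CTRL_ADVERTISED}/edge/management/v1/identities/${identity_id}" \
     | jq -j .data.enrollment.ottca.jwt > "${jwt_file}"
# jq writes the literal "null" when the field is absent (identity not created with an
# ottca enrollment, or the lookup failed) - catch that before trying to enroll with it
if [[ ! -s "${jwt_file}" || "$(cat "${jwt_file}")" == "null" ]]; then
    echo "no ottca enrollment jwt returned for identity ${identity_id}" >&2
fi
# one-time enrollment token - keep it private
chmod 600 "${jwt_file}"

echo "using jwt at ${jwt_file} to enroll"

# you need the CA bundle in order to enroll - this command grabs the ca bundle
# NOTE: with -k the bundle is fetched without verifying the controller, i.e. trust-on-first-use.
#       Acceptable in a lab; otherwise verify the controller cert (--cacert) or get the bundle out of band.
curl -sk "https://${ZITI_EDGE_CTRL_ADVERTISED}/.well-known/est/cacerts" > "${ZITI_PKI}/fetched-ca-certs.p7"
# the EST response is base64-wrapped DER PKCS#7 - unwrap it into a PEM bundle
openssl base64 -d -in "${ZITI_PKI}/fetched-ca-certs.p7" \
    | openssl pkcs7 -inform DER -outform PEM -print_certs -out "${ZITI_PKI}/fetched-ca-certs.pem"
identity_full_ca_path="${ZITI_PKI}/fetched-ca-certs.pem"

# actually enroll the identity
identity_json="${ZITI_PKI}/${ca_name}/keys/${identity_name}.json"
ziti edge enroll \
    --jwt "${jwt_file}" \
    --cert "${ZITI_PKI}/${ca_name}/certs/${identity_name}.cert" \
    --key "${ZITI_PKI}/${ca_name}/keys/${identity_name}.key" \
    --idname "${identity_name}" \
    --ca "${identity_full_ca_path}" \
    --out "${identity_json}"
# the enrolled identity file is what the tunneler authenticates with - restrict it like the key
if [[ -f "${identity_json}" ]]; then
    chmod 600 "${identity_json}"
fi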



# service 'eth0': host side forwards tcp to eth0.me:80, intercept side catches eth0.discourse.ziti:80
svc_name='eth0'
ziti edge create config "${svc_name}.host.v1" host.v1 '{"protocol":"tcp", "address":"eth0.me","port":80}'
ziti edge create config "${svc_name}.intercept.v1" intercept.v1 '{"protocols":["tcp"],"addresses":["eth0.discourse.ziti"], "portRanges":[{"low":80, "high":80}]}'
ziti edge create service "${svc_name}" --configs "${svc_name}.intercept.v1,${svc_name}.host.v1"

# the identity enrolled above may Bind (host) the service ...
ziti edge create service-policy "${svc_name}.binding" Bind --service-roles "@${svc_name}" --identity-roles "@${identity_name}"

# ... and an identity named 'eth0.client' may Dial it
# (that identity is not created anywhere in this walkthrough - create/enroll it separately)
ziti edge create service-policy "${svc_name}.dialing" Dial --service-roles "@${svc_name}" --identity-roles "@${svc_name}.client"

# run the ziti-edge-tunnel with our newly provisioned identity
sudo ~/ziti-edge-tunnel run -i "${ZITI_PKI}/${ca_name}/keys/${identity_name}.json"


# tear down the 'eth0' configs, service and policies when no longer needed (same order as before)
svc_name='eth0'
for cfg in host.v1 intercept.v1; do
    ziti edge delete config "${svc_name}.${cfg}"
done
ziti edge delete service "${svc_name}"
for pol in binding dialing; do
    ziti edge delete service-policy "${svc_name}.${pol}"
done