All ok… it has provided time to work through the difference between a self signed certificate authority… and a public certificate authority.
its like opposite ends of the string.
The reason why this is so important is because I need to setup a simple test environment to showcase a golang reverse proxy over a dark network using Ziti
If I can work through the process of “verifiying” a new self signed certificate authority… and create new identities from it… I should be able to get my demonstration working
The problem all started when I wanted to host a proxy server for an Apex application. The server automatically created a self signed certificate which worked a treat… until I tried to connect to the server using a golang reverse proxy.
The Ziti network does not recognise the self signed certificate because its not from a trusted source (ie. a public certificate authority).
This is also why the reverse proxy works for my website… because its created from a public certificate authority… with wildcard DNS and SAN
I did register a public DNS for the server to have a certificate created by a public certificate authority… this did solve the “trust” issue… but created other errors because the certificate did not have a wildcard DNS… nor did it use SAN… which are needed for the golang reverse proxy to work
Unfortunately… the free “certificate authorities” do not allow you to have wildcard DNS names or SANs very easily… and its not something I was able to setup with my current providers
I could use another register to create a certificate with a wildcard DNS and SAN but its a bit more than I was wanting to pay… as it’s only for a one time use purpose.
So… to do a bit more testing… I sourced the root certificate and key from the Ziti controller… thinking this was going to solve my problem… because it would allow me to create a server certificate that should be trusted by the controller.
this did not work
I failed big time after a lot of effort to set this up… because it stopped the server from starting up.
you cannot do this
The problem is… when you start a server over TLS… it will use the certificate and key to validate the origin of the server… so its going to go looking for that public certificate authority… but it cannot find it…
this is similar to the error you get when you open up a web page that secured with a self signed certificate…
What confused me a lot … was that the server can start with a self signed certificate authority… because… it is the certificate authority
however… when you visit your website over a browser… it does not recognised the certificate authority
this one difference is something stamped on my forehead now
Hence, when you use a server certificate created from the ziti controller certificate authority…it cannot find the ziti controller self signed certificate authority … causing the server to fail to start.
what is the error message you get back
All you observe is… sorry… the server did not start… it does not provide any explanation as to why…other than… a cryptic reference to your certificate key with no explanation as to why
So I am now back to the starting point… of using a self signed certificate authority in the format that I need
openssl req -new -sha256 -key server.key -out server.csr -subj “/CN=.markamind.online"
I then need to verify this certificate authority in Ziti by creating a client certificate with the validation key…
Once this is done… I then need to create a new server identity for the reverse proxy that is created with the “trusted” certificate authority.
there are two specific problems that I am having with this.
#1. I cannot download the certificate authority JWT file to create auto enrolled identities
#2. I can create identities with the verified self signed certificate authority… but I cannot download the identity JWT file to enrol it.
These two specific points are where I am stuck
This was why I started to look around … to see if there was any reference point that I can learn from…
I look forward to your response… and keen to test it… as if I can work through to the point of creating an enrolled identity from a verified self signed certificate authority… it will be a massive milestone… and time for a small (large) celebration
Hopefully… my experience can help others also going through this experience… its a whole new world outside AppDev… that I never fully appreciated… but now I certainly do… its a minefield … :