Ok. The video is below. The key is the name of the identity. It needed to follow the “[caName]-[commonName]” format or else it wouldn’t connect. Also the api paths were no longer valid. Good luck - hopefully this helps
Here is the full instruction set - it’s quite long and ‘dense’… [Edited - ZITI_PKI]
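# generate a new CA
# ZITI_PKI must point at the pki root (the :? expansion aborts with a message if it is unset)
ca_name="new_ca_$(date +"%H%M%S")"
ca_dir="${ZITI_PKI:?set ZITI_PKI to the pki root directory}/${ca_name}"
echo "New CA is named : ${ca_name}"
echo "New CA directory : ${ca_dir}"   # was ${new_ca_dir}, which is never assigned
# create the PKI using the CLI
ziti pki create ca \
  --pki-root="${ZITI_PKI}" \
  --ca-file "${ca_name}" \
  --ca-name "${ca_name}"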
------------------
# use ZAC and add the CA
# print the new CA's PEM so it can be pasted into ZAC
new_ca_cert="${ZITI_PKI}/${ca_name}/certs/${ca_name}.cert"
cat -- "${new_ca_cert}"
------------------
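# use your env file to get a zt_session header - used for curls below
# the login body is built with jq so a username/password containing quotes or
# backslashes is still valid JSON, and it is fed to curl on stdin (-d @-) so the
# password does not show up in `ps` output. -k skips certificate verification;
# drop it once the controller's CA is trusted by the host.
zt_session=$(jq -n --arg u "${ZITI_USER:?}" --arg p "${ZITI_PWD:?}" \
  '{username: $u, password: $p}' \
  | curl -sk -H "Content-Type: application/json" \
      "https://${ZITI_EDGE_CTRL_ADVERTISED}/authenticate?method=password" \
      -d @- \
  | jq -j .data.token)
export zt_session
# jq prints "null" when the login response has no token
if [[ -z "${zt_session}" || "${zt_session}" == "null" ]]; then
  echo "WARNING: no session token returned - check ZITI_USER/ZITI_PWD and the controller address" >&2
fi
# grab the id of the ca you just created - used below
# '.data[].id' would concatenate the ids of EVERY ca on the controller, so
# select the one we created by name (assumes it was added to ZAC as ${ca_name})
ca_id=$(curl -sk \
  -H "Content-Type: application/json" \
  -H "zt-session: ${zt_session}" \
  "https://${ZITI_EDGE_CTRL_ADVERTISED}/edge/management/v1/cas" \
  | jq -j --arg n "${ca_name}" '.data[] | select(.name == $n) | .id')
if [[ -z "${ca_id}" ]]; then
  echo "WARNING: no CA named ${ca_name} found on the controller" >&2
fi
echo "New CA resides at : ${ZITI_PKI}/${ca_name}/certs/${ca_name}.cert"
echo "New CA has id : ${ca_id}"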
------------------
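# Using ZAC - find the verification id. verify the CA cert...
# ZAC shows a verification id for the unverified CA; paste it below. The client
# cert generated here uses it as the common name and is what you upload to verify.
identity_to_verify="<copy verification id here>"
# warn if the placeholder above was never replaced
if [[ "${identity_to_verify}" == "<"* ]]; then
  echo "WARNING: set identity_to_verify to the verification id shown in ZAC" >&2
fi
ziti pki create client \
  --pki-root="${ZITI_PKI}" \
  --ca-name="${ca_name}" \
  --client-name="${identity_to_verify}" \
  --client-file="${identity_to_verify}"
echo "New client lives at : ${ZITI_PKI}/${ca_name}/certs/${identity_to_verify}.cert"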
------------------
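# set your identity name. this is VITAL you need to use the format of "[caName]-[commonName]"
# you can see when looking at the json that this is output:
# "identityNameFormat": "[caName]-[commonName]",
# this was my missing step. presenting a cert that doesn't match this pattern makes it fail to auth
# (the common name of the client cert below is the part after "${ca_name}-")
identity_name="${ca_name}-ca_id_$(date +"%H%M%S")"
echo "New Identity named: ${identity_name}"
ziti pki create client \
  --pki-root="${ZITI_PKI}" \
  --ca-name="${ca_name}" \
  --client-name="${identity_name}" \
  --client-file="${identity_name}"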
----------------
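# create a new identity - I couldn't find a 'ziti cli' nor 'ZAC' way of doing this. Needed to use the API
# request body built with jq so the name and ca id are JSON-escaped instead of
# spliced into a string literal; sent on stdin with -d @-
identity_id=$(jq -n --arg name "${identity_name}" --arg ca "${ca_id}" \
  '{name: $name, type: "User", isAdmin: false, enrollment: {ottca: $ca}}' \
  | curl -sk \
      -H "Content-Type: application/json" \
      -H "zt-session: ${zt_session}" \
      "https://${ZITI_EDGE_CTRL_ADVERTISED}/edge/management/v1/identities" \
      -d @- \
  | jq -j '.data.id')
# jq prints "null" when the create call was rejected (bad ca id, duplicate name, expired session)
if [[ -z "${identity_id}" || "${identity_id}" == "null" ]]; then
  echo "WARNING: identity create failed - no id returned" >&2
fi
jwt_file="${ZITI_PKI}/${identity_name}.jwt"
echo "Third Party OTT identity created. ID: ${identity_id}"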
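# get the jwt from the controller - used to enroll...
curl -sk -H "Content-Type: application/json" \
  -H "zt-session: ${zt_session}" \
  "https://${ZITI_EDGE_CTRL_ADVERTISED}/edge/management/v1/identities/${identity_id}" \
  | jq -j .data.enrollment.ottca.jwt > "${jwt_file}"
# an identity without an ottca enrollment yields the literal "null" - catch that before enrolling
if [[ "$(cat -- "${jwt_file}")" == "null" ]]; then
  echo "WARNING: ${jwt_file} holds no jwt - check the identity's enrollment" >&2
fi
echo "using jwt at ${jwt_file} to enroll"
# you need the CA bundle in order to enroll - this command grabs the ca bundle
# -f makes curl fail on an HTTP error instead of saving the error page as the bundle;
# -S still prints that error even with -s
ca_bundle_p7="${ZITI_PKI}/fetched-ca-certs.p7"
identity_full_ca_path="${ZITI_PKI}/fetched-ca-certs.pem"
curl -sSkf "https://${ZITI_EDGE_CTRL_ADVERTISED}/.well-known/est/cacerts" > "${ca_bundle_p7}"
# the EST endpoint returns base64-encoded DER PKCS#7; unwrap it to PEM certificates
openssl base64 -d -in "${ca_bundle_p7}" \
  | openssl pkcs7 -inform DER -outform PEM -print_certs -out "${identity_full_ca_path}"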
# actually enroll the identity
# the cert/key are the ones 'ziti pki create client' wrote for ${identity_name};
# the enrolled identity json lands next to the key
enroll_cert="${ZITI_PKI}/${ca_name}/certs/${identity_name}.cert"
enroll_key="${ZITI_PKI}/${ca_name}/keys/${identity_name}.key"
enroll_out="${ZITI_PKI}/${ca_name}/keys/${identity_name}.json"
ziti edge enroll \
  --jwt "${jwt_file}" \
  --cert "${enroll_cert}" \
  --key "${enroll_key}" \
  --idname "${identity_name}" \
  --ca "${identity_full_ca_path}" \
  --out "${enroll_out}"
# example service: host side forwards to eth0.me:80, intercept side catches eth0.discourse.ziti:80
ziti edge create config 'eth0.host.v1' host.v1 \
  '{"protocol":"tcp", "address":"eth0.me","port":80}'
ziti edge create config 'eth0.intercept.v1' intercept.v1 \
  '{"protocols":["tcp"],"addresses":["eth0.discourse.ziti"], "portRanges":[{"low":80, "high":80}]}'
ziti edge create service 'eth0' --configs 'eth0.intercept.v1','eth0.host.v1'
# the new identity may Bind (host) the service; identities tagged eth0.client may Dial it
ziti edge create service-policy 'eth0.binding' Bind \
  --service-roles '@eth0' --identity-roles "@${identity_name}"
ziti edge create service-policy 'eth0.dialing' Dial \
  --service-roles '@eth0' --identity-roles '@eth0.client'
# run the ziti-edge-tunnel with our newly provisioned identity
identity_json="${ZITI_PKI}/${ca_name}/keys/${identity_name}.json"
sudo ~/ziti-edge-tunnel run -i "${identity_json}"
# delete the 'eth0' services/configs if needed
for cfg in 'eth0.host.v1' 'eth0.intercept.v1'; do
  ziti edge delete config "${cfg}"
done
ziti edge delete service 'eth0'
for pol in 'eth0.binding' 'eth0.dialing'; do
  ziti edge delete service-policy "${pol}"
done