Does ZTNA avoid the need for public CA?

I am looking into services that build a certificate authority… where one response was that it unfortunately only provides private certificates.

This trigged something in my mind… from what I understand with a ZTNA configuration… you only need private CA… to facilitate end to end encryption over a public internet… as there is no public host required to facilitate the service

Is this correct?

In the context of Browzer… does this mean that you can host your web apps using private CA… though you would still need a public CA to host the ziti entry point?

I find this a very interesting proposition… as it will create a new reason to prefer private CA over a public CA…


This really is far too big of a topic for the OpenZiti Discourse. There’s just far too many twists and turns to be able to answer this succinctly and every answer will come back as “it depends”. I’m sorry, but I don’t know how to answer your question. :frowning:

In general, I would favor using a certificate from a public, trusted CA as much as possible, whenever possible. It will just make things “easier” since your root of trust will be from a well-known CA, making it so you don’t need to learn “all there is to know about PKI” but really, that’s what you should spend time on to understand this question.

1 Like

It has inspired me more to dig further into PKI… and understand all of the twists and turns.

For instance… the zitified ssh is a ZTAA configuration… that does not use a public CA

Hence… why I am very interested to understand the limitations… in contrast with the things you can do with a little effort… then a lot of effort… to understand where the trade offs are.

I will add this to my list of things to learn more about over the break :slight_smile:

Do you have any specific resources that I can read up on to get really deep into this topic?

Ok. With specific questions like this around zssh, I can give much better answers. :slight_smile: zssh, from my perspective would be ZTAA–>ZTHA. With ssh, this sort of “private PKI” is totally expected since it’s ssh. It’s much more rare to have a known CA behind that and totally orthogonal to much of OpenZiti as well since OpenZiti is providing the secure pipe, and now we’re discussing the protocol that rides OVER that secure pipe… Already, you can see this is getting complex.

Browzer involves browsers and HTTP and is very, very different. APIs are yet another avenue of exploration and private CA might be the best, it might be the worst all depending on your perspective. HTTP/HTTPS… that is the topic that’s just too broad to cover here.

For me, there’s just no substitue for learning by doing. I don’t have any resources for you to look into but I’d wager there’s a bajillion sites on the internet, videos to watch, etc. It’s a very big topic all on it’s own…

Good luck, you’ll be reading and watching a lot! :slight_smile:

1 Like

I found this resource which is filling in a few gaps

I found another one here… that links into a video re SPIFFE… which caught my attention.

The main thing I am seeing at a high level is the difference between encrypting data… and validating a user identity… which require separate key pairs.

Agree with @TheLumberjack here. If we remove the transport layer out of this (ie Ziti / VPN / Local network), you could use a private CA to generate the certificates for the service. However, whether you can use a private CA comes does to three questions:

a) If this likely to be accessed by the public, or a non-company device (could be over Ziti or not)?
If Yes, the a private CA is very unlikely to be used as the overhead of deploying the CA bundle is too hard (lots of friction)
If no, then a private CA could be possible - next question

b) Do you have an easy way of deploying the CA bundle of the private CA to every device that will interact with that service, and by that I mean SCCM, MDT, GPO, Intune, Ansible, Chef, Puppet, Insert product here and not by the user manually doing something?
NO - Then a private CA is too much overhead and will keep the helpdesk busy
YES - a Private might be an option, next question

c) Is the URL/DNS domain name also available in the public space, whether or not the service will be publicly available, ie you want the service to be called, and you have a public DNS zone called
NO - Public CA is a likely option here, or create a public DNS zone and proceed as YES
YES - Don’t use private CA, but instead use LetsEncrypt with DNS authentication. This way, the bot will (re)generate the certificates for you.

Private CAs do require work. If you are issuing only a few certs, it will not be worth it. Fun - but not worth it. I use private CAs in large companies where we issue certificates to the device and users for network authentication, access etc along with internal certificates, as it satisfies all the above questions.


A great summary… thanks for your insights… very valuable :slight_smile: