I am using internal CA issued x509 certificates to do auto enrollment of identities and its working as expected.
I was able to define a “static” role attribute which gets applied to all identities on enrollment, but is it possible to apply dynamic attributes coming from the certificate e.g. CN of the identity?
TIA
@andrew.martinez will know this better than me. I’ll have to root around and find out. Give us a bit to answer this one. If I recall, the CN can be used to influence the name and “something” can be used to assign attribute automatically but I think that’s configured on the CA, not on the presented cert when connecting… And actually, I think these rules are all declared on the CA when making the 3rd party CA…
I know this is vague info - so let me root around or get andrew to reply 
Probably won’t be for a bit.
Sure, I am using the dynamic format for naming the auto enrolled identities but considering names have to be unique, ziti automatically adds auto incrementing sequence number as the suffix to the name.
So I am hoping if name can be derived from the incoming cert CN, attribute too. 
The CN can be used in the identityNameFormat on the 3rd Party CA to help define the name during enrollment.
For attributes, there is currently no dynamic way to assign them. We have talked about it as a feature, but no one has asked about it till now. Mapping them based on CN is one path. The other path uses a library I wrote for this called x509 Claims. It allows arbitrary claims to be stuffed into x509 SANs/CN.
The implementation I had in mind would allow the actual role attributes to be retrieved from x509 certificate from any number of fields. However, thinking about it, it might be useful to add a layer of abstraction that allows one to pull out claims that then can either map directly to attribute rules or sets of them.
Either way, this isn’t implemented now, but it is something we have had in the hopper as “something people might want.”
Thank you for the answer. I will create a Github issue for this. I believe this feature will be very helpful. The use case I am looking at, the lifespan of an enrolled identity is not very long, there are multiple endpoints (could be 100s) running with the same identity and there is a good amount of churn because of deployments.
Without the dynamic attributes, I will have to come up with some kind of automation to assign role attributes to identities after the enrollment.
Do you have any recommendations about how I should approach it?
Your “internal CA” is external to Ziti, correct?
It’s also possible to create the identity in Ziti with specific role attributes for use with your 3rd party CA that you have previously verified in the Ziti Controller.
This changes the enrollment procedure significantly because the enrollment token is a single use secret when the identity is created in advance, whereas the token is a reusable public value with auto-enrollment.