Expired certs renewed using same keys are giving TLS errors

Hello there! Long time no see (posting)…

So I have my OpenZiti PKI set up manually as per my guide here: GitHub - nenkoru/openziti_manual_pki: Bootstrap PKI for OpenZiti manually

And today the certs have expired :smiling_face_with_tear:.

I have recreated the certs using the old keys, but I can’t connect to the edge API from the edge client on macOS. Nor can the edge routers connect to the controller API.

I have recreated all CAs and end certs using the private keys that were originally used to generate them. Is there something I missed?


(25989)[2026-04-03T16:01:02.109Z]   DEBUG ziti-sdk:ziti_ctrl.c:982 ctrl_paging_req() ctrl[https://ziti.nenkoru.com:1280] starting paging request GET[/external-jwt-signers]
(25989)[2026-04-03T16:01:02.109Z] VERBOSE ziti-sdk:ziti_ctrl.c:987 ctrl_paging_req() ctrl[https://ziti.nenkoru.com:1280] requesting /external-jwt-signers?limit=25&offset=0
(25989)[2026-04-03T16:01:02.109Z]   DEBUG ziti-sdk:ziti_ctrl.c:147 start_request() ctrl[https://ziti.nenkoru.com:1280] starting GET[/external-jwt-signers?limit=25&offset=0]
(25989)[2026-04-03T16:01:02.109Z]   DEBUG ziti-sdk:ziti_ctrl.c:147 start_request() ctrl[https://ziti.nenkoru.com:1280] starting GET[/version]
(25989)[2026-04-03T16:01:02.109Z] VERBOSE tlsuv:http.c:632 http[ziti.nenkoru.com:1280](0x14b09a4d0): starting request[/external-jwt-signers?limit=25&offset=0]
(25989)[2026-04-03T16:01:02.109Z] VERBOSE tlsuv:http.c:650 http[ziti.nenkoru.com:1280](0x14b09a4d0): client not connected, starting connect sequence timeout[15000]
(25989)[2026-04-03T16:01:02.109Z] VERBOSE tlsuv:http.c:660 http[ziti.nenkoru.com:1280](0x14b09a4d0): staring connect
(25989)[2026-04-03T16:01:02.213Z]   DEBUG tlsuv:http.c:375 http[ziti.nenkoru.com:1280](0x14b09a4d0): tr_connect_cb sock[16] status = 0
(25989)[2026-04-03T16:01:02.213Z] VERBOSE tlsuv:http.c:391 http[ziti.nenkoru.com:1280](0x14b09a4d0): starting TLS handshake
(25989)[2026-04-03T16:01:02.320Z] VERBOSE tlsuv:tlsuv.c:476 tls[ziti.nenkoru.com@0x149e23020]processing connect: events=1 status=0
(25989)[2026-04-03T16:01:02.320Z]    WARN tlsuv:engine.c:869 0030FE6C01000000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:../src/nssl-3.6.1-c0028aa207.clean/ssl/statem/statem_clnt.c:2126:

(25989)[2026-04-03T16:01:02.320Z]   ERROR tlsuv:engine.c:900 openssl: handshake was terminated: SSL routines
(25989)[2026-04-03T16:01:02.320Z]   ERROR tlsuv:tlsuv.c:294 tls[ziti.nenkoru.com@0x149e23020]TLS handshake failed: certificate verify failed
(25989)[2026-04-03T16:01:02.320Z]   ERROR tlsuv:http.c:340 http[ziti.nenkoru.com:1280](0x14b09a4d0): handshake failed on TLS stream[0x149e23020]: software caused connection abort
(25989)[2026-04-03T16:01:02.320Z] VERBOSE tlsuv:tlsuv.c:182 tls[ziti.nenkoru.com@0x149e23020]closing stream
(25989)[2026-04-03T16:01:02.320Z]    WARN tlsuv:engine.c:1014 openssl shutdown[1]: A000197/SSL routines
(25989)[2026-04-03T16:01:02.320Z]    WARN ziti-sdk:ziti_ctrl.c:179 ctrl_resp_cb() ctrl[https://ziti.nenkoru.com:1280] request[/external-jwt-signers?limit=25&offset=0] failed: -53(software caused connection abort)
(25989)[2026-04-03T16:01:02.320Z]    WARN ziti-sdk:ziti.c:645 ext_jwt_singers_cb() ztx[2] failed to get external auth providers: software caused connection abort
(25989)[2026-04-03T16:01:02.320Z]    WARN ziti-sdk:ziti_ctrl.c:179 ctrl_resp_cb() ctrl[https://ziti.nenkoru.com:1280] request[/version] failed: -53(software caused connection abort)
(25989)[2026-04-03T16:01:02.320Z]    INFO ziti-sdk:ziti_ctrl.c:182 ctrl_resp_cb() ctrl[https://ziti.nenkoru.com:1280] attempting to switch endpoint
(25989)[2026-04-03T16:01:02.320Z]    WARN ziti-sdk:ziti_ctrl.c:582 ctrl_next_ep() ctrl[https://ziti.nenkoru.com:1280] no controllers are online
(25989)[2026-04-03T16:01:02.320Z]    WARN ziti-sdk:ziti_ctrl.c:338 internal_version_cb() ctrl[https://ziti.nenkoru.com:1280] CONTROLLER_UNAVAILABLE(software caused connection abort)
(25989)[2026-04-03T16:01:02.320Z]    WARN ziti-sdk:ziti.c:2151 version_pre_auth_cb() ztx[2] failed to get controller version: CONTROLLER_UNAVAILABLE/software caused connection abort
(25989)[2026-04-03T16:01:02.320Z] VERBOSE tlsuv:tlsuv.c:144 tls[ziti.nenkoru.com@0x149e23020]internal close

The endpoints ziti.nenkoru.com:1280 and ziti.nenkoru.com:6262, both pointing to the current controller, are active and publicly accessible. Both have newly renewed certs using the old keys.

It seems that I have to update the CAs on all the edge devices, within the enrolled identity files. Is that correct?

If so, how is one supposed to renew CAs in the future so as not to have to manually update all the edge devices with renewed CAs once they have expired?

And does OpenZiti expect CAs to be valid forever?

I tried to patch the identity JSON on my laptop to embed the new CAs; it didn’t work. I’m going to re-enroll every device manually. I desperately need a way to auto re-enroll devices; perhaps I’ll make a small public service that would verify previous identities and create a new enrollment.

But yeah, I need an answer to the question of what to do with expired CAs in the future: Sign ICA, Edge ICA, Network components ICA (as per my guide). Do they essentially have to be created with a lifetime expiration or not?

I got almost everything up and running, but had to re-enroll every identity that hosts services. Tomorrow I will go through the painful process of re-enrolling every edge device that uses the network.

Hi @nenkoru, I would not have expected you to have to re-enroll your devices. Did you generate the CAs to be valid for only 1 year? Is that where things went wrong? Your CAs should last longer than your server certs. By default, OpenZiti uses a 10-year lifetime for CAs. When the time comes to roll your CA out, you would need to update the CA bundle that the controller has before your CAs/server certs expire. I believe the controller will notice this and inform the edge clients to pull the new bundle, which they will do. It'll be important to have those CAs containing the new CA root so that when you switch it over, it'll be at the edge clients already.

That's my guess as to why you are needed to re-enroll. :frowning:
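The "certificate verify failed" in the log above can be reproduced against a constructed three-tier PKI (root, intermediate, server cert, all with the 600-day lifetimes the guide uses) to show why renewing with the old keys alone does not help. This is an added example, not code from OpenZiti or from the guide: VerifyController stands in for the SDK's TLS check, and the PEM bundle passed to it stands in for the CA set an enrolled identity carries (the assumption is that this embedded bundle, not the system store, is what the client trusts). The host name and CA names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Template builds a certificate template valid for `days` starting at `from`:
// CA templates get cert-sign key usage, server templates a DNS SAN and serverAuth.
func Template(cn string, from time.Time, days int, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    from,
		NotAfter:     from.AddDate(0, 0, days),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// Issue signs tmpl for key with parent/parentKey; a nil parent means self-signed.
// Passing an existing key with a fresh template is the "renew with the old key" step.
func Issue(tmpl *x509.Certificate, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return c
}

// NewKey returns a fresh P-256 key; the renewals below reuse these keys.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// PEMBundle encodes CAs the way an enrolled identity carries its trusted set (assumed).
func PEMBundle(cas ...*x509.Certificate) string {
	var b strings.Builder
	for _, c := range cas {
		_ = pem.Encode(&b, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	return b.String()
}

// VerifyController does what the client's TLS check does on connect: the chain the
// controller presents (leaf first) must validate at `now` against only the bundled CAs.
func VerifyController(bundlePEM, host string, presented []*x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM([]byte(bundlePEM)) {
		return fmt.Errorf("bundle carries no parseable CA certificates")
	}
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter, CurrentTime: now})
	return err
}

func main() {
	t0, host := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), "ziti.example.test" // constructed
	rootKey, icaKey, srvKey := NewKey(), NewKey(), NewKey()
	root := Issue(Template("Root CA", t0, 600, true), rootKey, nil, nil)
	ica := Issue(Template("Edge ICA", t0, 600, true), icaKey, root, rootKey)
	srv := Issue(Template(host, t0, 600, false), srvKey, ica, icaKey)
	bundle := PEMBundle(root, ica) // what the enrolled devices still hold
	t1 := t0.AddDate(0, 0, 599)    // renew everything with the same keys, one day before expiry
	newRoot := Issue(Template("Root CA", t1, 600, true), rootKey, nil, nil)
	newIca := Issue(Template("Edge ICA", t1, 600, true), icaKey, newRoot, rootKey)
	newSrv := Issue(Template(host, t1, 600, false), srvKey, newIca, icaKey)
	day700 := t0.AddDate(0, 0, 700)
	fmt.Println("day 300, original chain, original bundle:", VerifyController(bundle, host, []*x509.Certificate{srv, ica}, t0.AddDate(0, 0, 300)))
	fmt.Println("day 700, renewed chain, original bundle: ", VerifyController(bundle, host, []*x509.Certificate{newSrv, newIca}, day700))
	fmt.Println("day 700, renewed chain, renewed bundle:  ", VerifyController(PEMBundle(newRoot, newIca), host, []*x509.Certificate{newSrv, newIca}, day700))
}
```

Run it with `go run`. The second line fails with an expiry error even though the renewed server cert and intermediate are signed by the very same keys: the verifier walks the chain up to the root it already trusts, and that root, in the stale bundle, has expired. The third line passes only once the bundle itself carries the renewed CAs, which is why the bundle has to reach the clients before the old CAs run out.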

Well, I noticed the expiration (essentially a non-working ziti network) after the fact, once the certs had expired. And as I was generating ‘end_certs’ right after the intermediate CAs, they basically expired at the same time. I haven’t yet tested the case where I renew the certs before the expiration, but I will definitely do so this weekend.

But yeah, re-enrolling edge devices was a pain in the ass =) Glad I just had a few dozen, not hundreds.

600 days as per my guide; the same goes for ‘end_certs’.