Hi,
I have a question regarding certificate validity for Zrok identities.
I extracted my identity certificate:
jq -r '.id.cert' .zrok/identities/environment.json | sed 's/^pem://' | openssl x509 -noout -dates
notBefore=Jul 3 20:38:20 2025 GMT
notAfter=Jul 3 20:39:20 2026 GMT
Another one:
jq -r '.id.cert' .zrok/identities/environment.json | sed 's/^pem://' | openssl x509 -noout -dates
notBefore=Apr 29 20:01:06 2025 GMT
notAfter=Apr 29 20:02:06 2026 GMT
Public:
jq -r '.id.cert' .zrok/identities/public.json | sed 's/^pem://' | openssl x509 -noout -dates
notBefore=May 1 07:20:38 2025 GMT
notAfter=May 1 07:21:38 2026 GMT
Is there a supported way to extend the validity of an existing identity certificate?
Since some identities have accumulated a large number of services, each with complex Ziti policy rules, it has become impractical to create a new zrok environment (Ziti identity). This configuration has been built and refined gradually over the past year, and recreating it from scratch is not feasible.
zrok=> select z_id, permission_mode,reserved, created_at, share_mode from shares where environment_id=42 and deleted='f';
z_id | permission_mode | reserved | created_at | share_mode
------------------------+-----------------+----------+-------------------------------+------------
32hshgmBrKxqI1refSzW8I | open | t | 2025-05-01 12:16:51.443298+00 | public
1wCg4PxFt4gRHCTLEhAKyA | closed | t | 2025-11-16 12:10:37.453565+00 | public
3I7HwO3OW3fOwhdjJNwRUn | open | t | 2025-05-02 06:25:54.754335+00 | public
65dYWwLa5W8CaodzzOaXNW | open | t | 2025-11-18 05:51:05.225079+00 | private
4AWYCfUjcbw0Gqb9K6Wk76 | open | t | 2025-05-02 07:59:59.375519+00 | public
5tBbpLRxCvxtkUcgYEIgKW | open | t | 2026-03-15 09:37:14.386272+00 | private
1qckVqdrhmPI7JZoxNjQb2 | open | t | 2025-07-18 07:03:21.290531+00 | private
17pXhmLqsvzJz0vmOFkW8U | open | t | 2025-07-18 07:18:47.409427+00 | private
16Kl1zab8T9mFw559D2U4E | open | t | 2025-07-18 07:42:03.944003+00 | private
4TDIgoL24R7kDi6z3EQZCe | open | t | 2025-07-18 07:31:37.03129+00 | private
3xBIStjTE72ZT3UNxzsMFU | open | t | 2025-08-17 13:22:08.888521+00 | private
Aus1zAXp334UUd1QCtp8Y | open | t | 2025-08-19 11:41:16.040766+00 | private
(12 rows)
Most of these services are also shared by multiple identities. There is a very complex set of bind policies spanning different identities and routers, which makes rebuilding or duplicating the setup extremely challenging.
How do I re-enroll the identity?
ziti edge create enrollment ott public -o /tmp/public.jwt
ziti edge enroll --jwt /tmp/public.jwt --out ~/.zrok/identities/public.json
or
ziti edge create enrollment ott ziti_id -o /tmp/environment.jwt
ziti edge enroll --jwt /tmp/environment.jwt --out ~/.zrok/identities/environment.json
Best regards
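As an added example (not part of the original post, and not zrok or Ziti project code), the same notBefore/notAfter check the post performs with jq and openssl, done in stdlib-only Python so it can run on every file under ~/.zrok/identities/ from a monitoring job: it strips the "pem:" prefix zrok stores in `.id.cert`, walks the DER TBSCertificate to the Validity field and reports days until expiry. The `sample_identity_json` helper is a constructed stand-in for a real identity file (a minimal DER skeleton, not a signed certificate) and is an assumption added for the example.

```python
import base64
import json
from datetime import datetime, timezone

def der_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(seq):
    """Yield the TLVs directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = der_tlv(seq, pos)
        yield tag, val

def parse_time(tag, val):
    """UTCTime (0x17) uses YYMMDD, GeneralizedTime (0x18) uses YYYYMMDD."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(cert_field):
    """Return (notBefore, notAfter) from the 'pem:...' string in a zrok identity JSON."""
    pem = cert_field[4:] if cert_field.startswith("pem:") else cert_field
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, cert_body, _ = der_tlv(der, 0)       # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert_body, 0)       # TBSCertificate SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    return tuple(parse_time(t, v) for t, v in der_children(fields[3][1]))  # after serial, sigAlg, issuer

def days_remaining(identity_json_text, now_iso):
    """Days until the identity's certificate expires (negative once expired)."""
    _, not_after = cert_validity(json.loads(identity_json_text)["id"]["cert"])
    return (not_after - datetime.fromisoformat(now_iso)).days

def der(tag, body):                          # short-form length only (body < 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_identity_json(not_before, not_after):
    """Constructed stand-in for ~/.zrok/identities/*.json: minimal TBSCertificate, not a real cert."""
    validity = der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"") + validity)
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    pem = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"
    return json.dumps({"id": {"cert": "pem:" + pem}})
```

On a real file, `days_remaining(open(path).read(), datetime.now(timezone.utc).isoformat())` gives the figure to alert on well before the one-year notAfter shown in the openssl output above.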