External jwt signer

Can I use an external JWT signer for edge router enrollment?

From my understanding it's a 3-step process: login, create and enroll.

ziti edge login mycontroller.com -u admin -p $PWD
ziti edge create edge-router myrouter -o enrollment_token.jwt
ziti-router enroll config.yaml --jwt enrollment_token.jwt

I would like to automate this process without having to use the admin credentials if possible. Please share any recommendations / best practices. TIA.

P.S. Love the documentation update. It's extremely helpful. :+1:

It cannot do that, but it is an interesting idea. I’d be interested to know the use case. If you can mint a JWT from one system and use it, what would be the difference in getting that JWT from Ziti?

The original implementation was aimed at endpoint users on desktop clients like Ziti Desktop Edge, upcoming browser client-less work, and the like. It was meant to allow those users to use external IdPs (like Google).

This is sort of a continuation of my question from the other post.

I get an identity from an internal CA; I can use that identity to request an OIDC access token from my CA. If I could use that for enrolling the router (where the controller verifies the token with my CA as the OIDC provider), I was thinking I could avoid doing “ziti edge login …” for router enrollment.

Removing the ziti edge login and exchanging it for signing a JWT means that either a private key is present on the system that can sign JWTs or there is access to some other system that can do the signing. The latter seems fine, but the former (signing key on the router) makes my security sensibilities tingle.

Oh no, you are absolutely right. JWT signing will happen on my internal CA. :slight_smile:

And the basis for requesting the JWT will be the identity assigned to that workload by the internal CA.
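The split described in the two posts above (the CA signs, the controller only verifies) comes down to which side holds which half of a key pair, plus the claim checks a relying party must do before trusting a token. The following added example, which is not code from the thread or from OpenZiti and makes no claim about how the Ziti controller's external JWT signer actually validates tokens, issues an RS256 JWT with a private key held by the "CA" side and verifies it with only the public key on the "controller" side. RSA is hand-rolled here (key generation, PKCS#1 v1.5 padding, modular exponentiation) purely so the block runs on the standard library; the issuer URL, audience and subject values are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets
import time

# Added example, not OpenZiti code. Textbook RSA is used so this runs with the
# standard library only; a production verifier uses a vetted JWT library and
# fetches the issuer's public keys (JWKS) rather than hard-coding them.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test, enough for an illustrative key pair."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_rsa_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)): the public half goes to the verifier, the
    private half never leaves the signing system (the internal CA here)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

# EMSA-PKCS1-v1_5 encoding with the SHA-256 DigestInfo prefix (RFC 8017, 9.2).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def issue_token(private_key, claims: dict) -> str:
    """CA side: sign header.payload with the private exponent."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    em = int.from_bytes(_emsa_pkcs1_v15(f"{header}.{payload}".encode(), k), "big")
    return f"{header}.{payload}.{_b64url(pow(em, d, n).to_bytes(k, 'big'))}"

def verify_token(token: str, public_key, issuer: str, audience: str, now=None) -> dict:
    """Verifier side: needs only (n, e). Returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    # Pin the algorithm; never let the token choose how it is verified.
    if json.loads(_b64url_decode(h_b64)).get("alg") != "RS256":
        raise ValueError("unexpected alg")
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    sig = _b64url_decode(s_b64)
    if len(sig) != k:
        raise ValueError("bad signature length")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k)
    if not secrets.compare_digest(recovered, expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    # Claim checks: the token must be from the trusted issuer, meant for this
    # verifier, still valid, and bound to a workload identity (sub).
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims

if __name__ == "__main__":
    # Constructed placeholder values, not from the thread.
    public, private = generate_rsa_keypair()
    tok = issue_token(private, {"iss": "https://ca.example.internal", "aud": "ziti-controller",
                                "sub": "router-01", "exp": int(time.time()) + 300})
    print(verify_token(tok, public, "https://ca.example.internal", "ziti-controller"))
```

The verifier pins the algorithm instead of reading it from the header, checks issuer and audience so a token minted for another relying party is rejected, and refuses expired tokens; the subject is what the enrolling side would map to the workload identity the CA assigned.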