HA CA Expiration

Hi Again,

This time I've got a question about CA certificate expiration.

I'm using Controllers in HA mode, v1.5.4.

When the intermediate CA certificate or root CA is renewed, how does the ZET client configuration get updated with the new CA certificate bundle? Is there an automated process, or is it expected to be handled outside of Ziti?

ZET periodically requests a new bundle (via /.well-known/est/cacerts) and updates the id.ca section in the identity file.

You have to be careful when rolling the CA root certificate (keeping the old one in the bundle for a while should work fine).

Thanks @ekoby.

Are you able to tell me how often ZET periodically requests /.well-known/est/cacerts? I've just been testing the process for rolling certs with short cert lifetimes, so perhaps I've not waited long enough. Is it triggered in any other way?

Must the old intermediates also be kept in the CA bundle when they are rolled too?

If the intermediate expires and ZET fails to auth, is ZET still able to request an up-to-date bundle from /.well-known/est/cacerts?

You shouldn't need to have intermediates in the CA bundle (.well-known/est/cacerts). Instead, the Controller API and ER endpoints should present intermediates during the TLS handshake.
That way, if your intermediate expires you just need to reissue it along with the required leaf certs, and the SDK would connect fine.

The SDK downloads a new bundle every time an API session is acquired or refreshed.


Thanks @ekoby.

If the ZET client is turned off while the intermediate is renewed and expires, what happens?

Will the client's trust chain be broken because its client cert is signed by the expired intermediate, and will it therefore be unable to auth?

How would the client recover? Manual re-enrolment?
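The two situations discussed in this thread (the roots living in the id.ca bundle while intermediates are presented in the TLS handshake, and a client cert whose issuing intermediate expires while the leaf itself is still within its validity period) can be reproduced offline with Go's standard crypto/x509 package. The following is an added example written for this thread, not ZET or OpenZiti code: the CA names, serial numbers, validity periods, the `issue`/`buildScenario`/`reissueIntermediate` helpers and the constructed clock `t0` are all assumptions, and the root pool and intermediate pool merely stand in for the id.ca section and for what a controller or edge router presents in TLS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Constructed reference clock for the scenario (a real client uses wall-clock time).
var t0 = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

// issue creates a certificate signed by parent/parentKey; parent == nil means self-signed.
// It returns the parsed certificate, its PEM encoding and the freshly generated private key.
func issue(cn string, serial int64, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: t0, NotAfter: notAfter, BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key
}

// verifyClientAt verifies the identity's leaf cert at time `at`. rootsPEM plays the
// role of the id.ca section (the bundle fetched from /.well-known/est/cacerts);
// intermediatesPEM plays the role of the intermediates presented in the TLS handshake.
func verifyClientAt(leafPEM, intermediatesPEM, rootsPEM []byte, at time.Time) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootsPEM) {
		return fmt.Errorf("id.ca bundle contains no parsable certificate")
	}
	inters := x509.NewCertPool()
	inters.AppendCertsFromPEM(intermediatesPEM) // may be empty: then no chain can be built
	blk, _ := pem.Decode(leafPEM)
	if blk == nil {
		return fmt.Errorf("id.cert contains no PEM certificate")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// bundleExpiries maps each CA common name in an id.ca-style bundle to its NotAfter,
// which is the value to alert on well before a root is rolled.
func bundleExpiries(bundlePEM []byte) map[string]time.Time {
	out := map[string]time.Time{}
	for {
		var blk *pem.Block
		blk, bundlePEM = pem.Decode(bundlePEM)
		if blk == nil {
			return out
		}
		if c, err := x509.ParseCertificate(blk.Bytes); err == nil {
			out[c.Subject.CommonName] = c.NotAfter
		}
	}
}

// scenario is a constructed PKI: a 10-year root, a 30-day intermediate and a 1-year
// client cert issued by that intermediate, so the leaf outlives its own issuer.
type scenario struct {
	root                       *x509.Certificate
	rootKey                    *ecdsa.PrivateKey
	RootPEM, InterPEM, LeafPEM []byte
	InterExpiry                time.Time
}

func buildScenario() scenario {
	root, rootPEM, rootKey := issue("ziti-root", 1, t0.AddDate(10, 0, 0), true, nil, nil)
	interExp := t0.AddDate(0, 0, 30)
	inter, interPEM, interKey := issue("ziti-intermediate", 2, interExp, true, root, rootKey)
	_, leafPEM, _ := issue("zet-client", 3, t0.AddDate(1, 0, 0), false, inter, interKey)
	return scenario{root, rootKey, rootPEM, interPEM, leafPEM, interExp}
}

// reissueIntermediate rolls the intermediate under the same root with a fresh key and
// returns the verification results at `at` for the old leaf and for a newly issued leaf.
func reissueIntermediate(s scenario, at time.Time) (oldLeafErr, newLeafErr error) {
	inter, interPEM, interKey := issue("ziti-intermediate", 4, at.AddDate(0, 0, 30), true, s.root, s.rootKey)
	_, newLeafPEM, _ := issue("zet-client", 5, at.AddDate(1, 0, 0), false, inter, interKey)
	return verifyClientAt(s.LeafPEM, interPEM, s.RootPEM, at), verifyClientAt(newLeafPEM, interPEM, s.RootPEM, at)
}

func main() {
	s := buildScenario()
	fmt.Println("bundle expiries:", bundleExpiries(s.RootPEM))
	fmt.Println("day 1: ", verifyClientAt(s.LeafPEM, s.InterPEM, s.RootPEM, t0.AddDate(0, 0, 1)))
	fmt.Println("day 31:", verifyClientAt(s.LeafPEM, s.InterPEM, s.RootPEM, s.InterExpiry.AddDate(0, 0, 1)))
	oldErr, newErr := reissueIntermediate(s, s.InterExpiry.AddDate(0, 0, 1))
	fmt.Println("old leaf after reissue:", oldErr, "| new leaf after reissue:", newErr)
}
```

Run with `go run .`: the chain verifies on day 1, fails on day 31 even though the leaf itself is still valid, and fails on day 1 if no intermediate is supplied (which is why the bundle can omit intermediates only when the endpoints present them). The reissue step re-keys the intermediate, so the old leaf no longer chains and only a reissued leaf verifies; a client that was offline during the roll still holds that old leaf, which is the failure the last post asks about. The example shows the failure mode only; it does not model how ZET itself recovers from it.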