How to enroll with a client certificate from another CA with ziti-edge-tunnel

I think this error means that I need to provide the CA certificate too, but the help doesn’t show how to do that. Is that the problem?

❯ ./ziti-edge-tunnel_0.17.16 help enroll
ziti-edge-tunnel_0.17.16 enroll: enroll Ziti identity
usage: ziti-edge-tunnel_0.17.16 enroll -j|--jwt <enrollment token> -i|--identity <identity> [-k|--key <private_key> [-c|--cert <certificate>]] [-n|--name <name>]

        -j|--jwt        enrollment token file
        -i|--identity   output identity file
        -k|--key        private key for enrollment
        -c|--cert       certificate for enrollment
        -n|--name       identity name

❯ ./ziti-edge-tunnel_0.17.16 enroll --cert ./ca/certs/kentestAA.cert --key ./ca/keys/kentestAA.key --jwt ~/Downloads/kentestCA.jwt --identity ./kentestAA.json --name "kentestAA custom name"
[        0.000]    INFO dk-c-src/library/ziti_enroll.c:94 ziti_enroll() Ziti C SDK version 0.26.4 @767abac(HEAD) starting enrollment at (2021-09-23T17:53:38.449)
[        0.000]   ERROR dk-c-src/library/ziti_enroll.c:126 ziti_enroll() dk-c-src/library/ziti_enroll.c:110 - check_cert_required(ecfg) => -9 (enrollment method requires certificate)
[        0.000]   ERROR programs/ziti-edge-tunnel/ziti-edge-tunnel.c:501 enroll_cb() enrollment failed: enroll failed(-9)

The 3p CA was already verified, and I used ziti pki create client to generate the keyfile and issue the client certificate used in this example.

❯ ziti edge list cas 'name="kentestCA"' -j  
{
    "data": [
        {
            "_links": {
                "jwt": {
                    "href": "./cas/mFQbLefA-/jwt"
                },
                "self": {
                    "href": "./cas/mFQbLefA-"
                }
            },
            "createdAt": "2021-09-23T17:37:39.308Z",
            "id": "mFQbLefA-",
            "tags": {},
            "updatedAt": "2021-09-23T17:39:32.770Z",
            "fingerprint": "ae91bb62bd95102d14a501a1972468f348aa840c",
            "identityNameFormat": "[caName]-[commonName]",
            "identityRoles": [
                "cyan_endpoints"
            ],
            "isAuthEnabled": true,
            "isAutoCaEnrollmentEnabled": true,
            "isOttCaEnrollmentEnabled": false,
            "isVerified": true,
            "name": "kentestCA",
            "verificationToken": "UFn-R.fAb"
        }
    ],
    "meta": {
        "filterableFields": [
            "id",
            "createdAt",
            "updatedAt",
            "isSystem",
            "name",
            "fingerprint",
            "isVerified",
            "verificationToken",
            "isAutoCaEnrollmentEnabled",
            "isOttCaEnrollmentEnabled",
            "isAuthEnabled"
        ],
        "pagination": {
            "limit": 10,
            "offset": 0,
            "totalCount": 1
        }
    }
}

Here is the CA’s re-usable JWT I was trying to use.
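
Added example, not part of the original post and not OpenZiti project code: a pre-flight check that compares a CA record like the one above with the claims of an enrollment token and lists mismatches before enroll is run. It assumes the token's "em" claim names the enrollment method ("ca" or "ottca"), that the record carries the CA certificate in "certPem", and that "fingerprint" is the SHA-1 of that certificate's DER bytes; the sample record and token are constructed.

```python
import base64
import hashlib
import json

# Assumed mapping from the token's "em" claim to the CA flag that must be true.
METHOD_FLAG = {"ca": "isAutoCaEnrollmentEnabled", "ottca": "isOttCaEnrollmentEnabled"}

def pem_fingerprint(cert_pem):
    """SHA-1 over the DER bytes of the first certificate in a PEM string."""
    body = cert_pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return hashlib.sha1(base64.b64decode("".join(body.split()))).hexdigest()

def jwt_claims(token):
    """Decode the claims segment for inspection only; the signature is NOT verified."""
    payload = token.strip().split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(ca, token):
    """Return a list of mismatches between a CA record and an enrollment token."""
    problems = []
    method = jwt_claims(token).get("em")
    flag = METHOD_FLAG.get(method)
    if flag is None:
        problems.append(f"token method {method!r} is not a CA enrollment method")
    elif not ca.get(flag):
        problems.append(f"token method {method!r} requires {flag}=true")
    if not ca.get("isVerified"):
        problems.append("CA is not verified")
    if "certPem" in ca and pem_fingerprint(ca["certPem"]) != ca.get("fingerprint"):
        problems.append("fingerprint does not match certPem")
    return problems

def make_token(method):
    """Constructed, unsigned sample token; the third segment is a placeholder."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"em": method}), "signature"])

# Constructed sample record: same flags as the output above, stand-in certificate bytes.
_DER = b"constructed bytes, not a real certificate"
SAMPLE_CA = {
    "name": "exampleCA", "isVerified": True,
    "isAutoCaEnrollmentEnabled": True, "isOttCaEnrollmentEnabled": False,
    "certPem": "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(_DER).decode()
               + "\n-----END CERTIFICATE-----\n",
    "fingerprint": hashlib.sha1(_DER).hexdigest(),
}
```

An empty list from preflight() means the token's method and the CA record agree, so a failure at enroll time has to be looked for elsewhere, for example in how the client certificate and key are passed to the tool.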