Hi everyone,
I'm still working on getting my setup HA ready and in this context I came across a question:
With multiple controllers using different intermediate CAs (for signing) (that's what's presented in the docs on GitHub), I could not get inter-router communication to work. The routers could not recognize their counterpart's certificates. This might be solved by initially pointing the routers to the same controller, but I did not test that yet and I fear that things might fail a little bit down the road.
Another option would be to let all controllers use the same intermediate CA, but I have the feeling that this is a bad idea. Will the CRLs be synced between the controllers?
In general, what is a recommendable structure of a PKI in case I want to have sets of a controller and an edge-router on two distinct networks?
Thanks in advance!
In any PKI, verification is done to a trust anchor, commonly the root CA. When multiple intermediates are present in an environment, it is standard practice for every client and server to present a chain of certificates instead of just one. The format is order-specific: the client/server leaf certificate first, followed by supporting intermediates.
Each component trusts the root CA, and when a client or server verifies a presented chain, it must verify to that root.
Another option would be to let all controllers use the same intermediate CA, but I have the feeling that this is a bad idea.
You shouldn't have to use the same intermediate. If each component properly presents its chain (clients and servers), it will validate back to the root CA.
Will the CRLs be synced between the controllers?
Controllers share/distribute/synchronize a data model, including identity/authentication information. So they all know about the same identities, routers, etc.
In general, what is a recommendable structure of a PKI in case I want to have sets of a controller and an edge-router on two distinct networks?
Do you mean two OpenZiti networks or two different underlay networks (i.e. the internet and an internal network, or two cloud networks, etc.)?
Thanks Andrew, that made it clearer for me.
I was trying to set up an HA cluster. I wanted to have one controller and one router in my home network and another set on my cloud VPS.
What I don't really understand is the configuration of the controllers regarding the certificates. From your response I understand that the certificate files should contain the entire chain, but not the root CA (server certificate + intermediate certificates). The CA would be in a separate file referenced by the "ca" config item below "identity".
I'm a little bit confused when to use "server_cert" and when "cert".
The "cert" field is used to fulfill any request for a client certificate. The "server_cert" field is only used to fill requests for server certificates. If "server_cert" isn't defined, "cert" will be assumed to have a certificate that is both a client cert and a server cert.
The only difference between client certs and server certs is their X509 Key Usages, X509 Extended Key Usages, and SANs.
Client Certs
- Usages
- Extended Key Usages
- SANs
  - None required unless defined by the application using the certificate
Server Certs
- Usages
  - Digital Signature
  - Key Encipherment
- Extended Key Usages
- SANs
It is possible to make one certificate both a server cert and a client cert simply by fulfilling all the usages, extended key usages, and SANs, in which case you would only need the "cert" field. It is, however, an uncommon practice. Most people issue a separate server and client certificate.
Background Context:
The format of "identity" configurations is an OpenZiti concept that spans all components. Controllers and routers use it within configuration files. SDKs usually use it inside of their own SDK configuration files as well. Within OpenZiti an identity configuration section may be used to define something that is a client, or a server and a client. SDKs are usually client only; routers are servers to SDKs and other routers, and clients to other routers, depending on the direction of the link establishment. Controllers are servers to routers and SDKs, and also clients and servers to other controllers.
Word salad because describing directed graphs is hard.
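The two answers above make two separable claims: a peer that trusts only the root will accept a leaf signed by any intermediate under that root as long as the leaf is presented together with its intermediate, and a client cert and a server cert differ only in Key Usage, Extended Key Usage and SANs. The following Go program is an added example (not code from the thread or from the OpenZiti project) that builds a throwaway hierarchy mirroring the poster's setup, one root and one intermediate per controller, issues a server cert under one intermediate and a client cert under the other, and checks both claims with the standard library verifier. All names ("root-ca", "controller-a-int", "router-a.example.test", and so on) are assumptions made for the example. In terms of the config fields discussed above, the root certificate plays the role of the file referenced by "ca", and leaf plus intermediate is what the file behind "cert" or "server_cert" would contain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and has parent sign template for it. A nil
// parent yields a self-signed certificate (the root, i.e. the "ca" file).
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template builds a leaf or CA template; ca adds the CA basic constraint and
// the certificate-signing key usage that an intermediate needs.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// verify is what a peer does: trust only root, accept whatever intermediates
// the other side presented, and require the EKU for the role being claimed.
// dnsName is checked only when non-empty (a TLS client checking a server).
func verify(leaf *x509.Certificate, presented []*x509.Certificate, root *x509.Certificate, eku x509.ExtKeyUsage, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// Check builds a constructed hierarchy (one root, one intermediate per
// controller, a server leaf under A and a client leaf under B; all names are
// assumed) and returns the verification outcome of each scenario (nil = accepted).
func Check() map[string]error {
	root, rootKey := issue(template("root-ca", 1, true), nil, nil)
	intA, intAKey := issue(template("controller-a-int", 2, true), root, rootKey)
	intB, intBKey := issue(template("controller-b-int", 3, true), root, rootKey)

	// Server cert: Digital Signature + Key Encipherment, serverAuth EKU, a SAN.
	st := template("router-a", 4, false)
	st.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	st.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	st.DNSNames = []string{"router-a.example.test"}
	server, _ := issue(st, intA, intAKey)

	// Client cert: Digital Signature, clientAuth EKU, no SAN required.
	ct := template("router-b", 5, false)
	ct.KeyUsage = x509.KeyUsageDigitalSignature
	ct.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	client, _ := issue(ct, intB, intBKey)

	chainA := []*x509.Certificate{intA}
	chainB := []*x509.Certificate{intB}
	return map[string]error{
		"server+intermediate, right name": verify(server, chainA, root, x509.ExtKeyUsageServerAuth, "router-a.example.test"),
		"server leaf only":                verify(server, nil, root, x509.ExtKeyUsageServerAuth, "router-a.example.test"),
		"server, name not in SAN":         verify(server, chainA, root, x509.ExtKeyUsageServerAuth, "other.example.test"),
		"client+other intermediate":       verify(client, chainB, root, x509.ExtKeyUsageClientAuth, ""),
		"client used as server":           verify(client, chainB, root, x509.ExtKeyUsageServerAuth, ""),
	}
}

func main() {
	for name, err := range Check() {
		fmt.Printf("%-34s -> %v\n", name, err)
	}
}
```

The "server leaf only" case is the situation the original poster hit: the leaf is perfectly valid, but a peer that only holds the root cannot build a chain unless the intermediate travels with the leaf, which is why the "cert" / "server_cert" file has to carry leaf followed by intermediates. The "client used as server" case shows the EKU split from the last answer: the same root, the same intermediate and a chain that builds fine are still rejected once the peer asks for serverAuth, so a single certificate used for both roles needs both EKUs (and the SANs) as described.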