Hi there, I am attempting to set up a simple Java example using the Java Ziti SDK version 0.25.1 (as I need Java 8 support). I first generated my JWT from Zac and called Enroller.fromJWT(<jwtPath>).
Initially I was getting a CertificateException: No subject alternative DNS Name <hostname>.
I was able to solve this by setting up an alternate certificate with a trusted CA cert.
After doing that, I am now getting an InvalidKeyException: RSA verification keys must be RSAKey instances.
Any guidance on how to handle this error, and additionally on how to support self-signed certs for the DNS name?
Update: I have tested on Java 17 with the latest SDK and the above error still persists.
Hi @zHines, that's surprising to me. Would you have a small sample app that demonstrates the behavior I/we could try? That seems odd.
I think it'll help me/us to see what the code looks like. If you could put it on a GitHub repo -- just a small example, that'd really be helpful for us to give you the best advice. "Broadly" speaking, the OpenZiti controller serves a CA bundle from https://your.controller.url/.well-known/est/cacerts . This bundle is how OpenZiti bootstraps trust; it is pulled down into your identity during the act of enrollment and put into your .json file. You can find it in there. One option is to leverage that URL or that bundle from the identity if you need to make a secure connection to the controller (for example).
I think giving us a tiny program to try will help us help you best though. Hope that helps somewhat...
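As an added illustration of the option described in the reply above (not code from the ziti-sdk-jvm project): build a JVM trust store from the controller's CA bundle and use it for a direct HTTPS connection to the controller, leaving hostname verification enabled rather than disabling it for a self-signed cert. It assumes the bundle was saved to a file beforehand (from the EST URL above, or the CA PEM taken from the enrolled identity .json) and that the EST response is base64-encoded PKCS#7 as in RFC 7030; the class name and arguments are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ControllerTrust {

    /** Builds an SSLContext that trusts only the CAs in the given bundle (PEM or base64 PKCS#7). */
    static SSLContext fromCaBundle(byte[] bundle) throws Exception {
        String text = new String(bundle, StandardCharsets.US_ASCII).trim();
        // Assumption: /.well-known/est/cacerts returns base64 PKCS#7 without PEM armour (RFC 7030),
        // so decode it to DER; PEM input (e.g. the identity's CA field) is passed through as-is.
        byte[] der = text.startsWith("-----BEGIN") ? bundle : Base64.getMimeDecoder().decode(text);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty, in-memory trust store: no system CAs are mixed in
        int n = 0;
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(der))) {
            trustStore.setCertificateEntry("ziti-ca-" + n++, c);
        }
        if (n == 0) throw new IllegalArgumentException("no certificates found in CA bundle");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the saved CA bundle; args[1]: controller URL, e.g. https://your.controller.url
        SSLContext ctx = fromCaBundle(Files.readAllBytes(Paths.get(args[0])));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        // Only the socket factory is replaced; the default hostname verifier stays active, so the
        // controller's certificate must still carry a SAN matching the host in the URL.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("controller responded: HTTP " + conn.getResponseCode());
    }
}
```

If the controller's certificate lacks a subject alternative name for its hostname, the right fix is to issue a certificate that has one, since the hostname check is what ties the trusted CA to this particular server.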
Hi Client, The code is pretty close to the example in the ziti repo. Below is the very minimal example. Pasting the JWT from Zac in there will fail on the second line in either of the above cases, depending on my setup on the cloud side (DNS name if I haven't set up CA certs, RSA verification if I have).
```java
package com.thing.example;

import org.openziti.identity.Enroller;

import java.io.IOException;
import java.security.*;
import java.security.cert.CertificateException;

/**
 * Example class for enrolling into the Open Ziti Network.
 * Modified from <a href="https://github.com/openziti/ziti-sdk-jvm/blob/main/samples/ziti-enroller/src/main/kotlin/org/openziti/ZitiEnroller.kt">ZitiEnroller.kt</a>
 */
public class ZitExample
{
    public static void main(String[] args) throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException
    {
        // One-time enrollment token issued by the controller, copied from Zac
        String jwt = "<paste jwt from Zac here>";
        // TODO Below throws an exception on the DNS name of the cert or RSA verification key.
        Enroller enroller = Enroller.fromJWT(jwt);
    }
}
```