OpenZiti Certificate Storage


I was wondering if it’s a good idea to store Ziti’s certificate (or 3rd party certs for Ziti) anywhere else than on the FS.

I’m thinking of some kind of secret manager, or etcd like database.

Does Ziti controller support these natively?


It’s certainly “a good idea”! :slight_smile: It just needs to be implemented. Windows has a few different mechanisms to support it (notably “Credential Manager”). It’s just one of those things that needs to be implemented and it’s just not done yet.


There are a few options discussed in this post.


Certificates are public information and storing them in a certificate store doesn’t provide any extra security. The bundles that software uses for CAs are somewhat of an attack vector if someone could add an extra root CA to trust and then proxy a controller. However, proxying the controller will cause issues with certificate authentication as the proxying server would also have to have the client certificate’s private key. Other authentication methods, JWT/updb, would be more susceptible. All of that assumes that an attacker has elevated privileges. If they have that, using any software-level store (file, OS, etc.) won’t provide additional protection.

Private keys are more interesting attack targets. Again, securing them in software doesn’t provide any extra security against an administrator-level attacker. Hardware-based private keys that require physical access/passcodes+self-destruct do. At the lower levels of Ziti’s identity code we do support hardware-backed keys. Using them requires technical knowledge and, depending on the hardware and the vendor support they provide, can be a struggle.

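The “extra root CA added to the trust bundle” case from the reply above, as an added example that is not from this thread or the OpenZiti project: a baseline check over a PEM CA bundle that flags any certificate whose SHA-256 fingerprint is not on an approved list, and any approved root that has gone missing. The bundle contents are constructed placeholder bytes standing in for DER certificates, and the baseline label is an assumption.

```python
import base64
import hashlib
import re
import textwrap
from typing import Dict, List

# Matches each CERTIFICATE block in a PEM bundle (public certs only, no keys).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def sha256_hex(der: bytes) -> str:
    """SHA-256 over DER bytes: the usual 'certificate fingerprint' value."""
    return hashlib.sha256(der).hexdigest()

def bundle_fingerprints(pem_text: str) -> List[str]:
    """Fingerprint every certificate in a PEM bundle, in file order."""
    fps = []
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()), validate=True)
        fps.append(sha256_hex(der))
    return fps

def audit_bundle(pem_text: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a bundle against an approved baseline {fingerprint: label}.
    'unexpected': present but not approved (the extra-root case);
    'missing': approved roots that were removed from the bundle."""
    present = bundle_fingerprints(pem_text)
    return {
        "unexpected": [fp for fp in present if fp not in baseline],
        "missing": [fp for fp in baseline if fp not in present],
    }

def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64 lines)."""
    body = textwrap.fill(base64.b64encode(der).decode(), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder bytes standing in for real DER
# certificates, so the example runs offline without any PKI material.
APPROVED_DER = b"constructed: approved root CA (not a real certificate)"
ROGUE_DER = b"constructed: injected root CA (not a real certificate)"
BASELINE = {sha256_hex(APPROVED_DER): "corp-root-ca"}  # label is assumed
CLEAN_BUNDLE = to_pem(APPROVED_DER)
TAMPERED_BUNDLE = CLEAN_BUNDLE + to_pem(ROGUE_DER)

if __name__ == "__main__":
    for name, bundle in (("clean", CLEAN_BUNDLE), ("tampered", TAMPERED_BUNDLE)):
        print(name, audit_bundle(bundle, BASELINE))
```

On a real host, read the bundle the controller or client actually trusts and keep the baseline fingerprints somewhere the checked machine cannot rewrite; a hit in `unexpected` is the signal worth alerting on.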