OpenZiti installation in a production-like environment

I did get auto-enrollment working with OpenZiti, where a certificate from a third-party CA (Windows) was used to auto-enroll the identity into OpenZiti. This worked as expected. However, getting there was a mission and not what I would say was repeatable or ready for production deployment.

I did have some questions on this thread: https://openziti.discourse.group/t/3rd-party-ca-problems-questions/592/7.

Basically it got too hard for a number of reasons, which I have put in GitHub issues to help reduce the friction: "Support for Windows certificate store" (openziti/desktop-edge-win issue #550) and "Natively import .pfx (PKCS #12) certificates" (openziti/desktop-edge-win issue #549).

I decided that I would just go with the built-in CA and let it handle the renewals etc. Sending someone a JWT token to enroll is far easier than:

a) Creating a cert for the user/machine (Windows CA) (because it cannot reach into the Windows cert store)
b) Having an OpenSSL binary somewhere to extract the .key and .crt files from it (GitHub enhancement to import directly), as the cert comes as a bundle
c) Downloading the separate ziti command package to get the identity installed, because ziti-edge-tunnel enroll does not work ("Unable to import identity through ziti-edge-tunnel", openziti/desktop-edge-win issue #548)
d) Then needing a check script for when the cert is expiring, so it can be replaced.

That was what I found.
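As an added example (not from the original post or the OpenZiti project), the two manual steps the post complains about, b) and d), done with the openssl CLI: splitting a PKCS #12 bundle into the separate .key and .crt files and checking how long the certificate remains valid. It assumes the openssl binary is on PATH and that the bundle exported from the Windows CA is a standard PKCS #12 file; the file names and the expiry threshold are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: split a .pfx bundle into the .key/.crt pair a tunneler
# expects, then test the certificate against an expiry threshold so a
# scheduled job can trigger replacement before the identity stops working.
set -euo pipefail

# split_pfx BUNDLE.pfx PASSWORD OUTDIR
# Writes OUTDIR/identity.key (unencrypted private key) and OUTDIR/identity.crt
# (the client certificate only, no CA chain).
split_pfx() {
  local pfx="$1" pass="$2" out="$3"
  mkdir -p "$out"
  umask 077   # private key must be readable by its owner only
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    -out "$out/identity.key"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    -out "$out/identity.crt"
}

# cert_valid_for_days CERT.crt DAYS
# Exit 0 if the certificate is still valid DAYS from now, 1 if it expires
# sooner (openssl -checkend returns non-zero in that case).
cert_valid_for_days() {
  local crt="$1" days="$2"
  openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null
}

# Typical cron usage: warn if the identity cert expires within 14 days.
check_identity() {
  local crt="$1"
  if cert_valid_for_days "$crt" 14; then
    echo "ok: $crt valid for at least 14 more days"
    return 0
  fi
  echo "renew: $crt expires within 14 days" >&2
  return 1
}
```

Run check_identity from a scheduled task; a non-zero exit is the signal to re-enroll or replace the certificate.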