Not in the controller, no, but in order to complete the 3rd party CA enrollment process and verify the 3rd party CA, you will need to be able to produce a certificate with the given verification token as the CN of the certificate, issued by your CA. Here’s a video that covers that topic and is short: “Using 3rd Party CAs with Ziti CLI, and ZAC” (YouTube). I just ran the commands from that video (found in the description), and when you use openssl to look at the cert it should look something like:
```
openssl x509 -in "$ZITI_PKI/${ca_name}/certs/${ca_name}.cert" -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4d:d6:af:ce:9b:2b:1a:33:75:7d:ec:31:4d:ea:93:c0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = new_ca_233932
        Validity
            Not Before: Aug 17 23:38:38 2022 GMT
            Not After : Aug 14 23:39:32 2032 GMT
        Subject: C = US, L = Charlotte, O = NetFoundry, OU = ADV-DEV, CN = KBm3LeaTr
```
Here you can see the CN was set to the ‘verification token’ and the ‘Issuer’ is my 3rd party CA I just created now.
The endpoints will still need a private key and public cert from the CA. Those are often in the form of pkcs12, often with a .p12 or .pfx file extension (top Google result for pkcs12). I expect that distribution is already handled/accounted for?