I think we will need @andrew.martinez to weigh in here. He might have a different approach I’m not familar with and he might correct my current understanding.
What you want to do, 100% makes sense to me. You want to maintain the whole PKI from the start to finish, including the network itself. So yeah, what you’re saying is entirely reasonable to me… But, yes. The two enrollments are different.
I think the expectation is that the network is its own, independent thing. You bootstrap the network once with the controller config - and it then the network manages the PKI for itself from then on out. It’s certainly far easier to allow the network to maintain itself in this way, but I think it makes doing what you want to do impossible at this time.
Router enrollment will pull the ca bundle from the controller, and write it to the file location specified in the config… it will create a private key at the location specified, and it’ll overwrite the cert/server_cert fields. I’m certain we can change this behavior if we decide to and it’s not already supported. But right now that’s how it will work, unless I’m wrong – which maybe I am!
The endpoints were always designed with the end operator in mind. Supporting 3rd party CAs, auto enrollment etc was all accounted for. So though we allow you to bring your own PKI for endpoints, I don’t think we support it yet for routers.
So assuming what I am trying to do won’t work, can I still do the usual “ziti-router enroll” with JWT using my internal CA values for controller and having a generated signing CA as part of the controller setup?
OR I need the full PKI for ziti components and only use my internal CA for endpoints?
Yes exactly. During the ziti-router enroll process, the certificates that will be returned from the controller and written to the identity.cert and identity.server_cert (on the router) will have been signed by the certificate specified in the controller’s edge.enrollment.signingCert.cert which will require the key specified in edge.enrollment.signingCert.key.
That means you’ll need an actual private key/cert combo in that field. So, although I haven’t done this myself, I would expect that to work, yes.
You can absolutely use your own server_cert from your own PKI but the key would need to be on that box too Perhaps that’s ‘obvious’ but stating the facts I don’t know if the ‘cert’ field is ever actually used on the controller at this time. I don’t think it is.
Also can I use my internal CA provided cert and key as identity for ziti cli ( instead of default admin ) i.e. i would like to enroll myself with my own x509 cert from internal CA and use that identity to operate.
### login somehow - I use zitiLogin
zitiLogin
### use the output of ziti login to find your ziti-cli.json file and assign it
ziti_cli_json="/home/ubuntu/.ziti/quickstart/ip-172-31-42-64/ziti-cli.json"
### strip the session from that file
zt_session=$(jq -r .edgeIdentities.default.token $ziti_cli_json)
### get the id of the ca - replace __ca_name_here__
ca_id=$(ziti edge list cas 'name = "__ca_name_here__"' -j | jq -r .data[].id)
### set your edge_controller_uri properly - if you use the quickstart it's this
edge_controller_uri="https://${ZITI_EDGE_CTRL_ADVERTISED}"
### run the curl, pipe it to jq and get the result
curl -sk -H "Content-Type: application/json" \
-H "zt-session: ${zt_session}" \
"${edge_controller_uri}/edge/management/v1/cas/${ca_id}" \
| jq -r .data[].certPem
Yes? I am pretty sure you can - but I have to admit that I’ve never done it using the ziti cli yet. It’s been on my todo list to figure out - but haven’t gotten to. I’ll putter around in ziti cli for a bit and see if I can figure it out. If you don’t hear back from me - I’ll get back to you tomorrow
I don’t see a particular setting to supply the certificate to the ziti edge login function. I’ll ask the rest of the team and see if there’s a way to accomplish it.I might just not know better.
I’d like to turn that second question into a different post - this topic has kinda deviated pretty heavily from the original title. Also the person I wanted to talk to about that isn’t around today.
Oh it just helps it not get lost by people is all because the person I want to comment on the topic isn’t around. It should also help other newcomers find the question (hopefully) if they end up having it. The video though should help you with #1 (i hope). If not - let me know what bits are missing.
@av-dev - i posted this question. Can you see if it's inline with what you're looking to do? I think I caught the spirit of your question but if not - toss a comment on it correcting me if you don't mind?
I don’t know if the ‘cert’ field is ever actually used on the controller at this time. I don’t think it is.
I am pretty sure you can - but I have to admit that I’ve never done it using the