OpenZiti PKI distribution

Is there a guide somewhere on how best to integrate our own PKI into OpenZiti and reliably distribute the new certificates to all devices (including all existing clients)?
For example, also when renewing all certs after some time.

Hi @rookiejtc,

If you have an existing PKI and you want to integrate into it the best bet would probably be third-party CAs. You have to handle the distribution to clients. I would like to know why you'd want to do this though, is it for underlay-related reasons? (firewalls, dps, etc?) I'd like to understand what would make you want to do this just because it's often "extra work". But it should be doable.

If you allow the OpenZiti overlay to manage the PKI you still own and operate the PKI, it just allows the overlay to control the cert renewals etc. It's quite a bit easier because the overlay can do nearly all of it for you.

Hi. Thanks for your answer.
I am concerned about updating the clients' certificates anyway.
When using the openziti quickstart all certificates are good for one year.
I'm not sure how to renew all certificates, including the client certs.
Is there, for example, a complete how-to available on how to renew the existing PKI, including the client certificates? Many thanks in advance.

All the edge clients and routers will update their own cert without intervention. The only cert you should need to worry about rotating for a year is the server cert for the controller. For that I find the `ziti pki` command to be very helpful.

Here's an example command that shows you how to regenerate that server cert:

ziti pki create server --pki-root $ZITI_PKI \
  --ca-name $ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME \
  --key-file "$ZITI_CONTROLLER_HOSTNAME-server" \
  --ip 127.0.0.1,::1 \
  --dns localhost,mgmt,mgmt.ziti,mgmt-addressable-terminators,cdaws.controller,controller-cdaws,cdaws-controller,$ZITI_CONTROLLER_HOSTNAME \
  --server-file 2025c-added-zitidns-serve

If you're using the quickstart, those values would have been popped out into the .env file at $HOME/.ziti/quickstart/$(hostname)/$(hostname).env, so if you source that file, that command will "just work", but you should study it and see what it's doing if interested. Here I'm adding a bunch of different names to my server cert because I want a couple of extra names added to the cert's SANs.
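As an added example (not from the thread or the OpenZiti project), here is the same renewal wrapped in a script that sources the quickstart .env, runs the `ziti pki create server` command with the flags shown above, and then checks the new cert's SANs and validity with openssl before you point the controller at it. It assumes `ziti` and OpenSSL 1.1.1+ are on PATH and that `ziti pki` writes the cert to `<pki-root>/<ca-name>/certs/<server-file>.cert`; the `check` and `renew` subcommands are this script's own.

```shell
#!/bin/sh
# Added example: renew the OpenZiti controller server cert and verify it.
# Assumptions: quickstart .env layout, `ziti` and `openssl` (1.1.1+) on PATH,
# and ziti pki output at <pki-root>/<ca-name>/certs/<server-file>.cert.
set -eu

# Merge two comma-separated SAN lists, dropping duplicates but keeping order.
merge_sans() {
  printf '%s,%s' "$1" "$2" | tr ',' '\n' | awk 'NF && !seen[$0]++' \
    | tr '\n' ',' | sed 's/,$//'
}

# Succeed only if the PEM cert in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the cert's SANs one per line, e.g. "DNS:localhost" / "IP Address:127.0.0.1".
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr ',' '\n' | sed 's/^ *//'
}

# Regenerate the controller server cert. $1 = extra DNS names (comma-separated),
# $2 = output name for --server-file (defaults to a dated name).
renew_controller_cert() {
  env_file="$HOME/.ziti/quickstart/$(hostname)/$(hostname).env"
  . "$env_file"                        # loads ZITI_PKI, ZITI_CONTROLLER_HOSTNAME, ...
  dns=$(merge_sans "localhost,$ZITI_CONTROLLER_HOSTNAME" "${1:-}")
  out="${2:-$ZITI_CONTROLLER_HOSTNAME-server-$(date +%Y%m%d)}"
  ziti pki create server --pki-root "$ZITI_PKI" \
    --ca-name "$ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME" \
    --key-file "$ZITI_CONTROLLER_HOSTNAME-server" \
    --ip 127.0.0.1,::1 --dns "$dns" --server-file "$out"
  cert="$ZITI_PKI/$ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME/certs/$out.cert"
  sans=$(cert_sans "$cert")
  for name in $(printf '%s' "$dns" | tr ',' ' '); do   # every requested name must be a SAN
    printf '%s\n' "$sans" | grep -qx "DNS:$name" || { echo "missing SAN: $name" >&2; return 1; }
  done
  cert_valid_for_days "$cert" 30 || { echo "new cert is already near expiry" >&2; return 1; }
  echo "OK: $cert carries all requested SANs; point the controller config at it and restart."
}

# Usage: $0 check <cert.pem>   (how much life the current server cert has left)
#        $0 renew [extra-dns] [server-file-name]
case "${1:-}" in
  check) cert_valid_for_days "${2:?cert path required}" 30 && echo "valid 30+ days" || echo "renew soon" ;;
  renew) renew_controller_cert "${2:-}" "${3:-}" ;;
esac
```

Run `check` against the current server cert periodically (a cron job is enough) so the controller's rotation is scheduled rather than discovered after clients start failing TLS.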

Thank you very much for your reply. I will try that. Wishing you all a happy 2026.