Questions from a newbie about my planned setup

qrkourier · October 16, 2024, 1:56pm

Yes, adding an extra_hosts DNS record to your external Docker bridge should have the same effect as adding the alias to the network spec on the quickstart container named "openziti."

As for re-issuing the controller's server leaf with customized DN, you'll need these usage hints from the CLI:

❯ ziti pki create server --help
Creates new Server certificate (signed by previously created Intermediate-chain)

Usage:
  ziti pki create server [flags]

Aliases:
  server, s

Flags:
      --allow-overwrite        Allow overwrite existing certs
      --ca-name string         Name of Intermediate CA (within PKI_ROOT) to use to sign the new Server certificate (default "intermediate")
      --curve string           If set an EC private key is generated and -private-key-size is ignored, options: P224, P256, P384, P521
      --dns strings            DNS name(s) to add to Subject Alternate Name (SAN) for new Server certificate
      --expire-limit int       Expiration limit in days (default 365)
  -h, --help                   help for server
      --ip strings             IP addr(s) to add to Subject Alternate Name (SAN) for new Server certificate
      --key-file string        Name of file (under chosen CA) containing private key to use when generating Server certificate
      --max-path-len int       Intermediate maximum path length (default -1)
      --pki-root string        Directory in which PKI resides
      --private-key-size int   Size of the RSA private key, ignored if -curve is set (default 4096)
      --server-file string     Name of file (under chosen CA) in which to store new Server certificate and private key (default "server")
      --server-name string     Common Name (CN) to use for new Server certificate (default "NetFoundry Inc. Server")
      --spiffe-id string       Optionally provide the path portion of a SPIFFE id. The trust domain will be taken from the signing certificate.

Global Flags:
      --pki-country string               Country (default "US")
      --pki-locality string              Locality/Location (default "Charlotte")
      --pki-organization string          Organization (default "NetFoundry")
      --pki-organizational-unit string   Organization unit (default "ADV-DEV")
      --pki-province string              Province/State (default "NC")

e.g.,

compose exec openziti ziti pki create server \
--pki-root "/home/ziggy/quickstart/pki" \
--server-name "my server" \
--ca-name "intermediate-ca" \
--pki-country "dnC" \
--pki-province "dnS" \
--pki-locality "dnL" \
--pki-organization "dnO" \
--pki-organizational-unit "dnOU" \
--dns "localhost,controller.openziti.my.domain" \
--ip "127.0.0.1,::1" \
--allow-overwrite

where

openssl s_client -connect 127.0.0.1:1280 <>/dev/null \
|& openssl x509 -noout -subject

gets

subject=C = dnC, L = dnL, O = dnO, OU = dnOU, CN = my server

EDIT: updated to add -server-name "my server" to set CN

Topic		Replies	Views
ZAC ports confusion Ziti Administration Console	4	19	February 13, 2025
Quick Start Console Port Confusion Ziti Administration Console	2	62	September 2, 2024
Issue with ZAC - “Edge Controller is not online” Ziti Administration Console	1	22	December 11, 2024
ZAC User Manual or Tutorial	56	434	April 26, 2024
So I'm really trying to embrace OpenZiti Support	6	47	January 20, 2025

Questions from a newbie about my planned setup

Related topics