QuickStart Certificate Authority summary

I am working on some documentation to help understand the three PKIs that are used in the QuickStart example

The following is a high level summary. Does this make any sense?

Security overlay

Three different PKIs are used in the QuickStart example

  1. Control plane: Controller overall network PKI, used on port 6262
  2. Data plane: Controller REST API PKI, used on port 8441
  3. Signing PKI, used when enrolling identities into the network

note: because an Oracle compute does not have a private DNS name, I used the IP address… this is why the data plane has an IP naming convention… which would have otherwise been the private DNS name

Illustrative examples from the controller yaml file

Control plane certificate
cert: "…/pki/instance-20220416-1712-intermediate/certs/instance-20220416-1712-client.cert"
server_cert: "…/pki/instance-20220416-1712-intermediate/certs/instance-20220416-1712-2022-08-10_113108-server.chain.pem"
key: "…/pki/instance-20220416-1712-intermediate/keys/instance-20220416-1712-server.key"

Data plane certificate
ca: "…/pki/"
key: "/…/pki/"
server_cert: "…pki/"
cert: "…/pki/"

Signing certificate
cert: …/pki/instance-20220416-1712-signing-intermediate/certs/instance-20220416-1712-signing-intermediate.cert
key: …pki/instance-20220416-1712-signing-intermediate/keys/instance-20220416-1712-signing-intermediate.key

Illustrative examples from the public edge router yaml file

The following certificates are automatically created when you create a new public edge router, which is created from the controller PKI infrastructure.

cert: "…pki/routers/instance-20220416-1712-edge-router/client.cert"
server_cert: "/…/pki/routers/instance-20220416-1712-edge-router/server.cert"
key: "…pki/routers/instance-20220416-1712-edge-router/server.key"
ca: "…/pki/routers/instance-20220416-1712-edge-router/cas.cert"

Commands that you can use to explore the different endpoint certificates

controller REST API (Data plane certificate)
openssl s_client -connect -showcerts | openssl x509 -text

public edge router (Signing certificate)
openssl s_client -connect -showcerts | openssl x509 -text

controller edge (Control plane certificate)
openssl s_client -connect -showcerts | openssl x509 -text

fabric edge (Control plane certificate)
openssl s_client -connect -showcerts | openssl x509 -text

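The one-liners above pipe `s_client -showcerts` into a single `openssl x509 -text`, which decodes only the first PEM block (the leaf), so the intermediate that ties the endpoint back to one of the three PKIs never gets printed. The following shell helper is an added example, not part of the original post or of the OpenZiti quickstart scripts: it splits the `-showcerts` output into one file per certificate, prints subject and issuer for each, and verifies the leaf against a CA bundle such as the router's `cas.cert`. It assumes `openssl` is installed; `HOST`, `PORT`, `OUTDIR` and `<router-name>` are placeholders you set, and `$ZITI_PKI` is the root PKI path variable the quickstart establishes.

```shell
#!/bin/sh
# Added example, not from the OpenZiti project or the quickstart scripts.
# Assumes: openssl is installed; HOST and PORT are placeholders you set to a
# controller or router address from your own quickstart (e.g. the ports named
# in the summary above); OUTDIR is any scratch directory.

# Read "openssl s_client -showcerts" output on stdin, write each PEM block to
# $1/cert-N.pem in the order the server sent it (cert-1 is the leaf), and
# print the number of certificates found.  The plain "| openssl x509 -text"
# pipe only decodes the first block, so this is how you get at the intermediates.
split_chain() {
  outdir="$1"; n=0; inblock=0
  mkdir -p "$outdir"
  while IFS= read -r line; do
    case "$line" in
      "-----BEGIN CERTIFICATE-----")
        n=$((n + 1)); inblock=1
        printf '%s\n' "$line" > "$outdir/cert-$n.pem" ;;
      "-----END CERTIFICATE-----")
        printf '%s\n' "$line" >> "$outdir/cert-$n.pem"; inblock=0 ;;
      *)
        if [ "$inblock" -eq 1 ]; then
          printf '%s\n' "$line" >> "$outdir/cert-$n.pem"
        fi ;;
    esac
  done
  echo "$n"
}

# Print subject, issuer and validity for every split certificate, so you can
# read off which of the three PKIs (control plane, REST API, signing) issued it.
describe_chain() {
  for f in "$1"/cert-*.pem; do
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer -dates
  done
}

# Verify the leaf (cert-1) against a CA bundle such as the router's cas.cert,
# using the remaining blocks (cert-2 .. cert-9) as untrusted intermediates.
# Exit status is openssl's: 0 when the chain builds to a CA in the bundle.
verify_leaf() {
  dir="$1"; cabundle="$2"
  cat "$dir"/cert-[2-9]*.pem 2>/dev/null > "$dir/intermediates.pem" || true
  if [ -s "$dir/intermediates.pem" ]; then
    openssl verify -CAfile "$cabundle" -untrusted "$dir/intermediates.pem" "$dir/cert-1.pem"
  else
    openssl verify -CAfile "$cabundle" "$dir/cert-1.pem"
  fi
}

# Usage (needs network to a running quickstart; HOST/PORT/OUTDIR are placeholders):
#   openssl s_client -connect "$HOST:$PORT" -showcerts </dev/null 2>/dev/null \
#     | split_chain "$OUTDIR" && describe_chain "$OUTDIR"
#   verify_leaf "$OUTDIR" "$ZITI_PKI/routers/<router-name>/cas.cert"
```

Running `describe_chain` against the REST API port and then against the control-plane port makes the "three PKIs" point concrete: the two leaves carry different issuers, and `verify_leaf` against the router's `cas.cert` succeeds only for the PKI that bundle actually trusts.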

PS… what is the purpose of the spurious intermediate certificate in the signing PKI… I imagine that it's not used… and is an illustrative example… being spurious in nature 🙂


You’ve done an excellent job summing this up! This is very close to how I would have written it all up.

If this were a pull request to the doc site, I would only ask for cosmetic changes. I would reference $ZITI_PKI for the root pki path. That's a variable established and referenced by the quickstart. Along those lines, there are other variables used for replacement of the ip addresses in your examples.

In your ports summary you leave out 8441 from the signing CA. I understand why, but it's used to authenticate and for other controller related activity, so I would include it there and explain why/how it's used.

This is an excellent summary and very clearly presented and if you wanted to put a pull request up against the docs site (ziti-doc) I’ll get around to incorporating it after this week sometime!

The purpose was to simply illustrate arbitrarily deep trust roots and to illustrate that the ziti pki command can create certificate paths deeper than 1.


Thanks for the feedback… the summary is a part of a larger document that I have been drafting to support a production implementation. I will be sharing this shortly once I have made a few more amendments.

What is the best way to upload and share this with others?

It's more of a working document than a final version… and I am very happy for others to also make a contribution on how it can be further improved.

As it is, it’s clear and helpful. Sure it’s not complete but it doesn’t make me ask too many extra questions. It’s better than we have currently, so anytime you want to contribute it back to the project, I think it will be relatively easy to accept. Until then, tweak what you want and put a pr up when ready.
