Hi,
I have an identity that I want to re-enroll using the same ZITI, without relying on a third-party CA.
By default, the certificate validity is set to one year.
Using the ZITI CLI, I need assistance with the following:
- How can I re-enroll the existing identity?
- How can I extend the certificate validity once it expires?
For reference, here is the current certificate's expiration date:
[opc@roshchou-ziticodetesting ziti]$ openssl x509 -enddate -noout -in 2.pem
notAfter=Jul 29 06:21:38 2025 GMT
Thank you.
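As an added example (not part of this thread or of OpenZiti itself), the following Python script turns the `openssl x509 -enddate` output shown above into an expiry report across several identity certificates. It parses the `notAfter=` line, computes the remaining validity against a reference time, and flags certificates that are expired or inside a warning window, which is the check an operator wants in place before turning on expiration enforcement in an auth policy. The sample lines other than `2.pem` and the identity file names are constructed for the example.

```python
"""Expiry report for identity certificates from `openssl x509 -enddate` output.

Added example for this thread; not part of OpenZiti. It parses the
`notAfter=...` line that `openssl x509 -enddate -noout -in <cert>` prints
and classifies each certificate against a warning threshold so that
re-enrollment can be scheduled before the certificate lapses.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: one `notAfter=` line per identity certificate, as
# printed by openssl. Only "2.pem" comes from the thread; the others and
# all file names are made up for this example.
SAMPLE_ENDDATES = {
    "2.pem": "notAfter=Jul 29 06:21:38 2025 GMT",
    "edge-router.pem": "notAfter=Jan 15 00:00:00 2024 GMT",
    "laptop.pem": "notAfter=Aug  3 12:00:00 2025 GMT",
}

# openssl prints times as e.g. "Jul 29 06:21:38 2025 GMT".
OPENSSL_TIME_FORMAT = "%b %d %H:%M:%S %Y %Z"


def parse_not_after(line):
    """Parse 'notAfter=Jul 29 06:21:38 2025 GMT' into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"unexpected openssl output: {line!r}")
    # openssl pads single-digit days with an extra space ("Aug  3");
    # collapse runs of whitespace so strptime sees a single separator.
    value = " ".join(value.split())
    return datetime.strptime(value, OPENSSL_TIME_FORMAT).replace(tzinfo=timezone.utc)


def classify(not_after, now, warn_days=30):
    """Return (state, whole_days_left) where state is expired/expiring/ok.

    whole_days_left is negative once the certificate has expired.
    """
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining <= timedelta(days=warn_days):
        return "expiring", remaining.days
    return "ok", remaining.days


def expiry_report(enddates, now, warn_days=30):
    """Map each certificate name to its (state, days_left) classification."""
    return {
        name: classify(parse_not_after(line), now, warn_days)
        for name, line in enddates.items()
    }


if __name__ == "__main__":
    # Reference time is fixed here so the output is reproducible; in
    # production use datetime.now(timezone.utc).
    reference = datetime(2025, 7, 1, tzinfo=timezone.utc)
    for name, (state, days) in expiry_report(SAMPLE_ENDDATES, reference).items():
        print(f"{name:18s} {state:9s} {days:5d} days")
```

In a real deployment the `notAfter=` lines would be collected by running `openssl x509 -enddate -noout -in <identity-cert>` over each identity's certificate file, and the "expiring" entries are the ones to re-enroll first once expiration checking is enforced.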
Hi @sadaram, welcome to the community and to OpenZiti!
Yes, it's true that identity is valid for a year by default. It's also true that the default policy will not enforce the expiration unless you alter the auth-policy (or make a new one).
I know we're doing work here at the moment for tunnelers, but I'm not sure there's a ziti CLI mechanism to re-enroll at this time.
Are you looking to change the default auth policy and enforce expiration validation or do you have another use case in mind for that cert?
Thanks for the update, @TheLumberjack.
I'd like to know how to determine the default authentication policy for an identity and how to modify it (want to update the expiry).
Additionally, I'm concerned about a potential security issue if the default auth-policy doesn't enforce identity expiration. It seems necessary to update the policies to ensure identity security.
The certificate provides the first level of authentication; the identity still has to be provisioned. The mTLS connection has no value on its own; it only allows the next step. If an identity is deprovisioned, it will not be allowed to attach to the service. So while I understand the concern, it is not the same level of risk as, say, an expired TLS certificate on a site, as that is likely to be accepted as evidence of authentication wholly. The policy is what it is by default to allow large distributed networks to not have to update all the certificates annually, which can be a tremendous amount of effort. Of course, you can accept that consequence for increased security if you wish. It is always a trade-off.