Smallstep and/or Google cert manager

Has anyone tried using smallstep’s free devops CA for ziti?
I am setting up a demo in my lab and would like to first try smallstep, but eventually I would like to set up Google cert manager with the idea of using Google IdP for SSO, or FreeIPA.

thanks

I don’t know if anyone has this yet, but for the PKI itself that OpenZiti uses for the overlay network itself (here, I mean almost exclusively routers), OpenZiti really should manage its own PKI. I wouldn’t encourage you to try to change how that works.

For end users, services/people running a Ziti Desktop Edge for Mac/Windows/Linux (ziti-edge-tunnel), and for applications, you can “bring your own CA” like this, sure. Also, you can add “alternative server certs” to the controller and reconfigure ZAC to use alternative certs if you wish. That way the controller’s API presents a cert that is widely considered ‘trusted’, but you can (and should) still leave the OpenZiti PKI behind for OpenZiti to manage.

Third-party CA is probably the term you couldn’t find, if you are asking about client-side/edge-side certs. You can read up on that here: Public Key Infrastructure (PKI) | OpenZiti. With OpenZiti, you do not need to trust even the overlay network. Your clients will negotiate truly end-to-end encrypted connections, and with an external CA you don’t need to let OpenZiti manage/distribute those.

Hope that helps