Third-party CA certificate management

"I would like to know the correct usage or application scenarios for identities created using third-party certificates in JWT format. I have watched the tutorial video (https://www.youtube.com/watch?v=USMim65c4ic) and successfully registered and used the JWT identity on a tunnel. Similarly, can I use this JWT identity on client software, such as Windows, macOS, iOS, or Android? I tried, but it seems they do not support OTTCA registration. Is this type of JWT identity primarily intended for client-side or server-side usage?"

The purpose of this question is that I want to fully explore this part of the functionality. :grinning:


hi @zhaojun1217,

The Ziti Desktop Edge for Windows should work. Whether it's client or server side is irrelevant; it just matters whether the tunneler will authenticate.

The mobile tunnelers don't support 3rd-party CAs at this time, but I believe it's on the plan to support it soon. I'm not sure if the Ziti Desktop Edge for Mac would work; I think it would, but I've not actually tried it myself yet. I know ziti-edge-tunnel would work, but I'm not 100% certain that the ZDEM would. I think @smilindave26 would probably know.

I'm not sure if the Ziti Desktop Edge for Mac would work

Not yet. We plan to add support for the Apple tunnelers (desktop and mobile). Tracking in issues "support enrolling identities that use 3rd party CA (OTTCA)" (openziti/ziti-sdk-swift, Issue #245) and "support enrolling identities that use 3rd party CA (OTTCA)" (openziti/ziti-tunnel-apple, Issue #184).


Thanks, maybe I didn't set up the environment on Windows correctly. I assume a CA JWT and a regular JWT should be used in the same way? Let me try again.

Thank you, I will keep an eye on it.

I still can't successfully enroll on Windows, it only shows "enroll failed."

[2024-09-13T07:30:48.705Z]  WARN ZitiDesktopEdge.ServiceClient.DataClient failed to enroll.  enrollment failed 

When using OTTCA enrollment, cert and key files should be required. With the tunnel, I can use the following command to enroll:

# OTTCA enrollment with the ziti CLI: the cert and key were issued by the
# third-party CA that is registered with the controller; the JWT binds them
# to the pre-created identity and the CA bundle verifies the controller.
ziti edge enroll \
  --jwt "${jwt_file}" \
  --cert "$ZITI_PKI/$ca_name/certs/${identity_name}.cert" \
  --key "$ZITI_PKI/$ca_name/keys/${identity_name}.key" \
  --idname "${identity_name}" \
  --ca "${identity_full_ca_path}" \
  --out "$ZITI_PKI/$ca_name/keys/${identity_name}.json"

Then I run ziti run -i xxx.json, but the Windows Edge client only allows adding a JWT file. Should I place the cert and key files in a specific location?

A regular JWT file can successfully enroll.

Ah. Yeah. "Works" vs. "good user experience" are two different things, and I should have been more clear. To use that identity on Windows you would:

  • enroll the identity using ziti-edge-tunnel generally found at C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\ziti-edge-tunnel.exe
  • move the identity to C:\Windows\System32\config\systemprofile\AppData\Roaming\NetFoundry
  • use the big button on the ui to stop / start the data service (or use net stop ziti/net start ziti)

That should work -- if not let us know. We are working on the ergonomics of this since it's not easy right now...
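Putting the two posts above together (the OTTCA enroll command from the earlier reply and the three Windows steps just listed) as one script. This is an added example, not code from the thread or from the OpenZiti project. It assumes: the third-party CA key and certificate are on the local disk and that CA is already registered and verified with the controller; an OTTCA enrollment JWT for the identity has already been downloaded; openssl.exe is on PATH; and the `--jwt/--identity/--cert/--key` flag names of `ziti-edge-tunnel enroll` (check `ziti-edge-tunnel enroll --help` on your version). The identity name, the C:\ziti paths and the 365-day validity are placeholders. The tunneler path, the NetFoundry service directory and the service name "ziti" come from the reply above. Run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): enroll a third-party-CA (OTTCA) identity on
# Windows with ziti-edge-tunnel.exe, verify the resulting identity JSON, hand it to
# the Ziti Desktop Edge data service and restart that service.
$ErrorActionPreference = 'Stop'

$IdentityName = 'win-laptop-01'                                                  # assumed
$Jwt          = "C:\ziti\$IdentityName.jwt"                                      # assumed: OTTCA JWT from the controller
$CaKey        = 'C:\ziti\ca\ca.key'                                              # assumed: third-party CA private key
$CaCert       = 'C:\ziti\ca\ca.cert'                                             # assumed: third-party CA certificate
$WorkDir      = "C:\ziti\$IdentityName"                                          # assumed scratch directory
$Tunneler     = 'C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\ziti-edge-tunnel.exe'   # from the thread
$ServiceDir   = 'C:\Windows\System32\config\systemprofile\AppData\Roaming\NetFoundry'           # from the thread
$ServiceName  = 'ziti'                                                           # from the thread (net stop ziti)

# Native commands do not throw on failure; check $LASTEXITCODE after each one.
function Invoke-Checked {
    param([string]$Exe, [string[]]$Args)
    & $Exe @Args
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Args -join ' ') exited with $LASTEXITCODE" }
}

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$Key  = Join-Path $WorkDir "$IdentityName.key"
$Csr  = Join-Path $WorkDir "$IdentityName.csr"
$Cert = Join-Path $WorkDir "$IdentityName.cert"
$Json = Join-Path $WorkDir "$IdentityName.json"

# 1. Client key and CSR, then a leaf certificate signed by the third-party CA.
#    The private key never leaves this machine; only the CSR goes to the CA.
Invoke-Checked 'openssl' @('ecparam', '-name', 'prime256v1', '-genkey', '-noout', '-out', $Key)
Invoke-Checked 'openssl' @('req', '-new', '-key', $Key, '-subj', "/CN=$IdentityName", '-out', $Csr)
Invoke-Checked 'openssl' @('x509', '-req', '-in', $Csr, '-CA', $CaCert, '-CAkey', $CaKey,
                            '-CAcreateserial', '-days', '365', '-out', $Cert)

# 2. Enroll with the tunneler that ships with Ziti Desktop Edge (step 1 of the reply).
#    The JWT ties this CA-signed cert to the pre-created identity on the controller.
Invoke-Checked $Tunneler @('enroll', '--jwt', $Jwt, '--identity', $Json, '--cert', $Cert, '--key', $Key)

# 3. Sanity-check the identity file before the service picks it up. A ziti identity
#    JSON carries the controller URL plus inline PEM material under "id"; the thread
#    confirms the cert and key end up embedded in the JSON.
$Identity = Get-Content -Path $Json -Raw | ConvertFrom-Json
foreach ($Field in 'cert', 'key', 'ca') {
    if (-not $Identity.id.$Field) { throw "identity JSON is missing id.$Field" }
}
if (-not $Identity.ztAPI) { throw 'identity JSON has no ztAPI (controller URL)' }

# 4. Move the identity where the data service reads it (step 2 of the reply).
#    The JSON now contains a private key: keep it out of user-writable locations,
#    and remove the loose key/CSR left in the scratch directory.
New-Item -ItemType Directory -Force -Path $ServiceDir | Out-Null
Move-Item -Path $Json -Destination (Join-Path $ServiceDir "$IdentityName.json") -Force
Remove-Item -Path $Key, $Csr -Force

# 5. Restart the data service (step 3 of the reply; same effect as net stop/start ziti).
Restart-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status
```

The `Invoke-Checked` wrapper matters more than it looks: without it a failed `openssl x509` signing step leaves a zero-byte `.cert`, and the enroll step would then fail with a much less obvious error than the one you would get from the CA. Step 3 is what distinguishes an OTTCA identity file from a regular one in practice: both end up as the same JSON shape, which is why the service can load it once it is in the NetFoundry directory.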

Thank you, it works perfectly now. It only requires placing the JSON file into the specified folder. The JSON file will contain the certificate and the key.
