Totally custom, self-maintained PKI

This is a new question, born from @av-dev asking this question in a different thread.

Right now there doesn’t appear to be any way for me to fully bring my own PKI. I can for endpoints, but when it comes to the overlay network, it appears that OpenZiti wants to establish the PKI for itself. I’d like to be able to create the whole PKI on my own. Right now when enrolling a router, the act of enrolling that router will create a private key, pull the CA bundle from the controller, and write a client and server cert. That’s very friendly, but I’d like to be able to use my own PKI entirely and not have to deploy a sensitive private key out to the controller(s)/overlay for signing certificates at all.

Is that supported in OpenZiti?

The PKI that is used by Ziti’s controller can be any PKI you wish. The controller essentially acts as an intermediate/root CA. Where that CA certificate comes from doesn’t matter as long as the controller can provide the correct bundle to enrolling routers and endpoints. I think some of our startup scripts do much of the setup for you (including creating a PKI) however that is not required.

OpenZiti currently does not support modes where it does not mint certificates. OpenZiti is pretty opinionated in that sense. It is something that can be changed. It does introduce new configuration scenarios, adds complexity, and does put more work on network admins.

Thank you @andrew.martinez for the reply.

If I understand correctly, the “minting certificate” part is done by “edge → enrollment → signingCert” in controller configuration.

So I can use an internal-CA-provided identity for the “identity” section as well as the “web → identity” section of the controller config and still make it work. Does that sound right?

Yes.

Yes. Make sure the identity.server_cert/server_key match and all of the SANs are correct for validation. Also ensure that your identity.ca is correct as well (include your root CA and any intermediates between the root and the controller’s signing cert).

oh ok. I missed out the CA part. Currently I configured the “identity → ca” to contain only my internal CA bundle but that should contain the signing CA cert as well, right?

The controller will assemble the signingCert + ca together to make a chain. It doesn’t have to be in both places.

Example:

root -> intermediate1 -> intermediate2 (used as signingCert)

root + intermediate1 into ca
intermediate2 into signingCert

Example:

root -> intermediate1 (used as signingCert)

root into ca
intermediate1 into signingCert

Example:

root (used as signingCert)

root or <blank file> into ca
root into signingCert
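The three layouts above, turned into a runnable check. This is an added example written for this thread, not OpenZiti code: it builds a throwaway root -> intermediate1 -> intermediate2 chain in memory with Go's standard library, splits it into an identity.ca bundle and a signingCert the way the post describes, has the signing CA mint a certificate for a hypothetical controller name (ctrl.example.internal) the way enrollment would, and then validates that certificate against the reassembled chain as a TLS peer would, including the SAN check mentioned earlier. Calling verifyMinted with only the root in ca reproduces the mistake from earlier in the thread (intermediate1 missing): the chain cannot be built and verification fails. The hostname, the in-memory layout and all helper names are assumptions; the PEM bundles it produces are what you would write to the identity.ca and edge.enrollment.signingCert.cert files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// entity is a certificate with its private key: a CA in the chain or a minted leaf.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err) // any failure to mint is fatal in this demo
	}
}

// template gives a certificate a serial, subject and one-day validity.
func template(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only: a real CA uses random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// issue generates a key pair for tmpl and has issuer sign it (self-signed when issuer is nil).
func issue(tmpl *x509.Certificate, issuer *entity) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &entity{cert: cert, key: key}
}

// newCA mints a CA certificate signed by parent; a nil parent yields a self-signed root.
func newCA(cn string, parent *entity) *entity {
	tmpl := template(cn)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	return issue(tmpl, parent)
}

// mintLeaf plays the controller's signingCert: a server+client auth cert for one DNS SAN.
func mintLeaf(signing *entity, dnsSAN string) *x509.Certificate {
	tmpl := template(dnsSAN)
	tmpl.DNSNames = []string{dnsSAN}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	return issue(tmpl, signing).cert
}

// pemBundle concatenates certificates into one PEM file, the form identity.ca and signingCert take.
func pemBundle(entities ...*entity) []byte {
	var out []byte
	for _, e := range entities {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: e.cert.Raw})...)
	}
	return out
}

// splitChain: in a root-first chain the last CA is signingCert, the rest is ca (empty for a lone root).
func splitChain(chain ...*entity) (caBundle, signingCert []byte) {
	return pemBundle(chain[:len(chain)-1]...), pemBundle(chain[len(chain)-1])
}

// verifyMinted rebuilds the chain from signingCert + ca and checks a minted cert as a TLS peer would:
// self-signed entries are trust anchors, the rest intermediates, and the SAN must match dnsName.
func verifyMinted(leaf *x509.Certificate, dnsName string, bundles ...[]byte) error {
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	for _, b := range bundles {
		for block, rest := pem.Decode(b); block != nil; block, rest = pem.Decode(rest) {
			c, err := x509.ParseCertificate(block.Bytes)
			check(err)
			if c.CheckSignatureFrom(c) == nil {
				roots.AddCert(c)
			} else {
				intermediates.AddCert(c)
			}
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

verifyMinted deliberately treats only self-signed certificates as trust anchors; if the signing intermediate were added to the root pool instead, a bundle missing intermediate1 would still appear to validate, which is exactly the misconfiguration the test below is meant to catch.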

I think I understand this but I would like to try it out to be sure 🙂