Totally custom, self-maintained PKI

The PKI that is used by Ziti’s controller can be any PKI you wish. The controller essentially acts as an intermediate/root CA. Where that CA certificate comes from doesn’t matter as long as the controller can provide the correct bundle to enrolling routers and endpoints. I think some of our startup scripts do much of the setup for you (including creating a PKI); however, that is not required.

OpenZiti currently does not support modes where it does not mint certificates. OpenZiti is pretty opinionated in that sense. It is something that can be changed. It does introduce new configuration scenarios, adds complexity, and does put more work on network admins.

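A self-maintained chain of the kind described above, as an added example that is not part of the original post and is not OpenZiti code: it builds a root, an intermediate signing CA and a leaf with `openssl`, then checks that the leaf only validates when the bundle contains the intermediate. The function names, file names, subjects and lifetimes are constructed assumptions.

```shell
# Added example, not OpenZiti code: names, subjects and lifetimes are constructed.
# Builds root -> intermediate (signing CA) -> leaf in directory $1.
build_custom_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  for n in root intermediate leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$n.key" || exit 1
  done
  # Self-signed root: the trust anchor, kept away from the controller.
  openssl req -x509 -new -config pki.cnf -extensions v3_root -key root.key \
    -subj "/CN=Example Root CA" -days 3650 -sha256 -out root.crt &&
  # Intermediate: stands in for the CA the controller mints certificates with.
  openssl req -new -config pki.cnf -key intermediate.key \
    -subj "/CN=Example Signing CA" -out intermediate.csr &&
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile pki.cnf -extensions v3_intermediate \
    -days 1825 -sha256 -out intermediate.crt 2>/dev/null &&
  # Leaf: stands in for an enrolled router or endpoint identity.
  openssl req -new -config pki.cnf -key leaf.key \
    -subj "/CN=example-router" -out leaf.csr &&
  openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -extfile pki.cnf -extensions v3_leaf \
    -days 365 -sha256 -out leaf.crt 2>/dev/null &&
  # Bundle handed to enrolling parties: intermediate first, then root.
  cat intermediate.crt root.crt > ca-bundle.pem
)

# True only if the leaf chains to the root using the certificates in bundle $2.
leaf_chains_with() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/leaf.crt" >/dev/null 2>&1
}
```

Call `build_custom_pki ./pki` and then `leaf_chains_with ./pki ./pki/ca-bundle.pem`; passing `./pki/root.crt` as the bundle instead fails, because the intermediate is missing from the chain.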