Hi team,
While exploring Ziti, I noticed that for every enrollment, the controller uses certificates from {CTRLURL}.well-known/est/cacerts.
Could someone elaborate on what this contains?
That's not the way I'd describe it exactly. OpenZiti, by default, is configured to create identities. Those identities need to be signed by some signing authority. The controller configuration file contains a setting for this certificate authority. You can find this setting in the edge.enrollment.signingCert section...
After identities are created, to verify an identity the certificate chain will need to be verified. Clients, routers, etc. can pull the list of known CAs configured in OpenZiti by accessing the URL you mention.
The cacerts endpoint is generally used during enrollment by the enrolling client to get the list of trusted CAs.
You may find RFC 7030 helpful, as this was a guide we used for secure enrollment.
This 5-part guide on Bootstrapping Trust, especially Part 5, also provides excellent background details.
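To make the reply concrete, here is an added, self-contained Go example (not code from the OpenZiti project or from anyone in this thread) of what a /cacerts body carries and how an enrolling client uses it. It assumes the endpoint follows RFC 7030 section 4.1.3, where the response is a base64-encoded CMS SignedData that contains only certificates (no signers). The controller side (EncodeCACerts), the client side (DecodeCACerts, VerifyIdentity) and the throwaway certificates built by issue() are all constructed for this example; the names are hypothetical and nothing here reflects how the Ziti controller is implemented internally.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)
// CMS object identifiers (RFC 5652): id-signedData and id-data.
var (
	oidSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
	oidData       = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
)
// Just enough of CMS for the "certs-only" SignedData an EST /cacerts response carries (RFC 7030 4.1.3).
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"explicit,tag:0"` // the SignedData
}
type signedData struct {
	Version          int
	DigestAlgorithms []pkix.AlgorithmIdentifier `asn1:"set"` // empty: nothing is signed
	EncapContentInfo struct{ ContentType asn1.ObjectIdentifier }
	Certificates     asn1.RawValue `asn1:"optional,tag:0"` // [0] IMPLICIT SET OF Certificate
	SignerInfos      []asn1.RawValue `asn1:"set"` // empty: nothing is signed
}

// EncodeCACerts is the controller side: CA certificates (concatenated DER) in a certs-only SignedData, base64-encoded.
func EncodeCACerts(caDER []byte) string {
	sd := signedData{Version: 1, Certificates: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: caDER}}
	sd.EncapContentInfo.ContentType = oidData
	sdDER, err := asn1.Marshal(sd)
	check(err)
	ci := contentInfo{ContentType: oidSignedData, Content: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: sdDER}}
	ciDER, err := asn1.Marshal(ci)
	check(err)
	return base64.StdEncoding.EncodeToString(ciDER)
}

// DecodeCACerts is the client side: a /cacerts body becomes the list of CA certificates to trust.
func DecodeCACerts(body string) ([]*x509.Certificate, error) {
	var ci contentInfo // base64 line breaks, which EST bodies may contain, are skipped by Go's decoder
	if der, err := base64.StdEncoding.DecodeString(body); err != nil {
		return nil, err
	} else if _, err = asn1.Unmarshal(der, &ci); err != nil || !ci.ContentType.Equal(oidSignedData) {
		return nil, fmt.Errorf("cacerts body is not a CMS SignedData (%v)", err)
	}
	var sd signedData
	if _, err := asn1.Unmarshal(ci.Content.Bytes, &sd); err != nil || sd.Certificates.Class != asn1.ClassContextSpecific {
		return nil, fmt.Errorf("SignedData is malformed or carries no certificates (%v)", err)
	}
	return x509.ParseCertificates(sd.Certificates.Bytes)
}

// VerifyIdentity checks that an identity chains to a CA learned from /cacerts and is usable for client auth; Roots is set, so the system store is never consulted.
func VerifyIdentity(identity *x509.Certificate, cas []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, ca := range cas {
		roots.AddCert(ca)
	}
	_, err := identity.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// issue makes constructed test certificates (not real Ziti material): a self-signed CA when parent is nil, else a client-auth identity signed by parent.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	ca, caKey := issue("Example Ziti Signing CA", nil, nil)
	cas, err := DecodeCACerts(EncodeCACerts(ca.Raw)) // publish, then fetch as the enrolling client would
	check(err)
	good, _ := issue("enrolled-identity", ca, caKey)
	impostor, _ := issue("not issued by the published CA", nil, nil)
	fmt.Println("issued identity:", VerifyIdentity(good, cas), "| impostor:", VerifyIdentity(impostor, cas))
}
```

The point to take from it is the split of roles: the controller publishes its signing CA (the certificate behind the edge.enrollment.signingCert setting) through /cacerts, while the verifying side builds its trust pool only from what that endpoint returned and never from the operating system's store, so an identity signed by any other CA fails the chain check. The client must also decide to trust the controller it fetched the bundle from in the first place, which is the bootstrapping problem the linked guide discusses.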