ZAC (manage certificate authorities)

I reviewed the documentation at https://openziti.io/docs/learn/core-concepts/security/authentication/third-party-cas/

and it states that this page allows configuring external root certificates (CA), which can be used for external devices to register and access the network. My understanding is that if I have a client outside the Ziti network, I can add the client's certificate to the Ziti network, enabling the client to access the Ziti network directly. Is my understanding correct?

Also, the Ziti certificate is currently generated using Let's Encrypt. If I switch to another CA or encryption method, will it still be supported here?

"Kind of", is what that sounds like to me... I probably would not put it quite that way. I would say that 3rd party CAs allow devices to join/participate on the OpenZiti overlay that have certificates that are not owned nor maintained by the OpenZiti overlay itself.

A big difference is that you don't add the "client's certificate", you add the CA to your OpenZiti controller, but you must verify you own the CA to do so. This means you can't trust arbitrary CAs in this way. It's 3rd party CAs that you own and operate. You still need to own and operate the CA because in order to verify the CA you'll need to verify it, and verifying a CA requires you to create a certificate from the CA...

I would be surprised if that were true. You probably have an alternative server certificate for the controller and maybe web socket enabled routers, but all the identities are likely owned by the PKI that the controller set up originally -- not from LE.

That make sense?

Thank you for your reply!

Actually, my intention is to change the encryption method for the controller to meet my specific needs, instead of using RS256. I want to customize the SigningMethod, which involves certificates. That's why I looked into the certificate management page. I was wondering if it's possible to configure other types of certificates to meet the requirements of a custom encryption method.

Right now the golang stuff will use RSA during enrollment by default but you can specify EC if you like using:

ziti edge enroll identity.jwt --keyAlg EC

I'm not sure what sorts of customizing you're looking to do nor why, but it sounds like 3rd party CA might work for you. Hard to know without more details, but it sounds like you'll get it figured out and you can let us know how it goes.

Thank you. Currently, this is just an idea of mine. Due to the consideration of custom encryption strategies, I will try to implement it. If I discover anything, I will update it here.

I am trying to use Let's Encrypt certificates to understand the functionality of a certain feature. I have generated cert.pem, chain.pem, fullchain.pem, and privkey.pem using Certbot. I added chain.pem to the certificate management system and created a new identity file with it. However, when I attempt to register on Android, I get an error message saying "client certificate is required for ottca enrollment."

I've reviewed the code and it appears that the issue is due to enroller.enroll(null, ks, name). I am now stuck and need to understand the complete validation process. What is the proper workflow to verify this functionality?

And for IS AUTO ENROLLMENT, IS OTT ENROLLMENT, IS AUTH ENABLED, EXTERNAL ID: is it necessary to enable all of them?

No. You only need to enable the mechanism you want to support. You definitely need auth enabled if you want to use it for authentication. You also need to map the external id to an identity unless you're auto-enrolling.

What is the proper workflow to verify this functionality?

The proper flow is:

  • add the CA to ziti
  • obtain the 'verify' token from the controller CA endpoint
  • produce a certificate with the verify token as the common name (CN)
  • submit the certificate to the controller using ZAC or mgmt endpoint
  • create a key/cert to use to auth and submit it for authentication

Have you seen Creating Endpoint with your own Certificate Authority - #12 by TheLumberjack and the video https://www.youtube.com/watch?v=USMim65c4ic ?

That might help you out?
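The verify step of that flow, as an added Go example that is not OpenZiti's own code: a constructed operator-owned CA issues a certificate whose CN is the verify token, and a stand-in for the controller's check confirms the certificate chains to the registered CA and carries that token. The function names and the check itself are assumptions modelled on the steps above; the real controller logic lives in the OpenZiti code base.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl under parent with a fresh Ed25519 key; a nil signer means self-signed.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil { // self-signed root: the new key signs its own certificate
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewCA stands in for the operator-owned CA you register with the controller (constructed sample, not a real OpenZiti CA).
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return issue(tmpl, tmpl, nil)
}
// IssueVerifyCert is the "certificate with the verify token as the CN" step; only a holder of the CA key can produce it.
func IssueVerifyCert(ca *x509.Certificate, caKey ed25519.PrivateKey, token string) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: token},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}, ca, caKey)
	return cert, err
}
// CheckVerification models the controller-side check (assumed, not OpenZiti's code): chain to the registered CA and CN == token.
func CheckVerification(ca, submitted *x509.Certificate, token string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := submitted.Verify(x509.VerifyOptions{Roots: roots})
	if err == nil && submitted.Subject.CommonName != token {
		err = x509.CertificateInvalidError{Cert: submitted, Reason: x509.NameMismatch, Detail: "CN is not the verify token"}
	}
	return err
}
```

A certificate with the right CN but signed by some other CA fails the chain check, which is why the step proves control of the CA's private key rather than just knowledge of the token.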

Thank you! I will check them out. This is exactly what I needed, and it’s very helpful to me.