ZAC (manage certificate authorities)

No. You only need to enable the mechanism you want to support. You definitely need auth enabled if you want to use it for authentication. You also need to map the external id to an identity unless you're auto-enrolling.

What is the proper workflow to verify this functionality?

The proper flow is:

  • add the CA to ziti
  • obtain the 'verify' token from the controller CA endpoint
  • produce a certificate with the verify token as the common name (CN)
  • submit the certificate to the controller using ZAC or the mgmt endpoint
  • create a key/cert to use to auth and submit it for authentication

Have you seen Creating Endpoint with your own Certificate Authority - #12 by TheLumberjack and the video https://www.youtube.com/watch?v=USMim65c4ic ?

That might help you out?
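
The third step of the flow above (a certificate whose CN is the verify token, signed by the CA being verified), as an added Go example that is not part of the original post and not the Ziti project's code. It builds the certificate and checks it locally before you submit it. Assumptions: the CA is a constructed self-signed test CA, the token is a placeholder, the helper names `issue` and `CheckVerifyCert` are hypothetical, and the local check covers only the CN match and the CA signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key and certificate with the given CN; parent == nil yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // constructed stand-in for your own CA
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CheckVerifyCert confirms the CN equals the verify token and the CA signed the certificate.
func CheckVerifyCert(cert, ca *x509.Certificate, token string) error {
	if cert.Subject.CommonName != token {
		return fmt.Errorf("CN %q is not the verify token", cert.Subject.CommonName)
	}
	return cert.CheckSignatureFrom(ca)
}

func main() {
	const token = "VERIFY-TOKEN-PLACEHOLDER" // placeholder, use the token the controller returns
	ca, caKey, _ := issue("Constructed Test CA", nil, nil)
	cert, _, _ := issue(token, ca, caKey)
	fmt.Println("verification certificate ok:", CheckVerifyCert(cert, ca, token) == nil)
}
```

A certificate that fails this local check (wrong CN, or signed by a different CA than the one added to the controller) is the usual reason the verification step is rejected.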