ZDEW YubiKey Support

Does the ZDEW client currently support loading x509 certificates from a YubiKey or other HSM? I can't see any documentation or anything obvious in the UI.

Hi @bengcooper, welcome to the community and to OpenZiti!

I haven't tested it for a while, myself but the technical answer is "it should support yubikey, yes". The experience is very rough at the moment though because there hasn't been sufficient demand placed on making the feature more robust. We have to choose where to invest, and it's not been something people have demanded just yet.

That said, it SHOULD work, but it's been a minute since I've tried it, and there are no documents handy as to how to do it in a step by step manner.

So if you're needing an easy, white-glove type experience, it's not there yet. If you are willing to get a bit into the weeds, I can give it a try and report back with success/failure and steps... Let me know where you're leaning. :slight_smile:

Oh and as for "other certs" yes that should also work and is not as in the weeds as yubikey is, but it's also not "white-glove" at this time for the same reasons. OpenZiti does support 3rd party CA enrollment, and you can load your own certificates for your identities. I could show you that too if that's acceptable. It's on the roadmap to support interacting with the OS cert store, that's not something that works at this time.

Thanks for such a quick and clear reply! :slight_smile:

I'm more than happy to get my hands dirty - if you're able to get some sort of rough process worked out for using a YubiKey then that would be fantastic. Failing that knowing how to use 3rd party CAs would also be helpful, but we don't need to interact with the OS cert store.

Hi @bengcooper I have used (and I actually use it) on my Windows 11.
The identity is loaded into my yubikey and the only way to access some of my services is having the key.

I just followed the documentation YubiKey by Yubico | OpenZiti, but if you run into any issue, let us know.

1 Like

You also wrote this great blog! Enhance your Network Security with Zero Trust and OTP

Ok hang on... Yes, you can use Yubikey with TOTP (as posted in @natashell 's guide) -- OR -- you can use the (no longer published) ziti-tunnel... But that's not what we're doing here. :slight_smile:

The CSDK guru - @ekoby tells me that Yubikey will require openssl to work and the ZDEW is still using mbedtls.

So -- @bengcooper I'll show you how to use 3rd party CAs with ZDEW for now and when we move over to openssl (which is coming) I'll try to remember to post back here showing you how to use ZDEW with the Yubikey....

1 Like

Thanks all - that's really helpful :slight_smile:

I think I'll start with issuing keys to staff to use for TOTP, and then migrate to managed certificates once it's possible. Do you have a rough timescale for the switch to OpenSSL?

We've been talking about it actively... So "this year" sounds pretty safe but it might be sooner.
Keep an eye on the GitHub - openziti/desktop-edge-win: Provides a Ziti client for Windows repo. The releases specifically, we'll call out the move to openssl in the release notes.

I'm still whipping up some instructions on using 3rd party CA -- and TOTP :slight_smile: I'll post that back soon.

1 Like

Alright, sorry it took a while. We had a bug that @gooseleggs filed that actually coincided with getting these steps out the door. Make sure you are on version of the ZDEW.

Here's a video walkthrough

Powershell Commands shown from the video

ziti edge login $zitiCtrl -u $zitiUser -p $zitiPwd -y

ziti pki create ca --pki-root "${zitiPkiRoot}" --ca-file "$caName"

$rootCa=(Get-ChildItem -Path $zitiPkiRoot -Filter "$caName.cert" -Recurse).FullName
"root ca path: $rootCa"

ziti edge create ca "$caName" "$rootCa" --auth --ottca

$verificationToken=((ziti edge list cas -j | ConvertFrom-Json).data | Where-Object { $_.name -eq $caName }[0]).verificationToken
ziti pki create client --pki-root "${zitiPkiRoot}" --ca-name "$caName" --client-file "$verificationToken" --client-name "$verificationToken"

$verificationCert=(Get-ChildItem -Path $zitiPkiRoot -Filter "$verificationToken.cert" -Recurse).FullName
"verification cert path: $verificationCert"
ziti edge verify ca $caName --cert $verificationCert

$authPolicy=(ziti edge create auth-policy "$caName-auth-policy" --primary-cert-allowed --secondary-req-totp --primary-cert-expired-allowed)

ziti pki create client --pki-root "${zitiPkiRoot}" --ca-name "$caName" --client-file "$newUser" --client-name "$newUser"

$newUserCert=(Get-ChildItem -Path $zitiPkiRoot -Filter "$newUser.cert" -Recurse).FullName
$newUserKey=(Get-ChildItem -Path $zitiPkiRoot -Filter "$newUser.key" -Recurse).FullName

ziti edge create identity $newUser --auth-policy "$authPolicy"
ziti edge create enrollment ottca $newUser $caName

if ($PSVersionTable.PSVersion.Major -gt 5) { #powershell....
    $ottcajwt = (ziti edge list identities "name contains ""$newUser""" -j | ConvertFrom-Json).data.enrollment.ottca.jwt
} else {
    $ottcajwt = (ziti edge list identities "name contains \""$newUser\""" -j | ConvertFrom-Json).data.enrollment.ottca.jwt 

Set-Content -Path "$zitiPkiRoot\$newUser.jwt" -Value $ottcajwt -NoNewline -Encoding ASCII

& 'C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\ziti-edge-tunnel.exe' `
    enroll `
    --jwt "$zitiPkiRoot\$newUser.jwt" `
    --cert $newUserCert `
    --key $newUserKey `
    --identity "C:\Windows\System32\config\systemprofile\AppData\Roaming\NetFoundry\${newUser}.json"