Skip to main content
Star OpenZiti on GitHub Star
Version: Latest

3rd-party CA

OpenZiti supports adding identities where the key and certificate are provided by a 3rd-party CA.

Prerequisites

  • ZDEW 2.5.2+
  • a 3rd-party-ca (ca) has been configured and verified in the OpenZiti Network
  • an identity exists with an external-id properly mapped to a claim, see External Id & x509 Claims
  • The CA's JWT has been transferred to the computer running the ZDEW
Obtaining the 3rd-party CA JWT

Adding an identity to a Windows machine that uses a 3rd-party CA requires the user or an operator to obtain a JWT ahead of time. This can be done in two different ways.


Obtain the 3rd-party CA JWT - ZAC

Obtain a 3rd-party CA's JWT using the Ziti Admin Console. From the Authentication->Certificate Authorities page, click the icon in the JWT column for the appropriate CA and send the JWT to the user trying to add an identity.

ext-jwt-signer-basic


Obtain the 3rd-party CA JWT - shell

Alternatively, a request can be made to the OpenZiti controller's API to return the JWT. Make an HTTP GET to the controller's /edge/management/v1/cas/${ca_id}/jwt endpoint and save the JWT into a file. Using bash with curl this might look something like:

curl -X GET -sk \
-H "Content-Type: application/json" \
-H "zt-session: ${zt_session}" \
-o ${pki_root}/auto.jwt \
"https://my.openziti.controller.local:443/cas/${ca_id}/jwt"

Add the identity

With the JWT for the CA on the machine running the ZDEW, click the "ADD IDENTITY" button in the top right of the screen. After the context menu pops up choose "With JWT". In the file dialog, select the 3rd-party CA JWT file.

windows-with-jwt

After selecting the file, a dialog will appear asking for the key and certificate to use when adding the identity. Select the appropriate key and certificate and click "Join Network"

3rd-party CA