3rd Party CAs
3rd Party CAs allow external private key infrastructures (PKIs) to be imported into Ziti and used for client enrollment and authentication. Ziti does not allow external private keys from PKIs to be imported for 3rd party CAs. Creation and distribution of client certificates must be handled outside of Ziti.
3rd Party CAs represent x509 Certificate chains that have the CA:true
constraint. It is worth noting
that adding a x509 certificate as a 3rd Party CA will treat it as a trust anchor even if it is an intermediate CA.
3rd Part CAs validate partial chains back to a registered 3rd Party CA. If full chain validation is required, ensure
that the root CA is added as a 3rd Party CA and ensure authenticating clients provide their client certificate in
index zero and any required intermediate certificates afterwards.
Usage
3rd Party CAs can be used in the following manners:
- allows clients to enroll and authenticate automatically for at-scale network boarding - Auto CA Enrollment
- allows clients to enroll pre-created identities - OTT CA Enrollment
- allows clients to map to pre-created identities using
externalId
and X509 Claims
Create
Creating a 3rd Party CA has various option that will determine how the 3rd Party CA will be used and how client certificates will be validated. The following fields configure client authentication:
isAutoCaEnrollmentEnabled
- allows client certificates of the CA to automatically enroll when encounteredisOttCaEnrollmentEnabled
- allows client certificates of the CA to enroll if an identity with anottca
enrollment was createdisAuthEnabled
- allows client certificates of the CA to attempt to enrollexternalIdClaim
- configuration used to pull values out of the x509 client certificate used to match identityexternalId
, see External Id & x509 Claims
For Auto CA Enrollment an identity is created on first authentication. The following fields allow configuration of newly created identities:
identityRoles
- the identity roles to give to automatically enrolling identitiesidentityNameFormat
- the identity name format used to name automatically enrolling identities
On initial creation of a 3rd Party CA it will be in an unverified stated and must undergo verification. The following fields relate to verification:
isVerified
- read only field of whether this CA has been verifiedverificationToken
- read only displaying the verification token required to verify the CA
All other fields are for informational purposes:
name
- the name of the given CAfingerprint
- read only field of the sha1 fingerprint of the provided x509 certificatecertPem
- PEM encoded version of the CA
Verification
In order for a 3rd Party CA to be used authentication and enrollment it must first be verified. While in an unverified
state isVerfieid
will be false and verificationToken
will contain a random security token. In order to verify
the 3rd Party CA a certificate with the verificationToken
set as the common name must be signed by the certificate
provided for the 3rd Party CA.
Ziti CLI
The Ziti CLI can assist with creating a verification certificate in two ways. It can create the verification certificate and submit it or submit an already created certificate.
Create Verification Certificate & Submit
Access to the CA's certificate and private key is required.
ziti edge verify ca <name> --cacert <signingCaCert> --cakey <signingCaKey> [--password <caKeyPassword>]
Submit Verification Certificate
Access to a certificate with the verifiationToken
set as the common name and signed by the 3rd Party CA is required
ziti edge verify ca <name> --cert <pemCertFile>
Edge Management API
The Edge Management API accepts and id
in the URL path and x509 certificate PEM
as the body:
POST /edge/management/v1/cas/<id>/verify
—–BEGIN CERTIFICATE—–
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
...
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
—–END CERTIFICATE—–
External ID & X509 Claims
The base set of capabilities of x509 certificates do not allow the inclusion of custom private claims. Ziti internally uses x509-claims to allow claims data to be parsed from SANs and other fields. An example of this in other projects is SPIFFE. SPIFFE defines SPIFFE IDs which are stored in SVIDs.
3rd Party CAs support defining a set of x509 claims configuration that allows a claim to be matched to an identity
externalId
. The configuration is contained in an object in the field externalIdClaims
. When not defined, x509
client certificate authentication attempts to find an identity that is tied to an authenticator
by matching client certificates. Using x509 claims, the client is matched by the identity externalId
value.
The fields under externalIdClaims
is as follows:
location
- defines which value(s) in an x509 certificate will be processed:COMMON_NAME
,SAN_URI
,SAN_EMAIL
matcher
- defines how values fromlocation
will be filtered:ALL
,PREFIX
,SUFFIX
,SCHEME
matcherCriteria
- defines thePREFIX
,SUFFIX
, orSCHEME
to look for based onmatcher
parser
- defines how values fromlocation
filtered bymatcher
will be parsed:NONE
,SPLIT
parserCriteria
- defines the criteria to provide toparser
index
- should multiple values still be available afterlocation
,matcher,
andparser
processing the integer value here will be used from the set
CA Create/Update REST API
{
"name": "myCA",
"certPem": "—–BEGIN CERTIFICATE—–\nMIIDdTCCAHMU...\n—–END CERTIFICATE—–",
"externalIdClaims": {
"location": "SAN_URI",
"matcher": "SCHEME",
"parser": "NONE",
"parserCriteria": "",
"index": 0
}
}
Ziti CLI
ziti edge create ca myCa ca.pem \
--location SAN_URI \
--matcher SCHEME \
--matcher-criteria spiffe \
--parser "NONE"
ziti edge update ca myCa \
--location SAN_URI \
--matcher SCHEME \
--matcher-criteria spiffe \
--parser "NONE"
Location, Matcher, Parser
x509 claims are located, matched, and parsed. Location defines where the value(s) are sourced from, matching filters, and parsing allows for a single value to yield multiple claims.
Location
Location configuration sources value(s) from the x509 certificate
COMMON_NAME
- the common name of the certificateSAN_URI
- SAN URI fieldsSAN_EMAIL
- SAN email fields
Matcher & Matcher Criteria
Matcher and matcher criteria work together to filter fields. The matcher
uses matcherCritera
to perform basic
filtering.
Matcher values:
ALL
- returns all values (i.e. no filtering)PREFIX
- matches by the string prefix defined bymatcherCriteria
SUFFIX
- matched by the string suffix defined bymatcherCriteria
SCHEME
- a matcher that specializes in matching the protocol defined inmatcherCriteria
of a URI (used withSAN_URI
only)
Parser & Parser Criteria
Parser and parser criteria work together to turn individual values from location and matching into multiple values. Parsers allow a single value to contain more than one claim.
Parser values:
NONE
- perform no parsingSPLIT
- perform string splitting based on the string separator defined byparserCriteria