Open gooseleggs opened 1 year ago
Love this idea, makes great sense for bulk distribution of enrollments in combination with third party CA authentication.
Notes from meeting:
- `Cert:\LocalMachine\My` & will be issued with the local machine name. FYI, the location of the certificate within the store can be configured via Group Policy.
To use an MS CA server where auto-enrollment is enabled (through Group Policy) would require the Ziti client to interact with the Windows certificate store. Due to the way the Ziti client is installed, it would only be able to interact with the computer store, as Ziti has no concept of logged-in user identity (AFAIK). Using the MS CA server would remove the need to export the certificate (by default auto-enrollment certs do not allow export of the private key) and the associated hassle of using it (exporting certs into key and cert files).
When using MS CA autoenrollment, Windows will manage the auto-renewal of the certificate (need to work through doing this over a Ziti network). Anyway, Ziti would need to look at the computer name, and then find the certificate in the certificate store and use that. However, the computer certificate will be replaced when close to expiry, so Ziti would need to be able to deal with this.
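One way a client service could locate the auto-enrolled computer certificate in `Cert:\LocalMachine\My` and notice when auto-renewal has replaced it, as an added PowerShell example that is not part of this issue thread or the Ziti project. It assumes the certificate's subject CN or SAN is the machine FQDN and that the cert carries the Client Authentication EKU; the state handling is a sketch of the comparison a client would do, not Ziti's own code.

```powershell
# Added example (not from the issue or the Ziti project). Assumes auto-enrolled
# machine certs are issued to this computer's FQDN, as the comment above states.

function Get-MachineClientCert {
    # Auto-enrolled machine certs are issued to the computer's DNS name.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $now  = Get-Date
    $cnPattern = 'CN=' + [regex]::Escape($fqdn) + '(,|$)'

    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
            ($_.Subject -match $cnPattern -or $_.DnsNameList.Unicode -contains $fqdn) -and
            # Only certs usable for TLS client authentication (EKU 1.3.6.1.5.5.7.3.2).
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
        } |
        Sort-Object NotAfter -Descending |   # after renewal, the newest cert expires latest
        Select-Object -First 1
}

# Record the thumbprint in use. The private key stays in the store (typically
# non-exportable for auto-enrolled certs), so only the reference is kept here.
$current = Get-MachineClientCert
if (-not $current) {
    throw "No valid machine client-auth certificate found in Cert:\LocalMachine\My"
}
$state = @{ Thumbprint = $current.Thumbprint; NotAfter = $current.NotAfter }

# Periodic re-check (e.g. from the client's own timer or a scheduled task):
# a different thumbprint means auto-enrollment replaced the cert, so the
# TLS identity must be reloaded from the store rather than from a cached file.
$latest = Get-MachineClientCert
if ($latest -and $latest.Thumbprint -ne $state.Thumbprint) {
    Write-Host "Certificate rotated: $($state.Thumbprint) -> $($latest.Thumbprint); reloading TLS identity"
    $state.Thumbprint = $latest.Thumbprint
    $state.NotAfter   = $latest.NotAfter
}
```

The `DnsNameList` and `EnhancedKeyUsageList` properties are the script properties the `Cert:` provider adds to store entries, so this runs unmodified in Windows PowerShell 3+ without exporting anything from the store.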