openziti / desktop-edge-win

Provides a Ziti client for Windows
Apache License 2.0

Support for Windows certificate store #550

Open gooseleggs opened 1 year ago

gooseleggs commented 1 year ago

To use an MS CA server where auto-enrollment is enabled (through Group Policy) would require the Ziti client to interact with the Windows certificate store. Due to the way the Ziti client is installed, it would only be able to interact with the computer store, as Ziti has no concept of logged-in user identity (AFAIK). Using the MS CA server would remove the need to export the certificate (by default, auto-enrollment certs do not allow export of the private key) and the associated hassle of using it (exporting certs into key and cert files).

When using MS CA auto-enrollment, Windows will manage the auto-renewal of the certificate (need to work through doing this over a Ziti network). Anyway, Ziti would need to look at the computer name, and then find the certificate in the certificate store and use that. However, the computer certificate will be replaced when close to expiry, so it would need to be able to deal with this.

emoscardini commented 1 year ago

Love this idea, makes great sense for bulk distribution of enrollments in combination with third party CA authentication.

Notes from meeting:

  1. Implementing this currently would require the consumption of the local machine certificate and not the current user certificate, since the ziti-edge-tunnel doesn't run on a per-user basis at the moment. The local machine certificates are usually stored in Cert:\LocalMachine\My and will be issued with the local machine name. FYI, the location of the certificate within the store can be configured via Group Policy.
  2. This sort of implementation does have an inherent chicken/egg problem since the certificate will not exist until you join the AD domain. So the machine would need to be enrolled in AD before the Ziti client is activated.
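The lookup the meeting notes describe, written out in PowerShell as an added example (this is not code from desktop-edge-win or from the people in the thread). It enumerates Cert:\LocalMachine\My the way a service running as SYSTEM would, keeps only currently valid certificates issued to this machine's name with a usable private key, prefers the one that expires last (auto-renewal installs the replacement before the old one expires, so two can coexist briefly), records the thumbprint so a later run can tell that renewal has happened, and proves the non-exportable key is still usable in place by signing a constructed buffer through CNG. Two things are assumptions, not taken from the issue: that the enrollment template carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2), and the state-file path under ProgramData used to remember the last thumbprint.

```powershell
# Added example (not desktop-edge-win code): find the auto-enrolled machine
# certificate in Cert:\LocalMachine\My and detect when auto-renewal replaced it.
# Assumptions (not from the issue): the template carries the Client Authentication
# EKU 1.3.6.1.5.5.7.3.2, and the last-seen thumbprint is cached in a state file.

function Get-MachineHostNames {
    # Names the auto-enrolled certificate may be issued to: short name and FQDN.
    $names = @($env:COMPUTERNAME)
    try {
        $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        if ($fqdn -and $fqdn -ne $env:COMPUTERNAME) { $names += $fqdn }
    } catch {
        # Offline or DNS not yet available: fall back to the short name only.
    }
    return $names
}

function Get-MachineAuthCertificate {
    param(
        [string]$StorePath   = 'Cert:\LocalMachine\My',  # Group Policy may relocate this (note 1)
        [string]$RequiredEku = '1.3.6.1.5.5.7.3.2'       # Client Authentication (assumption)
    )
    $names = Get-MachineHostNames
    $now   = Get-Date

    $candidates = Get-ChildItem -Path $StorePath | Where-Object {
        $cert = $_
        # A private key must be present; non-exportable is fine, it is never exported.
        $cert.HasPrivateKey -and
        # Currently within its validity period.
        $cert.NotBefore -le $now -and $cert.NotAfter -gt $now -and
        # Issued to this machine: CN in the Subject or a dNSName SAN entry.
        (($names | Where-Object { $cert.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($_) + '(,|$)') }) -or
         ($cert.DnsNameList | Where-Object { $names -contains $_.Unicode })) -and
        # Carries the EKU the client needs, or has no EKU restriction at all.
        ($cert.EnhancedKeyUsageList.Count -eq 0 -or
         ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $RequiredEku }))
    }

    # Renewal leaves old and new certificates side by side for a while; take the newest.
    return $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-CertificateRotated {
    # Compare the selected certificate with the thumbprint recorded on the previous run.
    param(
        [Parameter(Mandatory)] $Certificate,
        [string]$StatePath = "$env:ProgramData\ziti-example\machine-cert.thumbprint"  # assumption
    )
    $previous = if (Test-Path $StatePath) { (Get-Content $StatePath -Raw).Trim() } else { $null }
    $rotated  = ($null -ne $previous) -and ($previous -ne $Certificate.Thumbprint)
    New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
    Set-Content -Path $StatePath -Value $Certificate.Thumbprint
    return $rotated
}

function Test-PrivateKeyUsable {
    # Sign a constructed buffer through CNG; the private key never leaves the store.
    param([Parameter(Mandatory)] $Certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if (-not $rsa) { return $false }   # e.g. an ECDSA key; would need the ECDsa equivalent
    $hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $data = [System.Text.Encoding]::UTF8.GetBytes('constructed test buffer')
    $sig  = $rsa.SignData($data, $hash, $pad)
    return $rsa.VerifyData($data, $sig, $hash, $pad)
}

# Usage
$cert = Get-MachineAuthCertificate
if (-not $cert) {
    Write-Warning 'No valid machine certificate found; the host may not have joined the domain and auto-enrolled yet (note 2).'
} else {
    Write-Host ('Using {0} (expires {1:u}, thumbprint {2})' -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint)
    if (Test-CertificateRotated -Certificate $cert) {
        Write-Host 'Certificate was renewed since the last run; reload the client identity.'
    }
    Write-Host ('Private key usable without export: {0}' -f (Test-PrivateKeyUsable -Certificate $cert))
}
```

Selecting by NotAfter rather than by "first match" is what makes the renewal case work: a client that cached the first certificate it found would keep using the expiring one until it failed. Persisting the thumbprint turns the renewal into an observable event the client can react to (reload the identity, re-establish sessions) instead of a silent failure at expiry.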