openziti / sdk-golang

Ziti SDK for Golang
Apache License 2.0
96 stars 15 forks

CA bundle isn't always fetched during enrollment #331

Closed dovholuknf closed 1 year ago

dovholuknf commented 1 year ago

see discourse for more details https://openziti.discourse.group/t/ziti-edge-enrol-identity-not-inserting-ca-bundle/814/30

It seems that if you have a PKI for the edge controller API, and a DIFFERENT PKI for the edge data plane, the enrollment of an identity will succeed, but the logic that determines if the CA bundle needs to be pulled down will not trigger, and then when the identity tries to connect it will not be able to successfully connect to the routers.

code is at https://github.com/openziti/sdk-golang/blob/main/ziti/enroll/enroll.go#L232-L258

dovholuknf commented 1 year ago

The prevailing thought will be to pull the CA bundle regardless. Looking at the code, it sure seems like it was "done this way" on purpose a while ago, but I no longer remember exactly why.
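The split-PKI failure described in the report above, and the "pull the bundle regardless" remedy from the follow-up, modelled as an added Go example. This is not code from sdk-golang or from the reporter: it constructs two throwaway ECDSA CAs (an API CA and a data-plane CA), issues a controller leaf from one and a router leaf from the other, and compares what the enrolled identity can verify when the bundle is merged conditionally versus unconditionally. The condition used for the conditional path ("skip the bundle when the controller certificate already verifies") is a hypothetical stand-in for the SDK's real check, and the host names are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testCA is a constructed CA for this demonstration, not Ziti PKI material.
type testCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newTestCA creates a self-signed ECDSA root named name.
func newTestCA(name string) (*testCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &testCA{cert: cert, key: key}, nil
}

// issueServerCert signs a TLS server leaf for host with this CA.
func (c *testCA) issueServerCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifies reports whether leaf chains to roots for host (server-auth usage).
func verifies(roots *x509.CertPool, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// EnrollmentOutcome records what the identity can verify after enrollment.
type EnrollmentOutcome struct {
	ControllerTrusted bool
	RouterTrusted     bool
}

// SimulateEnrollment models the split-PKI deployment: the controller API is signed by
// apiCA, the routers by dataCA, and the identity starts out trusting only apiCA. With
// fetchAlways=false the CA bundle is merged only if the controller certificate does
// not already verify (a hypothetical model of the skip condition, not the SDK's own
// logic); with fetchAlways=true the bundle is merged unconditionally.
func SimulateEnrollment(fetchAlways bool) (EnrollmentOutcome, error) {
	apiCA, err := newTestCA("api-ca")
	if err != nil {
		return EnrollmentOutcome{}, err
	}
	dataCA, err := newTestCA("data-ca")
	if err != nil {
		return EnrollmentOutcome{}, err
	}
	controllerCert, err := apiCA.issueServerCert("controller.example.test") // invented host
	if err != nil {
		return EnrollmentOutcome{}, err
	}
	routerCert, err := dataCA.issueServerCert("router.example.test") // invented host
	if err != nil {
		return EnrollmentOutcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(apiCA.cert) // trust the identity already holds for the controller API
	bundle := []*x509.Certificate{apiCA.cert, dataCA.cert} // what the controller would serve
	if fetchAlways || !verifies(roots, controllerCert, "controller.example.test") {
		for _, c := range bundle {
			roots.AddCert(c)
		}
	}
	return EnrollmentOutcome{
		ControllerTrusted: verifies(roots, controllerCert, "controller.example.test"),
		RouterTrusted:     verifies(roots, routerCert, "router.example.test"),
	}, nil
}

func main() {
	for _, always := range []bool{false, true} {
		out, err := SimulateEnrollment(always)
		if err != nil {
			panic(err)
		}
		fmt.Printf("fetchAlways=%v controller=%v router=%v\n", always, out.ControllerTrusted, out.RouterTrusted)
	}
}
```

With the conditional path the controller verifies but the router does not, which is exactly the "enrollment succeeds, router connection fails" symptom; merging the bundle unconditionally makes both verify. A useful post-enrollment check in either case is to verify a router certificate against the stored trust pool before declaring the identity usable.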