openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

Allow Expired Certs Per Identity Once #2094

Open andrewpmartinez opened 4 weeks ago

qrkourier commented 4 weeks ago

Is this aimed at recovering from a condition where a client cert's expired, to allow renewal, or is this more about changing the internal model such that client cert expiry can be enforced on a per-identity basis, or both?

andrewpmartinez commented 4 weeks ago
  1. SDKs can extend their certs, but don't. As the capability becomes implemented, clients will begin to do so. This allows someone to enforce cert expiration w/o losing existing clients.
  2. It could also be used for recovery scenarios.