
Comments (6)

abvaidya avatar abvaidya commented on May 23, 2024

Yes please

from ziti.

qrkourier avatar qrkourier commented on May 23, 2024

Supporting a key/cert alternative to password would be welcome. Still, I think the only way for the admin to obtain a cert is by POSTing a CSR to /edge/client/v1/current-api-session/certificates, and the obtained ephemeral cert is only valid for obtaining an API session token after adding a cert authenticator for the admin user's identityId. If that's accurate, then I feel like we need more than just key/cert input params for the ziti edge login command.

If we use these ephemeral certs with the ziti CLI, we'd also need a renewal mechanism integrated with the CLI's session cache. That is a bit more complicated than the life cycle of a typical, long-lived edge identity. Could we add an enrollment operation that accepts a permanent password instead of one-time password? That way, the default admin could obtain a long-lived client certificate to use with the management API's cert authentication method.


qrkourier avatar qrkourier commented on May 23, 2024

Workaround: cert auth

# tofu: fetch the controller's CA bundle once over an unverified TLS connection
# (trust on first use), then reuse the saved bundle for every later request
curl --silent --show-error --fail --insecure \
    "https://minicontroller.ziti/.well-known/est/cacerts" \
| openssl base64 -d \
| openssl pkcs7 -inform DER -outform PEM -print_certs -out ~/Downloads/minicontroller-ca-bundle.pem

# login: authenticate with the admin's client cert/key to get an API session token,
# then hand that token to the ziti CLI so it caches a session for later commands
curl \
    --request POST \
    --header 'content-type: application/json' \
    --data '{}' \
    --silent --show-error --fail \
    --cert ~/Downloads/zitiadmin-client.crt \
    --key ~/Downloads/zitiadmin-client.key \
    --cacert ~/Downloads/minicontroller-ca-bundle.pem \
    "https://minicontroller.ziti/edge/client/v1/authenticate?method=cert" \
| jq -r .data.token \
| xargs ziti edge login "minicontroller.ziti:443" \
    --yes --username admin \
    --token


qrkourier avatar qrkourier commented on May 23, 2024

ziti edge login --client-cert works now, but it's necessary to parse the certificate from the enrolled JSON identity config file. It would be more convenient to use the identity config file directly, e.g., ziti edge login --identity /tmp/admin-with-cert-auth.json where /tmp/admin-with-cert-auth.json is the enrolled JSON config file for an identity with isAdmin: true.

The easiest way to obtain a client cert for an admin identity is to create the identity with isAdmin: true and enroll the JWT. That results in a JSON identity config, but I can't use that JSON directly with ziti edge login, so I need to parse out the cert and key as separate files and use them with ziti edge login --client-cert CERT --client-key KEY.

Workaround:

❯ jq -r '.id.key' < /tmp/admin-with-cert-auth.json | sed 's/^pem://' > /tmp/admin-with-cert-auth.key

❯ jq -r '.id.cert' < /tmp/admin-with-cert-auth.json | sed 's/^pem://' > /tmp/admin-with-cert-auth.cert

❯ ziti edge login miniziti-controller.192.168.49.2.sslip.io:443 \
    --username admin-with-cert-auth \
    --client-cert /tmp/admin-with-cert-auth.cert \
    --client-key /tmp/admin-with-cert-auth.key
Token: d34a3a91-f0ea-4f8f-a055-cbd8b45fb4b8
Saving identity 'default' to /home/kbingham/.config/ziti/ziti-cli.json


qrkourier avatar qrkourier commented on May 23, 2024

It would be useful if ziti edge login could parse the client cert and key from a Ziti-standard file representing an enrolled identity context as JSON.


dovholuknf avatar dovholuknf commented on May 23, 2024

I added this back in summer 2023 and @qrkourier confirms it succeeds. I think there's another feature request in here to allow an enrolled identity file to be used for auth as well, saving people the work of unwrapping the identity.

