Skip to main content
Star us on GitHub Star

Certificate Management

Clients, routers, and the controller use x509 client and server certificates. Client authentication methods include certificates, but router and controller authentication always uses certificates.

Client and Routers with certificates from the internal Edge signer PKI may request new certificates by calling the Edge API. Routers always have certificates from the internal Edge signer PKI. Clients can also be created with certificates from external PKIs via 3rd Party CAs. Ziti can trust certificates from a configured external CA, but can not revoke or issue those certificates.

Router Certificate Extension

Routers will attempt to extend their current client and server certificates one week prior to expiration. No intervention is necessary on behalf of the network administrator. The request must be sent to the controller via a pre-authenticated connection. If a router has been disconnected from the Ziti network and their client certificates have expired, the router must be re-enrolled.

Client Certificate Extension

Clients may determine their own client certificate extension frequency. In order to extend their current client certificate issued by the Ziti PKI, they must issue the following REST request to either the Edge Management API or Edge Client API after becoming fully authenticated.

Client Certificate Extension

The Ziti SDKs provide helper functions for this process and issuing these requests manually should not be necessary.

The id necessary to extend a specific authenticator may be obtained by listing the client's current authenticators with GET edge/*/v1/current-identity/authenticators where * may be management or client. The CSR provided must be PEM encoded.


POST edge/client/v1/current-identity/authenticators/{id}/extend

"clientCertCsr": "-----BEGIN NEW CERTIFICATE REQUEST-----\n..."


A new CA bundle and client certificate will be returned PEM encoded.

"data": {
"meta": {}