
Best Practices for Security

Create an Admin Identity

The default admin identity is initialized with a password. Store that password in a secure location, then create a second admin identity that authenticates with a certificate and use it for routine administration.

    # Create an admin2 identity for certificate authentication
    ziti edge create identity admin2 --admin --jwt-output-file admin2.jwt
    # Copy the enrollment token to the admin device and enroll; this writes admin2.json
    ziti edge enroll admin2.jwt
    # Log in to https://ctrl.ziti.example.com:443 with the identity file
    ziti edge login ctrl.ziti.example.com --file admin2.json

Certificate Authentication with the Console

  1. Enroll an admin identity as shown above.

  2. Unwrap the JSON file to obtain the certificate and private key.

    ziti ops unwrap admin2.json
  3. Correct the file mode of the certificate and private key. The unwrapped files are created with mode 0000, so give the owner (and only the owner) read and write access.

    chmod -c u+rw admin2.cert admin2.key
    Output
    mode of 'admin2.cert' changed from 0000 (---------) to 0600 (rw-------)
    mode of 'admin2.key' changed from 0000 (---------) to 0600 (rw-------)
  4. Compose a keystore from the certificate and private key.

    openssl pkcs12 -export -in admin2.cert -inkey admin2.key -out admin2.p12 -name "admin2"
  5. In your web browser, import the keystore into your client certificates.

  6. Visit the console in your web browser. The browser will prompt with a list of imported client certificates. Select the one you imported in the previous step.

  7. Press the "LOGIN" button without entering a password.
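Steps 2 and 3 above leave a short window in which the private key exists with the wrong mode, and a pre-placed symlink at the destination could redirect the write. The following added example (not part of the OpenZiti docs or project code) performs the unwrap itself, creating each output file exclusively with mode 0600 from the start, and then verifies the result. It assumes the identity JSON layout written by `ziti edge enroll`: a top-level `ztAPI` plus an `id` object whose `key`, `cert` and `ca` fields are either inline `pem:` strings or `file:` references; the sample identity and its PEM bodies are constructed placeholders. Hypothetical helper names (`unwrap_identity`, `check_private_mode`, `demo`) are this example's own.

```python
"""Added example (not OpenZiti project code): unwrap an enrolled identity JSON
into .cert/.key/.ca files that are created 0600 and exclusively, replacing the
separate unwrap-then-chmod steps. POSIX file modes are assumed."""
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample in the assumed `ziti edge enroll` output layout.
# The PEM bodies are placeholders, not real key or certificate material.
SAMPLE_IDENTITY = {
    "ztAPI": "https://ctrl.ziti.example.com:443/edge/client/v1",
    "id": {
        "key": "pem:-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----\n",
        "cert": "pem:-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        "ca": "pem:-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    },
}


def _read_material(value: str, base: Path) -> bytes:
    """Resolve one identity field: inline 'pem:<PEM>' or a 'file:<path>' reference
    relative to the identity file. Assumption: these are the only two prefixes."""
    if value.startswith("pem:"):
        return value[len("pem:"):].encode()
    if value.startswith("file:"):
        return (base / value[len("file:"):]).read_bytes()
    raise ValueError(f"unsupported identity material prefix: {value[:8]!r}")


def _write_private(path: Path, data: bytes) -> None:
    """Create the file with mode 0600 atomically and refuse to follow or overwrite
    an existing path (O_EXCL), so the key is never readable by others and a
    pre-placed symlink cannot redirect the write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def unwrap_identity(identity_json, out_dir) -> dict:
    """Write <name>.cert, <name>.key and <name>.ca next to the chosen out_dir.
    Returns a mapping of field name -> written Path. Raises FileExistsError
    rather than clobbering an existing file."""
    identity_json = Path(identity_json)
    out_dir = Path(out_dir)
    material = json.loads(identity_json.read_text())["id"]
    name = identity_json.stem
    written = {}
    for field in ("cert", "key", "ca"):
        if field not in material:
            continue
        target = out_dir / f"{name}.{field}"
        _write_private(target, _read_material(material[field], identity_json.parent))
        written[field] = target
    return written


def check_private_mode(path) -> bool:
    """True iff path is a regular file (symlinks rejected via lstat) whose
    permission bits are exactly 0600: the check a deploy script should run
    before handing the key to openssl or a browser import."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def demo(work_dir=None) -> dict:
    """Write the constructed sample as admin2.json, unwrap it, and report the outcome."""
    work = Path(work_dir or tempfile.mkdtemp(prefix="ziti-unwrap-"))
    src = work / "admin2.json"
    src.write_text(json.dumps(SAMPLE_IDENTITY))
    files = unwrap_identity(src, work)
    return {
        "files": {k: str(v) for k, v in files.items()},
        "key_mode_ok": check_private_mode(files["key"]),
        "cert_mode_ok": check_private_mode(files["cert"]),
        "key_text": files["key"].read_text(),
    }


if __name__ == "__main__":
    result = demo()
    for field, path in result["files"].items():
        print(f"{field}: {path} mode_ok={check_private_mode(path)}")
```

After `unwrap_identity` has run, continue with step 4 (`openssl pkcs12 -export ...`) on the `.cert` and `.key` files; if `check_private_mode` returns False for either, stop and fix the mode before building the keystore.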