
Best Practices for Security

Create an Admin Identity

The default admin identity is initialized with a password. Store the password in a secure location and create a new admin identity for certificate authentication.

Create an admin2 identity for certificate authentication
ziti edge create identity admin2 --admin --jwt-output-file admin2.jwt
Copy token to the admin device and enroll
ziti edge enroll admin2.jwt
Log in to https://ctrl.ziti.example.com:443 with an identity file
ziti edge login ctrl.ziti.example.com --file admin2.json

Certificate Authentication with the Console

  1. Enroll an admin identity as shown above.

  2. Unwrap the JSON file to obtain the certificate and private key.

    Unwrap the JSON file
    ziti ops unwrap admin2.json
  3. Correct the filemode for the certificate and private key.

    Correct the filemode
    chmod -c u+rw admin2.cert admin2.key
    Output
    mode of '/tmp/kenadmin2.cert' changed from 0000 (---------) to 0600 (rw-------)
    mode of '/tmp/kenadmin2.key' changed from 0000 (---------) to 0600 (rw-------)
  4. Compose a keystore from the certificate and private key.

    openssl pkcs12 -export -in admin2.cert -inkey admin2.key -out admin2.p12 -name "admin2"
  5. In your web browser, import the keystore into your client certificates.

  6. Visit the console and press the login button without entering a password.
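Steps 2 to 4 as a stand-alone script, added here as an example and not part of the OpenZiti project or this page: it unwraps the enrolled identity JSON into certificate and key files that are created with mode 0600 from the outset (so the separate chmod step is never needed and the key is never momentarily readable by other users) and builds the openssl PKCS#12 command. The identity JSON layout (`id.cert`, `id.key`, `id.ca` holding `pem:`-prefixed values) is an assumption, and the embedded sample identity uses placeholder PEM bodies.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample identity JSON; assumed layout {"ztAPI": ..., "id": {"cert"|"key"|"ca": "pem:..."}}.
# The PEM bodies are placeholders, not real key material.
SAMPLE_IDENTITY = json.dumps({
    "ztAPI": "https://ctrl.ziti.example.com:443/edge/client/v1",
    "id": {
        "cert": "pem:-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        "key": "pem:-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----\n",
        "ca": "pem:-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    },
})

def _pem_field(value: str) -> str:
    # Only inline "pem:" values are handled; any other encoding is rejected rather than guessed.
    if not value.startswith("pem:"):
        raise ValueError(f"unsupported identity field encoding: {value[:8]!r}")
    return value[len("pem:"):]

def _write_private(path: Path, data: str) -> None:
    # Create the file with mode 0600 from the first instant (no chmod race) and refuse to
    # overwrite an existing file, so the key is never briefly readable by other users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def unwrap_identity(identity_json: str, out_dir: Path, name: str) -> dict:
    """Write <name>.cert, <name>.key and <name>.ca into out_dir; returns {field: path}."""
    ident = json.loads(identity_json)["id"]
    out_dir.mkdir(parents=True, exist_ok=True)
    written = {}
    for field in ("cert", "key", "ca"):
        path = out_dir / f"{name}.{field}"
        _write_private(path, _pem_field(ident[field]))
        written[field] = path
    return written

def file_mode(path: Path) -> int:
    return stat.S_IMODE(path.stat().st_mode)  # permission bits only, e.g. 0o600

def pkcs12_command(written: dict, out_p12: Path, name: str) -> list:
    # argv for the openssl step above; returned, not executed, so the caller decides when it runs.
    return ["openssl", "pkcs12", "-export", "-in", str(written["cert"]),
            "-inkey", str(written["key"]), "-out", str(out_p12), "-name", name]

def unwrap_sample(name: str = "admin2") -> dict:
    return unwrap_identity(SAMPLE_IDENTITY, Path(tempfile.mkdtemp()), name)  # mkdtemp dir is 0700
```

Run `unwrap_sample()` to see the files land in a fresh 0700 temp directory; for a real identity, pass the JSON produced by `ziti edge enroll` to `unwrap_identity` and then execute the returned openssl argv.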