OpenSSL is the way forward and is required for certain features like PKCS11.
OpenSSL is more strict about verifying certificates. The self-signed (root) cert must be trusted, not merely the issuer of the leaf cert.
Critically, OpenZiti network admins must ensure that Ziti's CA bundle contains only root certs from CAs under their control (not third parties like Let's Encrypt, not intermediate issuers), and all server certs must be presented along with any intermediate issuer certs in the trust chain so they can be verified by trusting only the root.
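The verification behaviour described in this issue can be reproduced with the `openssl` CLI. The script below is an added example, not part of the original issue or of OpenZiti's code; the three-tier PKI, the file names and the helper functions (`make_pki`, `verify_leaf`, `non_root_count`) are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> leaf); every name below is made up.

make_pki() {  # $1 = empty directory; writes root.pem, int.pem and leaf.pem into it
  ( cd "$1" || exit 1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > pki.cnf
    newreq() { openssl req -new -newkey rsa:2048 -nodes -config pki.cnf "$@"; }
    newreq -x509 -days 1 -extensions v3_ca -subj "/CN=Demo Root" -keyout root.key -out root.pem &&
    newreq -subj "/CN=Demo Intermediate" -keyout int.key -out int.csr &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 1 -extfile pki.cnf -extensions v3_ca -out int.pem &&
    newreq -subj "/CN=ctrl.demo.invalid" -keyout leaf.key -out leaf.csr &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 1 -out leaf.pem
  ) >/dev/null 2>&1
}

# Default OpenSSL chain check of leaf.pem: $2 = trusted bundle, $3 = optional
# intermediates as the server would present them (never trusted by themselves).
verify_leaf() {  # $1 = PKI directory
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1/$2" -untrusted "$1/$3" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/$2" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

# Bundle audit: count certs whose subject differs from their issuer, i.e. not roots.
# Name comparison only; it does not check the signature.
non_root_count() {  # $1 = PEM bundle
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ {s=substr($0,9)} /^issuer=/ && substr($0,8)!=s {n++} END {print n+0}'
}

d=$(mktemp -d) && make_pki "$d" && {
  cat "$d/root.pem" "$d/int.pem" > "$d/mixed.pem"
  verify_leaf "$d" int.pem && echo "issuer-only bundle: accepted" || echo "issuer-only bundle: rejected"
  verify_leaf "$d" root.pem && echo "root only, no chain sent: accepted" || echo "root only, no chain sent: rejected"
  verify_leaf "$d" root.pem int.pem && echo "root + presented chain: accepted" || echo "root + presented chain: rejected"
  echo "non-root certs in mixed bundle: $(non_root_count "$d/mixed.pem")"
}
```

Running `non_root_count` against a real CA bundle gives a quick audit: any value other than 0 means the bundle holds a certificate that is not a root.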