pki_topology.puml
@startuml
node rootExternalCA
note top of rootExternalCA
Suppose this is your organization's root CA, trusted on every device
in the organization, from the edge up to the server.
You don't need read access to this CA's private key; you only need
to be able to get the intermediate CA (openzitiICA) signed by it.
With the root CA trusted throughout the organization, you avoid the
annoying HTTPS warnings a browser shows for untrusted certificates.
end note
node openzitiICA
node NetworkComponentsICA
node EdgeICA
node SignICA
node NetworkComponentsServerCert
node NetworkComponentsClientCert
node EdgeServerCert
node EdgeClientCert
node (ManySignedIdentities)
note top of ManySignedIdentities
The ziti controller needs access to some intermediate CA so that it
can sign certificates for identities.
You could use a single intermediate CA for everything, e.g. just
openzitiICA, but then a compromise of the controller node would mean
a total loss of trust and you would have to re-issue the whole PKI.
Giving the controller its own signing CA (SignICA) limits the damage.
end note
rootExternalCA --> openzitiICA
openzitiICA --> NetworkComponentsICA
openzitiICA --> SignICA
openzitiICA --> EdgeICA
NetworkComponentsICA --> NetworkComponentsServerCert
NetworkComponentsICA --> NetworkComponentsClientCert
EdgeICA --> EdgeServerCert
EdgeICA --> EdgeClientCert
SignICA --> ManySignedIdentities
@enduml
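Added example, not part of this repository or of OpenZiti's tooling: a Go program that mints the hierarchy drawn above with constructed Ed25519 keys and uses crypto/x509 chain verification to show the blast-radius point of the second note, namely which leaves still verify to rootExternalCA once a compromised intermediate (SignICA) is dropped from the trusted set. All names map to the diagram's nodes; the key material is constructed here and is not the ziti CLI's PKI output.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Constructed key material for the diagram's nodes; not OpenZiti's real PKI or the ziti CLI's output.
var certs, keys = map[string]*x509.Certificate{}, map[string]ed25519.PrivateKey{}
// issue mints certificate cn signed by certs[parent] (parent "" means self-signed); a certSign usage makes it a CA.
func issue(cn, parent string, usage x509.KeyUsage) {
	_, keys[cn], _ = ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(int64(len(certs) + 1)), Subject: pkix.Name{CommonName: cn},
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == "" { // self-signed root: the template is its own issuer
		certs[cn], parent = tmpl, cn
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, certs[parent], keys[cn].Public(), keys[parent])
	if err != nil {
		panic(err)
	}
	certs[cn], _ = x509.ParseCertificate(der)
}
// init mints the hierarchy; each issue call is one "-->" arrow of pki_topology.puml.
func init() {
	issue("rootExternalCA", "", x509.KeyUsageCertSign)
	issue("openzitiICA", "rootExternalCA", x509.KeyUsageCertSign)
	for ica, leaves := range map[string][]string{"SignICA": {"ManySignedIdentities"}, "EdgeICA": {"EdgeServerCert", "EdgeClientCert"},
		"NetworkComponentsICA": {"NetworkComponentsServerCert", "NetworkComponentsClientCert"}} {
		issue(ica, "openzitiICA", x509.KeyUsageCertSign)
		for _, leaf := range leaves {
			issue(leaf, ica, x509.KeyUsageDigitalSignature)
		}
	}
}
// chains reports whether leaf verifies to rootExternalCA through only the named ICAs; omitting a compromised ICA models distrusting it.
func chains(leaf string, trustedICAs ...string) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(certs["rootExternalCA"])
	for _, n := range trustedICAs {
		inter.AddCert(certs[n])
	}
	_, err := certs[leaf].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

After a controller compromise, chains("ManySignedIdentities", "openzitiICA", "EdgeICA") returns false while chains("EdgeClientCert", "openzitiICA", "EdgeICA") still returns true, so only the identities under SignICA need re-issuing.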