A person with administrative rights to the Network instance creates a new identity.
The Ziti controller returns a JWT to be used as a one time token to register the new identity.
The administrator delivers the JWT to the endpoint by whatever means required. This is the true bootstrapping of the trust model, and should be well defined.
The JWT is parsed, and information such as the name of the identity and the address of the controller is extracted from the token.
The server certificate is retrieved from the controller.
The JWT's signature is cryptographically verified with the controller's public certificate.
The Certificate Authority public key is retrieved via the controller's .well-known endpoint.
The CA certificate is added to the client as a trusted certificate. Its public key is the one used to sign all the certificates within the network instance, and it is also used to verify other nodes when connecting.
The endpoint generates a Certificate Signing Request and forwards it to the controller along with an enrollment request.
The token value (jti) in the JWT is used as a unique identifier for the controller to verify the endpoint. That token is also held by the controller from the moment it is created, and is deleted once it is "used", rendering the JWT useless after the enrollment.
The controller validates the token value, and the information included in the CSR, signs the certificate, and returns it to the endpoint.
The endpoint stores the signed certificate.
The endpoint is now registered to the network, and has all the necessary certificates to identify itself and participate.