CA and certificates store with NetFoundry

How are certificates stored on the NetFoundry controller? Are they in a vault? Is this a generic one or related to the cloud provider I pick to deploy my controller into (today AWS or Oracle)? Is there any way I can define how long these certs should last etc? How and when to roll them?

For any CA there are three major validation points for any certificate:

  1. Proper signatures - supported and required
  2. Expiration dates - supported and optional configuration
  3. OCSP, CRLs - Not currently supported and under development.

For expiration there are authentication policies that govern whether expired certificates allowed or not.

3rd Party CAs are stored in an internal database that the Ziti controller accesses. It is separate from the OS. The trust root is the certificate provided when adding the 3rd Party CA.