Certificates and their Uses
Network Fandango Service
The following certificates are generated by the Network Fandango Service:
Root CA
- X509 Certificate
- Trust anchor for all service issued TLS certs and JWT tokens. You can optionally use your own organisation's certificate infrastructure for this certificate.
- Issued By:
ICertificateService.CreateRootCertificateAsync - Obtain With:
ICertificateService.TryLoadRootCaorICertificateService.TryGetRootPublicKey - Storage Keys:
ca.x509.root.pem,ca.x509.root.key
API TLS Certificate
- X509 Certificate
- HTTPS endpoint identity for nfsvc
- Issued By:
ICertificateService.IssueTlsCertificateAsync - Obtain With:
ICertificateService.TryLoadTlsCertificateAsync - Storage Keys: N/A (uses filesystem)
JWT Certificate
- X509 Certificate
- Sign server-issued JWTs (enrollment tokens, etc.).
- Issued By:
ICertificateService.IssueJwtCertificateAsync - Obtain With:
ICertificateService.TryLoadJwtCertificateAsync - Storage Keys: N/A (uses filesystem)
SSH User CA (OpenSSH CA for user certs)
- Sign user SSH certificates for ephemeral admin access.
- Issued By:
ICertificateService.IssueSshUserCertificateAsync - Obtain With:
ICertificateService.TryGetSshUserPublicKey - Storage Keys:
ssh_ca_key,ssh_ca_key_pub
SSH Host CA (OpenSSH CA for host certs)
- Sign host SSH certificates for devices so admins can verify host identity without managing known_hosts entries.
- Issued By:
ICertificateService.IssueSshHostCertificateAsync - Obtain With: N/A
- Storage Keys:
ssh_host_ca_key,ssh_host_ca_key_pub
Enrolled Network Fandango Hosts
Enrolled hosts download the Root CA public key and SSH public keys at the point of enrollment, in order to verify the identity of nfsvc, but these certificates are not generated on the enrolled hosts.
mTLS Client Certificate
- X509 Certificate
- Identify the device to nfsvc over mutual TLS (agent calls, jobs, facts).