# Certificates and their Uses

## Network Fandango Service

The following certificates are generated by the Network Fandango Service:

### Root CA

* X509 Certificate
* Trust anchor for all service-issued TLS certificates and for the JWT signing certificate (and so for the JWT tokens it signs). You can optionally have this certificate issued by your own organisation's certificate infrastructure instead of generating it here.
* Issued By: `ICertificateService.CreateRootCertificateAsync`
* Obtain With: `ICertificateService.TryLoadRootCa` or `ICertificateService.TryGetRootPublicKey`
* Storage Keys: `ca.x509.root.pem`, `ca.x509.root.key`

### API TLS Certificate

* X509 Certificate
* HTTPS endpoint identity for nfsvc
* Issued By: `ICertificateService.IssueTlsCertificateAsync`
* Obtain With: `ICertificateService.TryLoadTlsCertificateAsync`
* Storage Keys: N/A (uses filesystem)

### JWT Certificate

* X509 Certificate
* Sign server-issued JWTs (enrollment tokens, etc.).
* Issued By: `ICertificateService.IssueJwtCertificateAsync`
* Obtain With: `ICertificateService.TryLoadJwtCertificateAsync`
* Storage Keys: N/A (uses filesystem)
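
The Root CA, API TLS and JWT certificate descriptions above, as an added worked example (not nfsvc's own code): a self-signed Root CA issues a TLS leaf and a JWT signing leaf with openssl, and the script then runs the checks a client or enrolled host performs against the Root CA. File names, subject names and the hostname `nfsvc.example.internal` are placeholders assumed for the example, not values taken from the service.

```shell
#!/bin/sh
# Added example (not nfsvc's own code): builds the X.509 hierarchy described
# above with openssl, namely a self-signed Root CA that issues the API TLS
# certificate and the JWT signing certificate, then runs the checks a client or
# enrolled host performs: does a presented certificate chain to the Root CA,
# and does the TLS certificate name the host being connected to?
# Assumptions: file names, subject names and the hostname
# nfsvc.example.internal are placeholders, not values taken from the service.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ROOT_CERT="$WORK/ca.x509.root.pem"   # names mirror the storage keys on the page
ROOT_KEY="$WORK/ca.x509.root.key"
NFSVC_HOST="nfsvc.example.internal"

# Root CA: self-signed, CA:TRUE with pathlen:0 (it issues leaves only), key
# usage limited to signing certificates and CRLs.
make_root_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=nfsvc Root CA" \
        -keyout "$ROOT_KEY" -out "$WORK/root.csr" 2>/dev/null
    cat > "$WORK/root.ext" <<EOF
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
EOF
    openssl x509 -req -days 3650 -in "$WORK/root.csr" -signkey "$ROOT_KEY" \
        -extfile "$WORK/root.ext" -out "$ROOT_CERT" 2>/dev/null
}

# Issue a leaf signed by the Root CA. $1 = base file name, $2 = subject CN;
# the extension list is read from stdin.
issue_leaf() {
    name="$1"; cn="$2"
    cat > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 90 -in "$WORK/$name.csr" \
        -CA "$ROOT_CERT" -CAkey "$ROOT_KEY" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# API TLS certificate: serverAuth only, hostname carried in the SAN (modern
# verifiers ignore the CN for hostname matching).
issue_tls_cert() {
    issue_leaf tls "$NFSVC_HOST" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$NFSVC_HOST
EOF
}

# JWT signing certificate: digitalSignature only; it gets no SAN and no
# serverAuth EKU because it is never presented as a TLS server.
issue_jwt_cert() {
    issue_leaf jwt "nfsvc JWT signer" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
EOF
}

# Client-side checks; each exits non-zero on failure. -no-CAfile/-no-CApath
# keep the system trust store out of it: only the Root CA counts.
chains_to_root() {        # $1 = leaf base name
    openssl verify -no-CAfile -no-CApath -CAfile "$ROOT_CERT" \
        "$WORK/$1.pem" >/dev/null 2>&1
}
valid_tls_for_host() {    # $1 = hostname being connected to, $2 = leaf (default tls)
    leaf="${2:-tls}"
    openssl verify -no-CAfile -no-CApath -CAfile "$ROOT_CERT" \
        -purpose sslserver -verify_hostname "$1" "$WORK/$leaf.pem" >/dev/null 2>&1
}

make_root_ca
issue_tls_cert
issue_jwt_cert
for leaf in tls jwt; do
    if chains_to_root "$leaf"; then echo "$leaf: chains to Root CA"; else echo "$leaf: NOT trusted"; fi
done
if valid_tls_for_host "$NFSVC_HOST"; then echo "tls: accepted for $NFSVC_HOST"; fi
if valid_tls_for_host "other.example.internal"; then
    echo "tls: unexpectedly accepted for other.example.internal"
else
    echo "tls: rejected for other.example.internal (SAN mismatch)"
fi
if valid_tls_for_host "$NFSVC_HOST" jwt; then
    echo "jwt: unexpectedly accepted as the HTTPS endpoint"
else
    echo "jwt: chains to Root CA but is rejected as HTTPS identity (no SAN, no serverAuth)"
fi
```

The two negative checks are the ones worth keeping in mind when a client trusts the Root CA: chaining to the root is necessary but not sufficient, the hostname must also appear in the SAN, and a certificate the root issued for another purpose (JWT signing) must not be accepted as the API endpoint.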

### SSH User CA (OpenSSH CA for user certs)

* OpenSSH CA key pair (not an X509 certificate)
* Sign user SSH certificates for ephemeral admin access.
* Issued By: `ICertificateService.IssueSshUserCertificateAsync`
* Obtain With: `ICertificateService.TryGetSshUserPublicKey`
* Storage Keys: `ssh_ca_key`, `ssh_ca_key_pub`

### SSH Host CA (OpenSSH CA for host certs)

* OpenSSH CA key pair (not an X509 certificate)
* Sign host SSH certificates for devices, so admins can verify host identity with a single `@cert-authority` entry trusting this CA instead of maintaining a known_hosts entry per device.
* Issued By: `ICertificateService.IssueSshHostCertificateAsync`
* Obtain With: N/A
* Storage Keys: `ssh_host_ca_key`, `ssh_host_ca_key_pub`
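
The SSH User CA and SSH Host CA flows above, as an added example done with ssh-keygen (not nfsvc's own code): a user CA signs a short-lived admin certificate, a host CA signs a device host key, and the admin's known_hosts gets one `@cert-authority` line instead of an entry per device. The key file names, the principal `admin`, the device name `device01.example.internal` and the validity periods are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example (not nfsvc's own code): the OpenSSH certificate flow behind the
# SSH User CA and SSH Host CA, done with ssh-keygen. Assumptions: key file
# names, the principal "admin", the device name device01.example.internal and
# the validity periods are placeholders, not values from the service.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DEVICE="device01.example.internal"

# Two separate CAs (file names mirror the storage keys on the page). A real
# deployment keeps these private keys in the service's storage, never on devices.
make_ssh_cas() {
    ssh-keygen -q -t ed25519 -N "" -C "nfsvc user CA" -f "$WORK/ssh_ca_key"
    ssh-keygen -q -t ed25519 -N "" -C "nfsvc host CA" -f "$WORK/ssh_host_ca_key"
}

# Ephemeral admin access: user cert bound to principal "admin", valid for 8 hours
# (5 minutes of clock skew allowed), all extensions cleared except a pty, so the
# cert cannot be used for agent or port forwarding.
issue_user_cert() {   # $1 = user's public key; writes <name>-cert.pub beside it
    ssh-keygen -q -s "$WORK/ssh_ca_key" -I "admin-session" -n admin \
        -V "-5m:+8h" -O clear -O permit-pty "$1"
}

# Host identity: host certificate (-h) whose principal is the device's hostname.
issue_host_cert() {   # $1 = device host public key; writes <name>-cert.pub
    ssh-keygen -q -s "$WORK/ssh_host_ca_key" -I "$DEVICE" -h -n "$DEVICE" \
        -V "-5m:+52w" "$1"
}

# The one line an admin puts in ~/.ssh/known_hosts: trust any host cert the
# host CA signed for a name under the device domain.
known_hosts_line() {
    printf '@cert-authority *.example.internal %s\n' \
        "$(cut -d' ' -f1,2 "$WORK/ssh_host_ca_key.pub")"
}

# Checks: read a certificate back and confirm which CA signed it and what
# principal it carries.
cert_signer_fingerprint() {  # $1 = cert path -> SHA256 fingerprint of signing CA
    ssh-keygen -L -f "$1" | sed -n 's/.*Signing CA: [^ ]* \(SHA256:[^ ]*\).*/\1/p'
}
ca_fingerprint() {           # $1 = CA public key path
    ssh-keygen -l -f "$1" | awk '{print $2}'
}
signed_by() {                # $1 = cert path, $2 = CA public key path
    [ "$(cert_signer_fingerprint "$1")" = "$(ca_fingerprint "$2")" ]
}
cert_has_principal() {       # $1 = cert path, $2 = principal
    ssh-keygen -L -f "$1" | grep -qx "[[:space:]]*$2"
}

make_ssh_cas
ssh-keygen -q -t ed25519 -N "" -C "admin@laptop" -f "$WORK/id_admin"
ssh-keygen -q -t ed25519 -N "" -C "$DEVICE" -f "$WORK/ssh_host_ed25519_key"
issue_user_cert "$WORK/id_admin.pub"
issue_host_cert "$WORK/ssh_host_ed25519_key.pub"
USER_CERT="$WORK/id_admin-cert.pub"
HOST_CERT="$WORK/ssh_host_ed25519_key-cert.pub"

echo "known_hosts entry for admins:"; known_hosts_line
if signed_by "$USER_CERT" "$WORK/ssh_ca_key.pub"; then echo "user cert: signed by user CA"; fi
if signed_by "$HOST_CERT" "$WORK/ssh_host_ca_key.pub"; then echo "host cert: signed by host CA"; fi
if signed_by "$HOST_CERT" "$WORK/ssh_ca_key.pub"; then
    echo "host cert: WRONG, signed by the user CA"
else
    echo "host cert: not signed by the user CA (the two CAs are distinct trust roots)"
fi
```

On the device, sshd presents the host certificate via `HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub` and accepts user certificates through `TrustedUserCAKeys` pointing at the user CA's public key; keeping the two CAs separate means a compromised host CA key cannot mint admin logins and vice versa.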

## Enrolled Network Fandango Hosts

Enrolled hosts download the Root CA public key and the SSH CA public keys at enrollment so that they can verify the identity of `nfsvc`; none of the certificates above are generated on the enrolled hosts.

### mTLS Client Certificate

* X509 Certificate
* Identify the device to nfsvc over mutual TLS (agent calls, jobs, facts).