Certificates and their Uses

Network Fandango Service

The following certificates are generated by the Network Fandango Service:

Root CA (X509 Certificate)
- Purpose: Trust anchor for all service-issued TLS certs and JWT tokens. You can optionally use your own organisation's certificate infrastructure for this certificate.
- Issued By: ICertificateService.CreateRootCertificateAsync
- Obtain With: ICertificateService.TryLoadRootCa or ICertificateService.TryGetRootPublicKey
- Storage Keys: ca.x509.root.pem, ca.x509.root.key

API TLS Certificate (X509 Certificate)
- Purpose: HTTPS endpoint identity for nfsvc.
- Issued By: ICertificateService.IssueTlsCertificateAsync
- Obtain With: ICertificateService.TryLoadTlsCertificateAsync
- Storage Keys: N/A (uses filesystem)

JWT Certificate (X509 Certificate)
- Purpose: Sign server-issued JWTs (enrollment tokens, etc.).
- Issued By: ICertificateService.IssueJwtCertificateAsync
- Obtain With: ICertificateService.TryLoadJwtCertificateAsync
- Storage Keys: N/A (uses filesystem)

SSH User CA (OpenSSH CA for user certs)
- Purpose: Sign user SSH certificates for ephemeral admin access.
- Issued By: ICertificateService.IssueSshUserCertificateAsync
- Obtain With: ICertificateService.TryGetSshUserPublicKey
- Storage Keys: ssh_ca_key, ssh_ca_key_pub

SSH Host CA (OpenSSH CA for host certs)
- Purpose: Sign host SSH certificates for devices so admins can verify host identity without managing known_hosts entries.
- Issued By: ICertificateService.IssueSshHostCertificateAsync
- Obtain With: N/A
- Storage Keys: ssh_host_ca_key, ssh_host_ca_key_pub

Enrolled Network Fandango Hosts

Enrolled hosts download the Root CA public key and the SSH public keys at the point of enrollment in order to verify the identity of nfsvc, but these certificates are not generated on the enrolled hosts.

mTLS Client Certificate (X509 Certificate)
- Purpose: Identify the device to nfsvc over mutual TLS (agent calls, jobs, facts).