Skip to main content

Certificates and their Uses

Network Fandango Service

The following certificates are generated by the Network Fandango Service:

Root CA

  • X509 Certificate
  • Trust anchor for all service issued TLS certs and JWT tokens. You can optionally use your own organisation's certificate infrastructure for this certificate.
  • Issued By: ICertificateService.???
  • Obtain With: ICertificateService.???
  • Storage Keys:

API TLS Certificate

  • X509 Certificate
  • HTTPS endpoint identity for nfsvc
  • Issued By: ICertificateService.???
  • Obtain With: ICertificateService.???
  • Storage Keys:

JWT Certificate

  • X509 Certificate
  • Sign server-issued JWTs (enrollment tokens, etc.).
  • Issued By: ICertificateService.???
  • Obtain With: ICertificateService.???
  • Storage Keys:

SSH User CA (OpenSSH CA for user certs)

  • Sign user SSH certificates for ephemeral admin access.
  • Issued By: ICertificateService.???
  • Obtain With: ICertificateService.???
  • Storage Keys:

SH Host CA (OpenSSH CA for host certs)

  • Sign host SSH certificates for devices so admins can verify host identity without managing known_hosts entries.
  • Issued By: ICertificateService.???
  • Obtain With: ICertificateService.???
  • Storage Keys:

Enrolled Network Fandango Hosts

Enrolled hosts download the Root CA public key and SSH public keys at the point of enrollment, in order to verify the identity of nfsvc, but these certificates are not generated on the enrolled hosts.

mTLS Client Certificate

  • X509 Certificate
  • Identify the device to nfsvc over mutual TLS (agent calls, jobs, facts).
  • Issued By: ICertificateService.???
  • Obtain With: ICertificateService.???
  • Storage Keys:
Back to top