Certificates

Introduction

SSL / TLS certificates are used to authenticate secure communication between Flynet Jubilant processes.

Each process that uses certificates must have the appropriate thumbprints in its primary configuration file. This is so the process can locate the certificate in the Windows Local Machine Certificate Store. The installer places the correct certificate thumbprints in the configuration files for each process.

During the first full install of Jubilant, the installer generates a root, two intermediate and various client and server certificates.

All install-time self-signed certs are RSA SHA256 with RSA 2048-bit public keys. Flynet does not have access to these certificates.

Updates

The update process extracts the thumbprints of the certificates from the Windows Certificate Store and places them in the file Certificates/Certificates.json. The installer uses the Certificates.json file to update the process config files.

Alternatives

All certificates may be replaced by other self-signed certificates or by certificates provided by a third party such as DigiCert.

The chain must validate in the Windows Certificate Store.

The thumbprints must be provided in the Certificates/Certificates.json file at upgrade / install time.

Certificates are generated on first install. The upgrade process preserves these using the Certificates.json mechanism.

Generated Certificates

This is the complete list of certificates used by Jubilant. In the various process configuration files, the "GrpcConnectionPoints" section uses the Certificate Configuration ID to store the thumbprint of the required certificate.

  • One Root certificate
    • Issued to Flynet Jubilant Root CA
    • Installed in Windows Certificate Store\Local Computer\Trusted Root Certification Authorities
  • Two Intermediate certificates (one for normal runtime processes, the other for management processes)
    • Issued to
      1. Flynet Jubilant Intermediate (for runtime actions)
        • Jubilant Certificate Configuration ID: ClientIntermediateCACertThumbprint
      2. Flynet Jubilant Intermediate Management (for administrative actions)
        • Jubilant Certificate Configuration ID: ClientManagementIntermediateCACertThumbprint
    • Installed in Windows Certificate Store\Local Computer\Intermediate Certification Authorities
  • Two server certificates (one for runtime services, one for management services)
    • Issued to
      1. Flynet Jubilant Server Service
        • Jubilant Certificate Configuration ID: ServerCertificateThumbprint
      2. Flynet Jubilant Management Server Service
        • Jubilant Certificate Configuration ID: ServerManagementCertificateThumbprint
    • Installed in Windows Certificate Store\Local Computer\Personal
  • Two client certificates (one a runtime client cert, one a management client cert)
    • Issued to
      1. Flynet Jubilant Client
        • Jubilant Certificate Configuration ID: ClientCertificateThumbprint
      2. Flynet Jubilant Management Client
        • Jubilant Certificate Configuration ID: ClientManagementCertificateThumbprint
    • Installed in Windows Certificate Store\Local Computer\Personal

Configuration Names

The Configuration ID is the property name used in the "GrpcConnectionPoints" section in Jubilant configuration files to specify the thumbprint of the required certificate.

| Issued To | Type | Location | Configuration ID | Certificates.json ID |
| --- | --- | --- | --- | --- |
| Flynet Jubilant Root CA | Root | Local Computer\Trusted Root Certification Authorities | N/A | Root |
| Flynet Jubilant Intermediate | Intermediate | Local Computer\Intermediate Certification Authorities | ClientIntermediateCACertThumbprint | RuntimeIntermediate |
| Flynet Jubilant Intermediate Management | Intermediate | Local Computer\Intermediate Certification Authorities | ClientManagementIntermediateCACertThumbprint | ManagementIntermediate |
| Flynet Jubilant Server Service | Server Cert | Local Computer\Personal | ServerCertificateThumbprint | RuntimeService |
| Flynet Jubilant Management Server Service | Server Cert | Local Computer\Personal | ServerManagementCertificateThumbprint | ManagementService |
| Flynet Jubilant Client | Client Cert | Local Computer\Personal | ClientCertificateThumbprint | RuntimeClient |
| Flynet Jubilant Management Client | Client Cert | Local Computer\Personal | ClientManagementCertificateThumbprint | ManagementClient |
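
To audit a host against the list above, for example after replacing the certificates or before an upgrade, the following PowerShell script looks up each certificate in its expected Local Machine store, builds its chain, and reports the thumbprint that should appear under the matching Configuration ID. It is an added example, not part of the Flynet installer or documentation. It assumes that "Issued To" is the certificate's subject common name and that revocation checking can be skipped for the install-time self-signed chain.

```powershell
# Added example, not Flynet code. Store names: Root = Trusted Root Certification
# Authorities, CA = Intermediate Certification Authorities, My = Personal.
$expected = @(
    @{ IssuedTo = 'Flynet Jubilant Root CA';                   Store = 'Root'; ConfigId = 'N/A' }
    @{ IssuedTo = 'Flynet Jubilant Intermediate';              Store = 'CA';   ConfigId = 'ClientIntermediateCACertThumbprint' }
    @{ IssuedTo = 'Flynet Jubilant Intermediate Management';   Store = 'CA';   ConfigId = 'ClientManagementIntermediateCACertThumbprint' }
    @{ IssuedTo = 'Flynet Jubilant Server Service';            Store = 'My';   ConfigId = 'ServerCertificateThumbprint' }
    @{ IssuedTo = 'Flynet Jubilant Management Server Service'; Store = 'My';   ConfigId = 'ServerManagementCertificateThumbprint' }
    @{ IssuedTo = 'Flynet Jubilant Client';                    Store = 'My';   ConfigId = 'ClientCertificateThumbprint' }
    @{ IssuedTo = 'Flynet Jubilant Management Client';         Store = 'My';   ConfigId = 'ClientManagementCertificateThumbprint' }
)
$rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

$report = foreach ($e in $expected) {
    # Assumption: "Issued To" is matched against the subject's simple name (CN).
    $found = @(Get-ChildItem -Path "Cert:\LocalMachine\$($e.Store)" |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $e.IssuedTo })
    if ($found.Count -eq 0) {
        [pscustomobject]@{ IssuedTo = $e.IssuedTo; ConfigId = $e.ConfigId; Status = 'MISSING' }
        continue
    }
    foreach ($cert in $found) {
        $rsa   = $rsaExt::GetRSAPublicKey($cert)   # $null when the key is not RSA
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Assumption: the self-signed chain has no revocation endpoint to query.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $problems = @()
        if (-not $chain.Build($cert)) { $problems += 'chain: ' + ($chain.ChainStatus.Status -join ',') }
        if ($found.Count -gt 1)       { $problems += 'duplicate subject, confirm the configured thumbprint' }
        # Server and client certificates need their private key to authenticate.
        if ($e.Store -eq 'My' -and -not $cert.HasPrivateKey) { $problems += 'no private key' }
        [pscustomobject]@{
            IssuedTo   = $e.IssuedTo
            ConfigId   = $e.ConfigId
            Thumbprint = $cert.Thumbprint
            KeyBits    = if ($rsa) { $rsa.KeySize } else { 'non-RSA' }
            SigAlgOid  = $cert.SignatureAlgorithm.Value   # 1.2.840.113549.1.1.11 = SHA256 with RSA
            Status     = if ($problems) { $problems -join '; ' } else { 'OK' }
        }
    }
}
$report | Format-Table -AutoSize
```

Compare the Thumbprint column with the values stored under each Configuration ID in the process configuration files and in Certificates/Certificates.json. Install-time certificates should show 2048 key bits and the SHA256 with RSA OID, while replacement certificates may legitimately differ.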