[Box Backup] Question about certificates

Chris Wilson boxbackup at fluffy.co.uk
Wed Aug 1 19:25:00 BST 2007


Hi Nuno,

On Wed, 1 Aug 2007, Nuno Fernandes wrote:

>>> Apparently bbstored-certs /etc/box/bbstored/certs init creates 2 root 
>>> CAs (one for clients and the other for servers). Why does it create 2 
>>> CAs?
>>
>> One is for validating servers, the other for validating clients. I 
>> think servers are just accepted as valid if they present a valid 
>> certificate signed by the server CA. For clients, the CN must match - I 
>> think it must be BACKUP-<account number> (without zeros at the beginning), 
>> the certificate being signed by the client CA.
>
> Can't I use the same CA to validate servers and clients?

You can, but it's not secure. It allows one of your clients to pretend to 
be a valid server for any other client.

If you really want to do that, just set the ServerCA (on the client) and 
ClientCA (on the server) to point to the same certificate.

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
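
Added example, not part of the message above and not Box Backup's own code: a check with the openssl CLI (assumed installed) of what a client accepts as a server under the two-CA layout versus a single shared CA. It models only the chain check the message describes for servers; all file names, CA names and the account number 1234 are constructed for the demo.

```shell
#!/bin/sh
# Added illustration: every CA, key and certificate here is constructed for the
# demo (account number 1234 is made up); none are Box Backup's own files.

make_ca() {    # $1 = path prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue() {      # $1 = CA path prefix, $2 = leaf path prefix, $3 = leaf CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# The check the message describes for servers: does the presented certificate
# chain to the CA configured as ServerCA? Exit status 0 means "accepted".
accepted_as_server() {    # $1 = ServerCA file, $2 = presented certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_demo() { # $1 = empty working directory
    # Layout created by "bbstored-certs ... init": two separate roots.
    make_ca "$1/clientCA" "Constructed client root" &&
    make_ca "$1/serverCA" "Constructed server root" &&
    issue "$1/serverCA" "$1/server" "constructed-server" &&
    issue "$1/clientCA" "$1/client-split" "BACKUP-1234" &&
    # Single-root layout: ServerCA and ClientCA point at the same file.
    make_ca "$1/sharedCA" "Constructed shared root" &&
    issue "$1/sharedCA" "$1/client-shared" "BACKUP-1234"
}

report() {     # $1 = label, $2 = ServerCA file, $3 = presented certificate
    if accepted_as_server "$2" "$3"; then echo "$1: ACCEPTED as server"
    else echo "$1: rejected"; fi
}

main() {
    dir=$(mktemp -d) || return 1
    build_demo "$dir" || { echo "openssl failed" >&2; return 1; }
    report "two CAs, server cert" "$dir/serverCA.pem" "$dir/server.pem"
    report "two CAs, client cert" "$dir/serverCA.pem" "$dir/client-split.pem"
    report "one CA,  client cert" "$dir/sharedCA.pem" "$dir/client-shared.pem"
    rm -rf "$dir"
}

main
```

Only the last case accepts a client's certificate in the server role, which is the reason the message gives for keeping ServerCA and ClientCA separate.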


