[Box Backup] Questions about Certs

Chris Wilson chris at qwirx.com
Wed Jun 30 10:43:00 BST 2010


Hi Lee,

On Sun, 27 Jun 2010, lchalupa at seelink.org wrote:

> I'm using a third-party as a certificate authority (Go-Daddy).

I don't know if anyone has tried this before. I would expect some 
difficulty as you're breaking new ground.

To be honest the system is more secure if you run your own CA than if you 
let someone else sign client certificates for you. Also the common name 
must be completely under your control. I don't think GoDaddy will let you 
do what you need to do for this to work.

> So I assume that The CA related steps in the doc will be done with me 
> interfacing with the Go-Daddy application.

Not all of them. The server and clients need to know which CA to trust, 
and accounts still need to be created. However you would not do signing 
yourself.

> From reading the boxbackup documentation, the next step is to install
> the certificate on the server. The docs say that I need two files for
> this task: backup.seelink.org-cert.pem and clientCA.pem. 2 problems
> here: 1. The file I got back from go-daddy ends with .crt, not .pem.

.crt doesn't mean anything. It's probably already in PEM format. If it's 
ASCII readable (base64-encoded) then it's probably PEM.

> 2.  Question: Where does the clientCA.pem come from?

Generated by the bbstored-certs utility.

> What is this file?

Used to tell the server which CA is allowed to sign client certificates, 
i.e. which clients it should trust. If you use GoDaddy's certificate here, 
then any certificate signed by GoDaddy (e.g. my website's SSL certificate) 
would be trusted. This may not be what you want.

> Is this required or optional?

Absolutely required, otherwise anyone could use your server and access 
other people's accounts.

> The related question is do I need to gd_bundle.crt 
> file returned from Go-Daddy.

I'm not sure if we verify certificate chains yet, sorry.

Cheers, Chris.
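As an added illustration of two points in this reply (it is not part of the thread or of Box Backup's own tooling): a .crt may be PEM or DER and can be normalised with openssl, and clientCA.pem decides which CA's client certificates a server accepts, so a certificate from any other CA is rejected. It assumes the openssl command-line tool is installed and generates throwaway CAs and client certificates locally.

```shell
# Added example (not Box Backup's own code); it assumes the openssl CLI.
# Every certificate here is throwaway test material generated by setup_demo.
set -e

# Print "pem" if the file is base64 PEM, "der" if it is binary DER.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo pem; else echo der; fi
}

# Emit the certificate as PEM whatever its on-disk encoding (.crt says nothing about it).
to_pem() {
    if [ "$(cert_format "$1")" = der ]; then
        openssl x509 -inform DER -in "$1"
    else
        cat "$1"
    fi
}

# Succeed only if the certificate was signed by the CA in the given CA file:
# the check a server makes with whatever it is handed as clientCA.pem.
client_cert_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Throwaway self-signed CA: $1 = name (writes $1.key and $1.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
        -subj "/CN=$1" -days 1
}

# Throwaway client certificate: $1 = client name, $2 = name of the signing CA.
make_client() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1"
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -out "$1-cert.pem" -days 1
}

# Scratch directory with our own CA (clientCA), an unrelated CA (otherCA), one
# client signed by each, and a DER copy of the good client's certificate; prints its path.
setup_demo() {
    tmp=$(mktemp -d)
    (
        cd "$tmp"
        make_ca clientCA; make_ca otherCA
        make_client goodclient clientCA; make_client badclient otherCA
        openssl x509 -in goodclient-cert.pem -outform DER -out goodclient.crt
    ) >/dev/null 2>&1
    echo "$tmp"
}
```

In the directory setup_demo prints, `client_cert_ok clientCA.pem badclient-cert.pem` fails and so does `client_cert_ok otherCA.pem goodclient-cert.pem`, which is the scope problem the reply describes for a public CA's certificate used as clientCA.pem.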

