[Box Backup] Certificate information

Chris Wilson chris at qwirx.com
Tue Nov 6 15:38:34 GMT 2012

On Tue, 6 Nov 2012, Peter Jalajas, GigaLock Backup Services wrote:

>    ./keys/clientRootCSR.pem
>    ./keys/clientRootKey.pem
>    ./keys/serverRootCSR.pem
>    ./keys/serverRootKey.pem
>    ./roots/clientCA.pem
>    ./roots/clientCA.srl
>    ./roots/serverCA.pem
>    ./roots/serverCA.srl
>    ./servers/<ServerNickName>-cert.pem
>  Maybe someone can explain each of those files for us?

clientCA.pem: the CA which signs all client certificates. The server 
requires a client's certificate to be signed by this CA, or will not allow 
it to connect. All servers must have a copy of clientCA.pem to verify 

clientRootKey.pem: the key associated with clientCA.pem (I think).

clientRootCSR.pem: a temporary certificate signing request generated in 
the process of producing the self-signed client CA certificate 

clientCA.srl: the serial number of the last certificate issued by the 
client CA. OpenSSL keeps this in a file to avoid issuing certificates with 
duplicate serial numbers.

serverCA.pem, serverRootKey.pem, serverRootCSR.pem, serverCA.srl: as above 
but for servers. Clients require that any server which they connect to, 
presents a certificate signed by serverCA.pem. All clients must have a 
copy of serverCA.pem to verify this.

<ServerNickName>-cert.pem: the actual certificate issued to each client. 
Clients generate a key and CSR locally, send the CSR to the CA, which 
signs it (producing this certificate file as output) and returns it.

> I hope at least part of that is helpful to someone.  Suggestions and 
> corrections welcome.  I can put this on the trac wiki if anyone thinks 
> it'll help.

Yes please.

Cheers, Chris.
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <chris+sig at qwirx.com> Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
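The issuance and verification flow Chris describes, as an added example written for this archive page and not one of Box Backup's own scripts: it builds both CAs with plain openssl, issues a server and two client certificates, and lets each side verify the other against the right CA. It assumes the openssl binary is on PATH; the Common Names and nicknames are made up.

```sh
#!/bin/sh
# Added example (not Box Backup's own scripts): rebuild the CA layout the
# message describes with plain openssl. File names follow the message; CNs
# and nicknames are made up. Requires the openssl binary on PATH.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/keys" "$WORK/roots" "$WORK/servers" "$WORK/clients"
# CA extensions: mark the self-signed certificate as a CA (needed for verify).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"

# make_ca <client|server>: self-signed CA. The CSR left in keys/ is only an
# intermediate artefact of producing the self-signed CA certificate.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$WORK/keys/${1}RootKey.pem" -out "$WORK/keys/${1}RootCSR.pem" \
      -subj "/CN=Example ${1} CA" 2>/dev/null
  openssl x509 -req -days 3650 -sha256 -in "$WORK/keys/${1}RootCSR.pem" \
      -signkey "$WORK/keys/${1}RootKey.pem" -extfile "$WORK/ca.ext" \
      -out "$WORK/roots/${1}CA.pem" 2>/dev/null
}
# issue_cert <ca> <dir> <nickname>: the requester makes key+CSR locally, the CA
# signs the CSR. -CAcreateserial/-CAserial maintain roots/<ca>CA.srl so that
# each certificate issued by that CA gets a distinct serial number.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$WORK/$2/${3}-key.pem" -out "$WORK/$2/${3}-csr.pem" \
      -subj "/CN=${3}" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$WORK/$2/${3}-csr.pem" \
      -CA "$WORK/roots/${1}CA.pem" -CAkey "$WORK/keys/${1}RootKey.pem" \
      -CAcreateserial -CAserial "$WORK/roots/${1}CA.srl" \
      -out "$WORK/$2/${3}-cert.pem" 2>/dev/null
}
# verify_against <ca> <cert>: succeeds only if <cert> chains to roots/<ca>CA.pem;
# this is the check servers apply to clients and clients apply to servers.
verify_against() {
  openssl verify -CAfile "$WORK/roots/${1}CA.pem" "$2" >/dev/null 2>&1
}
# cert_serial <cert>: the serial number as openssl prints it (hex).
cert_serial() {
  openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

make_ca client
make_ca server
issue_cert server servers backup1   # -> servers/backup1-cert.pem
issue_cert client clients laptop
issue_cert client clients desktop
```

After it runs, roots/clientCA.srl holds the serial of the last client certificate issued, and a certificate signed by one CA does not verify against the other.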
