Kern Sibbald wrote:
> Hello,

Hi,

> Unless I am mistaken, even if there is a duplicate CN as you fear, it seems to
> me it should pose no problems because the certificate would not match.
>
> Does someone more experienced with TLS know the answer to that?

Hmm. I'm not an expert, but I've learned a lot about TLS/SSL by installing it on Bacula 2 :-)
You must use a separate certificate for every IP/hostname. But it's OK to use one key per machine with different related certificates (you should know that one key can have many certificates). I do this.

I have a full TLS and PKI solution under test at the moment. I've created my own root certificate so I can use trusted connections. The certificates which are installed are related to:

1. Certificate for access by a user.
2. Certificate to grant the Bacula service.
3. Decryption key for every user.
4. Decryption key for the Bacula service.
5. Certificate for PKI master encryption.
6. Certificate for PKI FD-related encryption.

So I have one key for every real user (me at the moment, the server, and every (at the moment one) client), or, to put it more simply:

Easy:
A. Every service which opens a port has its own cert.
B. Every client machine which opens a connection has its own cert, including the Bacula server, too.

Why: The director will connect to the storage daemon. In this situation the director is the client (B.) and the storage daemon is the service (A.)
or: The bconsole (B.) will connect to the director (A.)
or: The director (B.) will connect to "a" file daemon (A.)
or: The storage daemon (B.) will connect to the director (A.)
any more...?

If all is on the same machine under the same user:
A. is a service cert from a key related to the interface.
B. is a user cert from a key related to the [EMAIL PROTECTED]

On my server I'm using only one key with two certs created from:
e.g. cn = bserver.localnet for A.
     cn = [EMAIL PROTECTED] for B.

For a second FD client I use a different key, but with two certs, too:
e.g. cn = client.localnet for A.
     cn = [EMAIL PROTECTED] for B.

For a bconsole I use its own key/cert:
e.g. cn = [EMAIL PROTECTED]

Further information:
The cn for A. must be the same as configured in the rules for Address.
The cn for B. can be anything you want (including the one for A.). But I had trouble before I used well-identified cn's.

Any questions?

Regards...
Pierre Bernhardt
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
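The scheme described in the post above (a self-created root CA, one key per machine, and two certificates issued from that single key: an A. service cert whose CN is the hostname and a B. user cert whose CN is a user@host identity) can be built and checked with plain openssl. The script below is an added example written for this page; it is not code from the post or from the Bacula project. It assumes openssl is installed, that the server is called bserver.localnet, and that the user identity is pierre@bserver.localnet (the post's own address is redacted as [EMAIL PROTECTED], so that name is an assumption). The check functions at the end show the two things a practitioner wants to confirm: that both certs chain to the root and carry the same public key, and that only the A. cert's CN matches the Address a peer connects to.

```shell
#!/bin/sh
# Added example, not code from the original post or from Bacula.
# Builds a toy private PKI with openssl: ONE machine key (bserver.key) gets
# TWO certificates signed by a self-created root CA. Host and user names
# (bserver.localnet, pierre@bserver.localnet) are assumptions for the demo.
set -eu

# issue_cert DIR KEYFILE CN OUTFILE: CSR from an existing key, signed by the root.
issue_cert() {
  openssl req -new -key "$1/$2" -subj "/CN=$3" -out "$1/$4.csr"
  openssl x509 -req -in "$1/$4.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 365 -sha256 -out "$1/$4" 2>/dev/null
}

# Create the root CA, one machine key and the two certs under directory $1.
build_pki() {
  d="$1"
  mkdir -p "$d"
  # Self-created root CA; root.crt is what every daemon gets as its CA file.
  openssl genrsa -out "$d/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/root.key" -sha256 -days 3650 \
    -subj "/CN=localnet test root CA" -out "$d/root.crt"
  # One key for the whole machine.
  openssl genrsa -out "$d/bserver.key" 2048 2>/dev/null
  # A. service cert: CN must equal the Address configured in the resources.
  issue_cert "$d" bserver.key bserver.localnet bserver-service.crt
  # B. user cert from the SAME key, different CN (the connecting side).
  issue_cert "$d" bserver.key pierre@bserver.localnet bserver-user.crt
}

# Does certificate $2 in dir $1 chain to our root? (what the peer verifies)
verify_chain() { openssl verify -CAfile "$1/root.crt" "$1/$2" >/dev/null 2>&1; }

# Does certificate $3 carry the public half of key $2? Compare RSA modulus digests.
key_matches_cert() {
  k=$(openssl rsa -in "$1/$2" -noout -modulus 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$1/$3" -noout -modulus | openssl sha256)
  [ "$k" = "$c" ]
}

# Print the CN of a certificate; handles both "/CN=x" and "CN = x" subject output.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# The rule for A. certs: the CN has to match the Address the peer connects to.
cn_matches_address() { [ "$(cert_cn "$1")" = "$2" ]; }

# Stand-alone run: build into a scratch directory and report what was checked.
demo() {
  d=$(mktemp -d)
  build_pki "$d"
  for c in bserver-service.crt bserver-user.crt; do
    verify_chain "$d" "$c" && key_matches_cert "$d" bserver.key "$c" \
      && echo "$c: CN=$(cert_cn "$d/$c") chains to root and matches bserver.key"
  done
  cn_matches_address "$d/bserver-user.crt" bserver.localnet \
    || echo "bserver-user.crt: CN does not match Address bserver.localnet (expected for a B. cert)"
  rm -rf "$d"
}
demo
```

Both certificates verify against root.crt and both report the same modulus as bserver.key, which is the "one key, many certificates" point of the post; only bserver-service.crt has a CN equal to the hostname, so it is the one whose CN must line up with the Address directive, while the user cert's CN is free.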